The below is all for an 867VAE-K9 running 15.4(3)M10.
I've imported a certificate to my router to use for an IKEv2 VPN server.
The certificate includes a cRLDistributionPoint extension with an HTTP URL specified, which IOS shows when showing PKI certificates, but IOS shows no CRLs when explicitly showing the CRLs:
HOST#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 00EA9801
  Certificate Usage: General Purpose
  Issuer:
    cn=Test Intermediate CA
    o=MyVPN
    c=NZ
  Subject:
    Name: test.vpn.local
    cn=test.vpn.local
    o=MyVPN
    c=NZ
  CRL Distribution Points:
    http://myvpn/crls/21.crl
  Validity Date:
    start date: 13:22:25 NZST Apr 23 2020
    end   date: 13:22:25 NZST Apr 23 2023
  Associated Trustpoints: my-trustpoint
  Storage: nvram:myvpntest#8B45.cer

HOST#show crypto pki crls
HOST#
I then tried to manually specify the CRL location in the trustpoint as follows, but it says it requires an LDAP location:
HOST(config)#crypto pki trustpoint my-trustpoint
HOST(ca-trustpoint)#crl query http://myhost/ca.crl
% URL must begin with ldap://
The top of page 5 of this document seems to suggest that the crl query command can support an HTTP endpoint, so what am I missing that's blocking me from using that?