Hello,
I am facing the same problem as here: https://supportforums.cisco.com/thread/2047836.
The main idea is that I want to implement secure GRE over IPsec with digital certificates. The problem is that I want to do everything off-line (with copy/paste), even the revocation checking (by using a CRL file copy/pasted from the CA on a Microsoft IIS HTTP server, because I don't have the possibility to use an LDAP server).
Everything goes well until I want to check the CRL. At that point the routers are showing "error #705h" after reading the CRL file (I know that the file is read because I can see the content of it if I do debug; the error is shown afterwards).
If I issue the "show crypto pki crls" command, nothing is shown, so the routers are not loading the CRL file.
The hierarchy is as follows: ROOT_CA --> 1st SUB_CA --> 2nd SUB_CA --> routers (the routers are not connected with the CAs, I am loading all certificates by hand with copy/paste).
Is it even possible to do everything off-line, or do I need at least the last SUB_CA to be on-line with the routers?
Thanks in advance,
Narcis Antonie