06-19-2004 03:58 AM
Hello
I have a question regarding CRLs on the MS CA (SCEP) with a router.
When I issue the crypto ca crl request command, the CA sends the CRL (I can see it with an analyser).
It also seems that the router receives it, since the
debug crypto pki messages command
shows a lot of hex numbers.
I can find the serial numbers of the revoked certificates exactly in the hex codes displayed.
But there is no CRL list in the running config, and show crypto ca crl also shows only the following:
#sh crypto ca crls
CRL Issuer Name:
CN = PK-CA, OU = PK, O = PK, L = abcd, ST = abcd, C = IT, EA = pk@abc.abc
LastUpdate: 13:32:47 MESZ Jun 19 2004
NextUpdate: 15:07:47 MESZ Jun 19 2004
Retrieved from CRL Distribution Point:
http://pk_server/CertEnroll/PK-CA.crl
So communication with the CA (and also with the CRL DP) is possible, but there is no information about the revoked certificates (serial number etc.).
I have not configured it not to save the certificates and the CRL in NVRAM.
The certificates are in the config as usual.
I have always read that the CRL should be in the config/NVRAM after it is retrieved.
Does it have to do with the fact that the MS CA uses an RA?
Thanks a lot for any idea
Paul
06-19-2004 09:15 AM
Hi Paul,
The command 'show crypto ca crl' will not display the actual list of serial numbers of the certificates that have been revoked. It will only list the CRL Issuer information (i.e. CN, OU, etc) and information about the CDP and when the next update will be (as shown in the output you included previously).
In your case it indeed looks like the CRL is being pulled correctly from the CRL server, as you mentioned. I assume that you do not have "crl optional" configured under your trustpoint. If this is configured the CRL will never be checked. Assuming that this is not configured, we will probably have to look at the IKE debugs (debug crypto isakmp and debug crypto verbose) and verify that the correct certificate serial number is being recognized. What is the version of IOS you are running?
Regards,
Omar
06-20-2004 01:39 AM
Hello Omar,
Thanks for your help.
I don't have "crl optional" configured.
Actually this is a testing implementation and I do not have any IKE Peers at the moment.
My primary question is: why don't I see any references to the revoked certificates in the running-config?
I have found in the documentation that the config should contain the certificates (they are there) AND the revoked certificates (I suppose serial number etc.; they are not there).
When I issue
crypto ca crl request MYCA
I see the hex code I mentioned in the previous message.
So the CA sends the CRL and the router also seems to receive it.
But there is no reference in the config to the individual revoked certificates.
Is it stored in NVRAM only upon the first real IKE request?
Perhaps everything works fine, so that revoked certificates won't be accepted. Perhaps the references to the individual revoked certificates are NOT stored in config/NVRAM?
Thanks for your help on that issue!
I use 12.2.21
For clarity I append some lines from show run after I invoked "crypto ca crl request MYCA":
....
crypto ca identity MYCA
enrollment mode ra
enrollment url http://pk_server:80/certsrv/mscep/mscep.dll
crypto ca certificate chain MYCA
certificate 610C3AAD000000000020
308203A5 ....
quit
certificate ra-sign 6135BB3F000000000002
30820435 ....
quit
certificate ra-encrypt 6135BCF5000000000003
30820435 ....
quit
certificate ca 73C951EAFA3925854D33BF29918BB9F4
308202B6 ....
quit
!
!
interface Ethernet0
....
So you see there is no reference to any revoked certificates.
show crypto ca crls gives this (so communication is working):
test#sh crypto ca crls
CRL Issuer Name:
CN = PK-CA, OU = PK, O = PK, L = x, ST = x, C = IT, EA = x@x.x
LastUpdate: 08:48:22 UTC Jun 20 2004
NextUpdate: 10:23:22 UTC Jun 20 2004
Retrieved from CRL Distribution Point:
http://pk_server/CertEnroll/PK-CA.crl
Best regards
Paul
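Both Omar's answer and Paul's follow-up turn on the same point: the serial numbers of revoked certificates live inside the CRL's DER-encoded revokedCertificates sequence (the hex that debug crypto pki messages dumps), and IOS neither prints them with show crypto ca crls nor writes them into the running-config. The following Python is an added example, not code from the thread or from Cisco: a minimal DER reader that pulls the issuer-independent fields a router actually checks (thisUpdate, nextUpdate, and the revoked serials) out of a CertificateList, plus a lookup that answers "is this serial revoked?" the way the IKE certificate check does. The sample CRL it decodes is constructed inline (issuer CN=PK-CA, times matching the thread's output, revoked serials and signature bytes are placeholders), so it runs offline; a real CRL saved from the CDP URL can be passed to the same functions as bytes.

```python
"""Added example (not from the thread): decode the revokedCertificates
entries of an X.509 CRL, which 'show crypto ca crls' on IOS does not
display. Uses a minimal DER reader; the sample CRL is constructed here
with a placeholder signature, so it is for decoding practice only."""

# ---- minimal DER helpers (tag-length-value) ----

def _tlv(tag, value):
    """Encode one DER element with definite-length encoding."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the body of a constructed element into its (tag, value) list."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out

def _integer(raw):
    """DER INTEGER from unsigned big-endian bytes (pad if high bit set)."""
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _tlv(0x02, raw)

def _integer_hex(raw):
    """Unsigned hex string from a DER INTEGER body (drop sign padding)."""
    if len(raw) > 1 and raw[0] == 0:
        raw = raw[1:]
    return raw.hex().upper()

# ---- constructed sample CRL (placeholder signature, not a real CA's) ----

SAMPLE_REVOKED = ["610C3AAD0000000000AB", "8A1B2C3D0000000000CD"]  # constructed serials

def build_sample_crl(revoked, this_update="040620084822Z", next_update="040620102322Z"):
    """Build a CertificateList with issuer CN=PK-CA, sha256WithRSA algorithm id."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"PK-CA"))
    issuer = _tlv(0x30, _tlv(0x31, cn))    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    entries = b"".join(
        _tlv(0x30, _integer(bytes.fromhex(s)) + _tlv(0x17, this_update.encode()))
        for s in revoked)                  # each entry: serial, revocationDate (UTCTime)
    tbs = _tlv(0x30, _integer(b"\x01") + sha256_rsa + issuer
               + _tlv(0x17, this_update.encode()) + _tlv(0x17, next_update.encode())
               + (_tlv(0x30, entries) if entries else b""))
    # signatureValue is a zeroed BIT STRING: this CRL is NOT signed by any CA.
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + b"\x00" * 32))

# ---- decoding: what the router's hex dump actually contains ----

def _tbs_fields(crl_der):
    _, cert_list, _ = _read_tlv(crl_der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    return _children(tbs)

def crl_summary(crl_der):
    """Return (thisUpdate, nextUpdate) as encoded; these are what IOS prints."""
    fields = _tbs_fields(crl_der)
    i = 1 if fields[0][0] == 0x02 else 0   # optional version INTEGER
    times = [v.decode() for t, v in fields[i + 2:i + 4] if t in (0x17, 0x18)]
    return times[0], (times[1] if len(times) > 1 else None)

def revoked_serials(crl_der):
    """List the serial numbers in revokedCertificates (empty if absent)."""
    fields = _tbs_fields(crl_der)
    i = 1 if fields[0][0] == 0x02 else 0
    i += 3                                 # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                             # optional nextUpdate
    if i < len(fields) and fields[i][0] == 0x30:
        return [_integer_hex(_children(entry)[0][1]) for _, entry in _children(fields[i][1])]
    return []

def is_revoked(crl_der, serial_hex):
    """True if the certificate serial (hex, as IOS prints it) is on the CRL."""
    return int(serial_hex, 16) in {int(s, 16) for s in revoked_serials(crl_der)}

if __name__ == "__main__":
    crl = build_sample_crl(SAMPLE_REVOKED)
    print("thisUpdate/nextUpdate:", crl_summary(crl))
    print("revoked serials:", revoked_serials(crl))
    print("610C3AAD000000000020 revoked?", is_revoked(crl, "610C3AAD000000000020"))
```

To inspect a real CRL instead of the constructed one, fetch the file at the CDP URL the router reports and pass its bytes to revoked_serials(); the serial printed beside each certificate line in show running-config (for example 610C3AAD000000000020 above) is the value to look up. The decoder deliberately skips signature verification, so it shows what a CRL claims, not whether the router would trust it; that trust decision is the CA certificate check IOS performs before the serial lookup.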