CRL not found in NVRAM/Config

paul.knoll
Level 1

Hello

I have a question regarding the CRL on the MS CA (SCEP) with a router.

When I issue the crypto ca crl request command, the CA sends the CRL (I can see it with an analyser).

It also seems that the router receives it, since the

debug crypto pki messages command

shows a lot of hex numbers.

I can find the serial number of the revoked certificates exactly in the hex codes displayed.

But there is no CRL in the running config, and show crypto ca crl shows only the following:

#sh crypto ca crls

CRL Issuer Name:

CN = PK-CA, OU = PK, O = PK, L = abcd, ST = abcd, C = IT, EA = pk@abc.abc

LastUpdate: 13:32:47 MESZ Jun 19 2004

NextUpdate: 15:07:47 MESZ Jun 19 2004

Retrieved from CRL Distribution Point:

http://pk_server/CertEnroll/PK-CA.crl

So communication with the CA (and also with the CRL DP) is possible, but there is no information about the revoked certificates (serial number etc.).

I have not configured the router not to save the certificates and the CRL in NVRAM.

The certificates are in the config as usual.

I have always read that the CRL should be in the config/NVRAM after it is retrieved.

Does it have to do with the fact that the MS CA uses an RA?

Thanks a lot for any idea

Paul

2 Replies

omsantos
Level 1

Hi Paul,

The command 'show crypto ca crl' will not display the actual list of serial numbers of the certificates that have been revoked. It will only list the CRL Issuer information (i.e. CN, OU, etc.) and information about the CDP and when the next update will be (as shown in the output you included previously).

In your case it indeed looks like the CRL is being pulled correctly from the CRL server, as you mentioned. I assume that you do not have "crl optional" configured under your trustpoint. If this is configured the CRL will never be checked. Assuming that this is not configured, we will probably have to look at the IKE debugs (debug crypto isakmp and debug crypto verbose) and verify that the correct certificate serial number is being recognized. What is the version of IOS you are running?

Regards,

Omar

Hello Omar,

Thanks for your help.

I don't have "crl optional" configured.

Actually this is a testing implementation and I do not have any IKE Peers at the moment.

My primary question is: why don't I see any references to the revoked certificates in the running-config?

I have found in the documentation that the config should contain the certificates (they are there) AND the revoked certificates (I suppose serial number etc.; they are not there).

When I issue

crypto ca crl request MYCA

I see the hex code I mentioned in the previous message.

So the CA sends the CRL and the router also seems to receive it.

But there is no reference in the config to the single revoked certificates.

Is it stored in the NVRAM only upon the first real IKE request?

Perhaps everything works fine, so that revoked certificates won't be accepted. Perhaps the references to the single revoked certificates are NOT stored in config/NVRAM?

Thanks for your help on that issue!

I use 12.2.21.

For clarity I append some lines from show run after I invoked "crypto ca crl request MYCA":

....

crypto ca identity MYCA

enrollment mode ra

enrollment url http://pk_server:80/certsrv/mscep/mscep.dll

crypto ca certificate chain MYCA

certificate 610C3AAD000000000020

308203A5 ....

quit

certificate ra-sign 6135BB3F000000000002

30820435 ....

quit

certificate ra-encrypt 6135BCF5000000000003

30820435 ....

quit

certificate ca 73C951EAFA3925854D33BF29918BB9F4

308202B6 ....

quit

!

!

interface Ethernet0

....

So you see there is no reference to any revoked certificates.

show crypto ca crls gives this (so communication is working):

test#sh crypto ca crls

CRL Issuer Name:

CN = PK-CA, OU = PK, O = PK, L = x, ST = x, C = IT, EA = x@x.x

LastUpdate: 08:48:22 UTC Jun 20 2004

NextUpdate: 10:23:22 UTC Jun 20 2004

Retrieved from CRL Distribution Point:

http://pk_server/CertEnroll/PK-CA.crl

Best regards

Paul
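Omar's point above (show crypto ca crl prints only the issuer, the update times and the CDP URL) and Paul's observation that the revoked serials never show up in the running-config both come down to the same thing: the revoked-certificate entries live inside the DER-encoded CRL the router fetched, not in the CLI output. The way to confirm that a particular serial is actually on the CRL served at the CDP is to download the file from the CDP URL and decode it. The script below is an added example, not code from the thread or from Cisco: it is a pure-standard-library DER walker that lists the revoked serial numbers in an X.509 CRL (RFC 5280 section 5.1) and renders the issuer name in the same "CN = ..., OU = ..." form IOS prints. The sample CRL is constructed inside the script with a placeholder signature; the names parse_crl and is_revoked are hypothetical. It decodes only; it does not verify the CRL signature against the CA certificate, which the router does and which you should still do before trusting the contents.

```python
"""Decode an X.509 CRL (RFC 5280 s.5.1) and list its revoked serials.

Standard library only.  The CRL used here is CONSTRUCTED by this script
(not the PK-CA CRL from the thread); its signature is a placeholder and
is NOT verified.  parse_crl / is_revoked are hypothetical helper names.
"""
import datetime

# ---- minimal DER encoder, used only to build the constructed sample ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # Positive INTEGER; the +8 keeps a leading zero byte when the high bit is set.
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def utc_time(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

# sha1WithRSAEncryption AlgorithmIdentifier (OID 1.2.840.113549.1.1.5 + NULL)
SHA1_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")

# X.520 attribute OIDs, rendered in the short form IOS prints (CN = ..., OU = ...)
ATTR_NAMES = {"550403": "CN", "55040b": "OU", "55040a": "O",
              "550407": "L", "550408": "ST", "550406": "C"}

def build_name(attrs):
    rdns = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid))
                                      + tlv(0x13, val.encode("ascii"))))
                    for oid, val in attrs)
    return tlv(0x30, rdns)

def build_crl(issuer, this_update, next_update, revoked):
    entries = b"".join(tlv(0x30, der_int(s) + utc_time(d)) for s, d in revoked)
    tbs = tlv(0x30, der_int(1) + SHA1_RSA + build_name(issuer)
              + utc_time(this_update) + utc_time(next_update) + tlv(0x30, entries))
    fake_sig = tlv(0x03, b"\x00" + bytes(16))   # placeholder, NOT a real signature
    return tlv(0x30, tbs + SHA1_RSA + fake_sig)

# ---- minimal DER walker: this part is what you run on a CRL fetched from the CDP ----
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(val.decode("ascii"), fmt)

def decode_name(content):
    parts = []
    for _, rdn in children(content):            # SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTR_NAMES.get(oid.hex(), oid.hex())} = {val.decode('ascii')}")
    return ", ".join(parts)

def parse_crl(der):
    _, cert_list, _ = read_tlv(der, 0)          # CertificateList
    _, tbs, _ = read_tlv(cert_list, 0)          # tbsCertList
    fields = children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0        # optional version INTEGER
    i += 1                                      # signature AlgorithmIdentifier
    issuer = decode_name(fields[i][1]); i += 1
    this_update = decode_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = decode_time(*fields[i]); i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:   # revokedCertificates (optional)
        for _, entry in children(fields[i][1]):
            parts = children(entry)
            serial = int.from_bytes(parts[0][1], "big", signed=True)
            revoked[serial] = decode_time(*parts[1])
    return {"issuer": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

def is_revoked(der, serial):
    return serial in parse_crl(der)["revoked"]

# Constructed sample: issuer modelled on the thread, serials and dates invented.
SAMPLE_CRL = build_crl(
    [("550403", "PK-CA"), ("55040b", "PK"), ("55040a", "PK"), ("550406", "IT")],
    datetime.datetime(2004, 6, 19, 13, 32, 47),
    datetime.datetime(2004, 6, 19, 15, 7, 47),
    [(0x1001, datetime.datetime(2004, 6, 18, 9, 0, 0)),
     (0x7F00ABCD, datetime.datetime(2004, 6, 19, 8, 15, 0))])

if __name__ == "__main__":
    info = parse_crl(SAMPLE_CRL)                # for a real CRL: parse_crl(open(path, "rb").read())
    print("CRL Issuer Name:", info["issuer"])
    print("LastUpdate:", info["this_update"], " NextUpdate:", info["next_update"])
    for serial, date in info["revoked"].items():
        print(f"  revoked serial {serial:X} on {date}")
```

To use it on the CRL the router is fetching, download the file from the CDP URL shown by show crypto ca crls and pass its bytes to parse_crl; if the CDP serves it PEM-encoded rather than DER, base64-decode the body between the BEGIN/END lines first. Comparing the decoded serials with the certificate serials in the router's running-config tells you whether a given certificate is on the list, independently of what the CLI chooses to display.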