Microsoft CA server CRL

ric.james
Community Member

I am attempting to get a pair of routers to set up IPsec using a certificate server to start the ball rolling. I have the whole thing working just fine as long as my trustpoint has a "crl optional" configuration set for it. I need to have the routers query the CRL whenever the "offsite" router attempts to establish the IPsec tunnel to the "headquarters" router.

I have used the "crl query" command in the trustpoint and I'm using the LDAP URL out of the certificates the routers have received verbatim. The routers tell me they cannot resolve the server name. Does anyone have an example of what the MS LDAP URL is supposed to look like?

Thanks.

1 Reply

ric.james
Community Member

Additional info: Here's the trustpoint config as it exists in the router.

crypto ca trustpoint msca
 enrollment mode ra
 enrollment url http://10.128.0.5:80/certsrv/mscep/mscep.dll
 serial-number
 subject-name cn=HQ.agency.gov, ou=ITOD, o=agency, l=Washington, st=DC, c=US, ea=test@agency.gov
 crl query ldap:///CN=caserv.agency.gov(1),CN=tacacs2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab1b972,DC=agency?certificateRevocationList?base?objectClass=cRLDistributionPoint

The router has debug pki messages and transactions running. When I try to pull the CRL onto this router, it tells me it cannot resolve the server name and therefore can't find it. The DNS service is set up and the router can ping and trace to it by name.

Any ideas?
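The CRL distribution point URL that Active Directory Certificate Services writes into its certificates is of the form ldap:///CN=...: the authority (host) component between the slashes is empty, because domain-joined Windows clients locate a domain controller themselves through the AD DC locator. A router has no such mechanism, so before it can query the CRL the URL needs an explicit LDAP server host (and, if non-default, port). The script below is an added example, not code from the original post or from Cisco or Microsoft: it parses an RFC 4516 LDAP URL into its parts, reports why a non-domain client cannot use the host-less form, and rewrites it with a host supplied by the caller. The sample URL is the one from the post (with the filter attribute spelled objectClass); the replacement host dc1.lab.example and the helper names are assumptions for illustration.

```python
"""Parse a Microsoft AD CS style LDAP CRL distribution point URL and
supply the host it is missing.

Added example; not code from the original post, Cisco or Microsoft.
SAMPLE_CDP_URL is the CDP URL quoted in the post (filter spelled
objectClass); the host dc1.lab.example used below is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import quote, unquote

# Constructed sample input: the host-less CDP URL issued by the Microsoft CA.
SAMPLE_CDP_URL = (
    "ldap:///CN=caserv.agency.gov(1),CN=tacacs2,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=lab1b972,DC=agency"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
)


@dataclass
class LdapUrl:
    scheme: str
    host: str                 # "" for the ldap:///... form
    port: Optional[int]
    dn: str                   # percent-decoded distinguished name
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = ""


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an RFC 4516 URL: scheme://host:port/dn?attributes?scope?filter."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, rest = rest.partition("/")
    host, _, port_s = hostport.partition(":")
    port = int(port_s) if port_s else None
    fields = rest.split("?")
    fields += [""] * (4 - len(fields))      # dn, attrs, scope, filter are optional
    dn, attrs, scope, flt = fields[:4]
    return LdapUrl(
        scheme=scheme.lower(),
        host=host,
        port=port,
        dn=unquote(dn),
        attributes=[a for a in attrs.split(",") if a],
        scope=scope or "base",             # RFC 4516 default scope is base
        filter=unquote(flt),
    )


def build_ldap_url(u: LdapUrl) -> str:
    """Reassemble the URL, percent-encoding spaces in the DN (e.g. %20)."""
    hostport = u.host if u.port is None else f"{u.host}:{u.port}"
    dn = quote(u.dn, safe="=,()")          # keep DN punctuation readable
    return f"{u.scheme}://{hostport}/{dn}?{','.join(u.attributes)}?{u.scope}?{u.filter}"


def check_crl_url(url: str) -> List[str]:
    """Reasons a client without AD DC locator (a router) cannot use this URL."""
    u = parse_ldap_url(url)
    problems = []
    if not u.host:
        problems.append("no host: ldap:/// relies on the AD DC locator, which a router lacks")
    if "certificateRevocationList" not in u.attributes:
        problems.append("attribute list does not request certificateRevocationList")
    if u.scope != "base":
        problems.append(f"scope should be base for a CDP object, got {u.scope}")
    return problems


def with_host(url: str, host: str, port: Optional[int] = None) -> str:
    """Return url unchanged if it already names a host, else insert host[:port]."""
    u = parse_ldap_url(url)
    if u.host:
        return url
    u.host, u.port = host, port
    return build_ldap_url(u)


if __name__ == "__main__":
    for p in check_crl_url(SAMPLE_CDP_URL):
        print("problem:", p)
    print("use instead:", with_host(SAMPLE_CDP_URL, "dc1.lab.example"))
```

The rewritten URL is what would go into the router's `crl query` line in place of the bare ldap:/// form; the DN, attribute (certificateRevocationList), scope (base) and filter are left exactly as the CA wrote them, since those are what select the CDP object in the Configuration partition. The host should be a domain controller (or global catalog) that the router can resolve and reach on the LDAP port, and the CRL object must be readable by an anonymous bind unless the router is configured to authenticate.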