Hello community!
I need to configure a trustpoint where the CA and OCSP server are reachable from different VRFs. I just discovered the feature "PKI Split VRF in Trustpoint", see Cisco document https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-16-12/sec-pki-xe-16-12-book/sec-pki-split-vrf.html.
The document mentions two examples:
Enrollment and Certificate Revocation List Via Same VRF
The following example shows how to configure the enrollment and certificate revocation list (CRL) via the same VRF:
crypto pki trustpoint trustpoint1
 enrollment url http://10.10.10.10:80
 vrf vrf1
 revocation-check crl
Enrollment and Certificate Revocation List Via Different VRF
The following example shows how to configure the enrollment and certificate revocation list (CRL) via different VRF:
crypto pki profile enrollment pki_profile
 enrollment url http://10.10.10.10:80 vrf vrf2
crypto pki trustpoint trustpoint1
 enrollment profile pki_profile
 vrf vrf1
 revocation-check crl
My problem is that I need the enrollment to the CA to happen via the global routing space and the communication with the OCSP server to happen via a VRF. Is this possible? Would this work:
crypto pki profile enrollment pki_profile
 enrollment url http://10.10.10.10:80 <---- no vrf
crypto pki trustpoint mytrustpoint
 enrollment profile pki_profile
 vrf vrf1
 revocation-check ocsp
 ocsp url http://20.20.20.20
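Editor's note, not part of the original post: the question as posted does not settle whether an enrollment profile whose "enrollment url" carries no "vrf" keyword uses the global routing table or inherits the "vrf" configured on the trustpoint, so the practical thing is to test it on the box before relying on it. The following IOS-XE CLI session is a constructed example of that check; it reuses the profile, trustpoint and VRF names proposed above, and the two addresses are placeholders. The commands shown (crypto pki authenticate, debug crypto pki transactions, debug ip http client all, show crypto pki trustpoints ... status) are standard IOS/IOS-XE commands; the interpretation of the debug output is the editor's, not something the page confirms.

```cisco
! Constructed check (editor's addition): load the proposed split configuration,
! then authenticate the CA while watching which routing table the HTTP client uses.
configure terminal
crypto pki profile enrollment pki_profile
 enrollment url http://10.10.10.10:80
 ! no "vrf" keyword here: the intent is enrollment via the global table
!
crypto pki trustpoint mytrustpoint
 enrollment profile pki_profile
 vrf vrf1
 revocation-check ocsp
 ocsp url http://20.20.20.20
!
end
!
! Confirm basic reachability for each path before debugging PKI itself:
! the CA from the global table, the OCSP responder from vrf1.
ping 10.10.10.10
ping vrf vrf1 20.20.20.20
!
! Enable PKI and HTTP-client debugging, then fetch the CA certificate.
debug crypto pki transactions
debug ip http client all
crypto pki authenticate mytrustpoint
!
! In the debug output, look at the HTTP GET towards 10.10.10.10. If it is sent
! via the global table, the profile URL without "vrf" did not inherit the
! trustpoint's vrf1 and the split behaves as hoped; if the request is sourced
! from vrf1, the trustpoint VRF applies to enrollment as well and the design
! has to change (for example, make the CA reachable from vrf1).
!
! The OCSP lookup is only exercised once a peer certificate is validated
! (e.g. an IPsec/SSL session using this trustpoint); when it happens, the same
! debug output shows the GET/POST to 20.20.20.20 and the table it uses.
show crypto pki trustpoints mytrustpoint status
undebug all
```

Run the reachability pings first: a PKI transaction that fails for plain routing reasons looks the same in the PKI debugs as a VRF-inheritance problem, and separating the two saves a lot of guessing.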