Problem with ASA, Certificates and CRL

stephan.ochs
Level 1

Hi there

I have an ASA5550 with 8.0(3).

Our clients authenticate with a certificate enrolled from SubCA.

The SubCA-certificate enrolled to the ASA contains a CRL Distribution Point that is not reachable from ASA, so I had to manually configure another one (via "crl configure...url...").

This CRL contains the path to the Delta CRL and it should be reachable from ASA (same path as manually configured) but the ASA doesn't retrieve the Delta CRL.

Revoked certificates still can get in...

Any hint/solution?

Thanks

Stephan

5 Replies

rate
Level 1

Hi,

Did you ever get this solved? I've got the same problem. I can request the CRL list from our ASA (from our internal CA server) successfully, but clients still get in even if I revoke their computer certificates.

/Rasmus

Hi Rasmus

Do you have the problem with Delta CRL or always?

With Delta CRL I got the answer from Cisco, that it isn't supported by ASA.

Maybe now it is, with a newer version, but I don't know.

We are using CRLs without Delta-List and it works.

Did you check your config?

There are options whether and how to check CRLs.

ASDM:

Configuration/Remote Access VPN/Certificate Management/CA Certificates

Mark CA and click

See first page "Revocation Check"

Hi Stephan,

Thanks for your reply, but I just fixed it! There was a number of things wrong - all my fault

If the ASA doesn't support delta-crl will it just always get the full list or what? Even if delta is enabled at the CA server? Do I need to configure anything?

/Rasmus

Yes it will. We were wondering, why newly revoked certificates were still able to get in.

Then we found out that it concerned all certificates in Delta-CRL.

We switched the CA back to write full CRL and everything was fine.

This was in May 2009.

I got the following answer from Cisco:

...

From your problem description I understand you would like to use DELTA-CRL on the ASA. This feature is unfortunately not supported at the moment. I did not find any roadmap on this either. The alternative would be to use OCSP but I guess you already thought about it.

At this point, I would strongly suggest you to contact your local Cisco Account team. They will open a PER (Product Enhancement Request) and communicate your business impact to try to get it implemented fast.

...

I don't know whether it is implemented now...

Greetings

Stephan
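An added example (not from this thread or from Cisco) modelling the base-plus-delta CRL processing of RFC 5280 section 5.2.4, to show why a relying party that only fetches the full CRL, as the ASA does here, misses a revocation that has so far been published only in the delta. The issuer name and serial numbers are constructed sample data.

```python
# Added example: minimal model of RFC 5280 base + delta CRL processing.
# A relying party that consumes only the base (full) CRL misses revocations
# that the CA has so far published only in the delta CRL.
from dataclasses import dataclass, field
from typing import Dict, Optional

REMOVE_FROM_CRL = "removeFromCRL"  # reason code 8; only meaningful in a delta CRL

@dataclass
class CRL:
    issuer: str
    crl_number: int
    revoked: Dict[int, str] = field(default_factory=dict)  # serial -> reason
    base_crl_number: Optional[int] = None  # set only on a delta CRL (Delta CRL Indicator)

def merge(base: CRL, delta: CRL) -> CRL:
    """Combine a base CRL with a delta CRL the way RFC 5280 section 5.2.4 describes."""
    if delta.base_crl_number is None:
        raise ValueError("second argument is not a delta CRL")
    if delta.issuer != base.issuer:
        raise ValueError("delta and base CRL issuers differ")
    if delta.base_crl_number > base.crl_number:
        raise ValueError("base CRL is older than the delta's referenced base")
    combined = dict(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            combined.pop(serial, None)  # certificate hold lifted by the CA
        else:
            combined[serial] = reason
    return CRL(base.issuer, delta.crl_number, combined)

def is_revoked(serial: int, base: CRL, delta: Optional[CRL] = None) -> bool:
    effective = merge(base, delta) if delta is not None else base
    return serial in effective.revoked

# Constructed sample data (hypothetical SubCA): full CRL #10, then a delta (#11,
# base 10) that revokes serial 0x1234 and lifts the hold on serial 0x0042.
BASE = CRL("CN=SubCA", 10, {0x0042: "certificateHold", 0x0099: "keyCompromise"})
DELTA = CRL("CN=SubCA", 11, {0x1234: "superseded", 0x0042: REMOVE_FROM_CRL},
            base_crl_number=10)
SERIALS = (0x1234, 0x0042, 0x0099)

def base_only_verdicts() -> Dict[int, bool]:
    """What a checker sees when it ignores the delta (the ASA behaviour in the thread)."""
    return {s: is_revoked(s, BASE) for s in SERIALS}

def full_verdicts() -> Dict[int, bool]:
    """What a checker sees when it applies the delta on top of the base CRL."""
    return {s: is_revoked(s, BASE, DELTA) for s in SERIALS}

if __name__ == "__main__":
    print("base only :", base_only_verdicts())  # 0x1234 still reported as valid
    print("base+delta:", full_verdicts())       # 0x1234 reported as revoked
```

Until the CA publishes the next full CRL, the base-only checker keeps accepting serial 0x1234, which is exactly the gap the thread closes by switching the CA to frequent full CRLs.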

rate
Level 1

I just tried with Delta CRL and it didn't work. Adjusted our CA server to generate full CRLs often. Thanks for your help!

/Rasmus
