Hmmmm, but if I browse to the CRL URL on my laptop, I can see the list of
serial numbers that have been revoked :-(
Seems like the CRLs are not showing up on R5 or R6 for some reason...
-----Original Message-----
From: Darren Johnson [mailto:dazza_johnson_at_yahoo.co.uk]
Sent: 26 November 2009 15:04
To: 'Tyson Scott'; 'Sadiq Yakasai'; 'Cisco certification'; 'Cisco
certification'
Subject: RE: IOS CA and CRL Distribution Point
Hi guys, did you ever get this working? I have 3 routers. R4=CA, R5 and R6
both enrolled. When I try and revoke R6 certificate, I can still see R5
accepting it (when I run IKE phase 1). I have tried to manually force R5 to
receive the CRL via 'crypto pki crl request My-CA' but there is nothing
regarding R6's revoked certificate when I enter 'show crypto pki crls' ???
Can anyone help?
Thanks
Darren
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Tyson Scott
Sent: 10 August 2009 21:29
To: 'Sadiq Yakasai'; 'Cisco certification'; 'Cisco certification'
Subject: RE: IOS CA and CRL Distribution Point
Sadiq,
The URL should be like the following:
cdp-url http://<ip_or_hostname>/cgi-bin/pkiclient.exe?operation=GetCRL
You can do it differently if you only have SCEP clients but as the above URL
string will work with all client types I recommend using the URL as shown
above.
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott_at_ipexpert.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Monday, August 10, 2009 3:19 PM
To: Cisco certification; Cisco certification
Subject: IOS CA and CRL Distribution Point
Hi guys,
I am trying to get information about configuration of a CRL on IOS CA. I
have done a bit of searching on CCO but can't seem to lay a finger on the
right document. A few questions I have in mind are:
1. Is the CRL configurable on the IOS CA at all?
2. Is there a default CRL when IOS CA is configured on a Cisco device?
What I am trying to do is figure a CDP on a router (it's a 2800 series router
running 12.4T) against one of its interfaces. But I am just not completely
sure what the URL should look like. For example (the IP address belongs to
one of the interfaces of the router):
crypto pki server IOSCA
 grant auto
 lifetime crl 24
 cdp-url http://163.1.12.2/test.iosca.crl
Any tips or pointers to a document where I can read up on this would be really
appreciated.
--
CCIE #19963

Received on Thu Nov 26 2009 - 15:19:23 ART
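
An added example, not part of any message in this thread: the CA configuration from the original question with the CDP URL in the form Tyson recommends, followed by the relying-router trustpoint and the commands for comparing what the CA publishes with what a router holds. The names IOSCA and My-CA and the address 163.1.12.2 come from the messages above; the serial number is a constructed placeholder, and it is an assumption that R5 validates peers through a trustpoint with CRL checking enabled.

```cisco
! Added example. IOSCA and 163.1.12.2 are from the original question,
! My-CA is from Darren's message; serial 0x3 is a constructed placeholder.
!
! --- CA router (R4) ---
! The IOS CA serves SCEP and CRL requests through the HTTP server.
ip http server
!
crypto pki server IOSCA
 grant auto
 lifetime crl 24
 ! Press Ctrl-V before typing the "?" in the URL, otherwise the CLI
 ! treats it as a help request.
 cdp-url http://163.1.12.2/cgi-bin/pkiclient.exe?operation=GetCRL
 no shutdown
!
! The CDP is written into each certificate at issue time, so
! certificates granted before cdp-url was set or changed keep
! whatever CDP they were issued with.
!
! --- Relying router (R5), assumed trustpoint settings ---
crypto pki trustpoint My-CA
 enrollment url http://163.1.12.2:80
 ! Without CRL checking a revoked peer certificate is still accepted.
 revocation-check crl
!
! --- Checks ---
! On R4: revoke by serial number, then list what the CA publishes.
crypto pki server IOSCA revoke 0x3
show crypto pki server IOSCA crl
!
! On R5 and R6: show which CDP each installed certificate carries.
show crypto pki certificates verbose
!
! On R5: fetch a fresh CRL instead of waiting for the cached one to
! expire, then display it and compare with the CA's list.
crypto pki crl request My-CA
show crypto pki crls
```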