Perhaps a stupid question, but did you change the "revocation-check"
parameter to crl from none? From what I remember, the default is not to
check the CRL. To answer your previous question, you can also use SCEP. If
you are using SCEP, all you need on the spoke routers is the enrollment URL
as http and have http enabled on the IOS CA. The spokes or client will
download the CRL automatically via SCEP. You do not need CDP in that case.
show crypto ca crl
:P
On Thu, Nov 26, 2009 at 7:19 AM, Darren Johnson
<dazza_johnson_at_yahoo.co.uk>wrote:
> Hmmmm, but if I browse the CRL URL on my laptop, I can see the list of
> serial numbers that have been revoked :-(
>
> Seems like the CRLs are not showing up on R5 or R6 for some reason...
>
> -----Original Message-----
> From: Darren Johnson [mailto:dazza_johnson_at_yahoo.co.uk]
> Sent: 26 November 2009 15:04
> To: 'Tyson Scott'; 'Sadiq Yakasai'; 'Cisco certification'; 'Cisco
> certification'
> Subject: RE: IOS CA and CRL Distribution Point
>
> Hi guys, did you ever get this working? I have 3 routers. R4=CA, R5 and R6
> both enrolled. When I try and revoke R6 certificate, I can still see R5
> accepting it (when I run IKE phase 1). I have tried to manually force R5 to
> receive the CRL via 'crypto pki crl request My-CA' but there is nothing
> regarding R6s revoked certificate when I enter 'show crypto pki crls' ???
>
> Can anyone help ?
>
> Thanks
> Darren
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Tyson Scott
> Sent: 10 August 2009 21:29
> To: 'Sadiq Yakasai'; 'Cisco certification'; 'Cisco certification'
> Subject: RE: IOS CA and CRL Distribution Point
>
> Sadiq,
>
> The URL should be like the following:
>
> cdp-url http://<ip_or_hostname>/cgi-bin/pkiclient.exe?operation=GetCRL
>
> You can do it differently if you only have SCEP clients but as the above
> URL
> string will work with all client types I recommend using the URL as shown
> above.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: tscott_at_ipexpert.com
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand
> and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
> Lab Certifications.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Monday, August 10, 2009 3:19 PM
> To: Cisco certification; Cisco certification
> Subject: IOS CA and CRL Distribution Point
>
> Hi guys,
>
> I am trying to get information about configuration of a CRL on IOS CA. I
> have done a bit of searching on CCO but can't seem to lay a finger on the
> right document. A few questions I have in mind are:
>
> 1. Is the CRL configurable on the IOS CA at all?
> 2. Is there a default CRL when IOS CA is configured on a Cisco device?
>
> What I am trying to do is figure a CDP on a router (it's a 2800 series
> router
> running 12.4T) against one of its interfaces. But I am just not completely
> sure what the URL should look like. For example (the IP address belongs to
> one of the interfaces of the router):
>
> crypto pki server IOSCA
> grant auto
> lifetime crl 24
> cdp-url http://163.1.12.2/test.iosca.crl
>
> Any tips or pointers to a document I can read this up would be really
> appreciated.
>
>
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
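The two points raised in the thread (the CDP URL form Tyson gives, and the revocation-check setting the last reply asks about) side by side, as an added configuration illustration that is not from any poster; the names IOS-CA and My-CA and the address 10.0.0.1 are assumed:

```text
! Added illustration, not configuration posted in this thread.
! Trustpoint/server names and the 10.0.0.1 address are assumed.

! --- R4 (IOS CA): publish a CRL that both SCEP clients and a browser can fetch
ip http server
crypto pki server IOS-CA
 database level complete
 lifetime crl 24
 cdp-url http://10.0.0.1/cgi-bin/pkiclient.exe?operation=GetCRL
 grant auto
 no shutdown

! --- R5 trustpoint, weak: the CRL is never consulted, so a revoked R6
!     certificate is still accepted during IKE phase 1
crypto pki trustpoint My-CA
 enrollment url http://10.0.0.1:80
 revocation-check none

! --- R5 trustpoint, corrected: the CRL is retrieved (over SCEP, no CDP needed
!     on the spoke) and checked before the peer certificate is accepted
crypto pki trustpoint My-CA
 enrollment url http://10.0.0.1:80
 revocation-check crl

! Verify on R5 after revoking R6's certificate on the CA:
!   crypto pki crl request My-CA    ! force a fresh CRL download
!   show crypto pki crls            ! R6's serial should now be listed
```

If `show crypto pki crls` still shows nothing after the request, check that the CA's HTTP server is reachable from R5 and that the cdp-url on the CA was set before the client certificates were issued, since the CDP is embedded in each issued certificate.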
Received on Sun Nov 29 2009 - 01:57:03 ART
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:29 ART