Darren,
I remember one mistake I made was choosing the wrong interface that was
NAT'ed in another task.
On R5 and R6 when you issue "show crypto pki certificates" does it list the
CDP URL you are expecting to reach from the other routers and is it an
address they can reach?
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
From: Piyoush Sharma [mailto:piyoush_at_gmail.com]
Sent: Sunday, November 29, 2009 4:57 AM
To: Darren Johnson
Cc: Tyson Scott; Sadiq Yakasai; Cisco certification; Cisco certification
Subject: Re: IOS CA and CRL Distribution Point
Perhaps a stupid question, but did you change the "revocation-check"
parameter to crl from none? From what I remember, the default is not to
check the CRL. To answer your previous question, you can also use SCEP. If
you are using SCEP, all you need on the spoke routers is the enrollment URL
as http and have http enabled on the IOS CA. The spokes or client will
download the CRL automatically via SCEP. You do not need CDP in that case.
show crypto ca crl
:P
On Thu, Nov 26, 2009 at 7:19 AM, Darren Johnson <dazza_johnson_at_yahoo.co.uk>
wrote:
Hmmmm, but if I browse the CRL URL on my laptop, I can see the list of
serial numbers that have been revoked :-(
Seems like the CRLs are not showing up on R5 or R6 for some reason...
-----Original Message-----
From: Darren Johnson [mailto:dazza_johnson_at_yahoo.co.uk]
Sent: 26 November 2009 15:04
To: 'Tyson Scott'; 'Sadiq Yakasai'; 'Cisco certification'; 'Cisco
certification'
Subject: RE: IOS CA and CRL Distribution Point
Hi guys, did you ever get this working? I have 3 routers. R4=CA, R5 and R6
both enrolled. When I try to revoke R6's certificate, I can still see R5
accepting it (when I run IKE phase 1). I have tried to manually force R5 to
receive the CRL via 'crypto pki crl request My-CA' but there is nothing
regarding R6's revoked certificate when I enter 'show crypto pki crls' ???
Can anyone help?
Thanks
Darren
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Tyson Scott
Sent: 10 August 2009 21:29
To: 'Sadiq Yakasai'; 'Cisco certification'; 'Cisco certification'
Subject: RE: IOS CA and CRL Distribution Point
Sadiq,
The URL should be like the following:
cdp-url http://<ip_or_hostname>/cgi-bin/pkiclient.exe?operation=GetCRL
You can do it differently if you only have SCEP clients but as the above URL
string will work with all client types I recommend using the URL as shown
above.
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott_at_ipexpert.com
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
Lab Certifications.
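Putting Tyson's CDP URL together with Piyoush's point about revocation-check, here is what the two sides of the lab could look like. This is an added example, not configuration from anyone in the thread; the address 163.1.12.2 and trustpoint name My-CA are borrowed from the thread, and the serial 0x2 is an assumed value.

```cisco
! --- R4: IOS CA server (assumed example config, not from the thread) ---
! The CA's own HTTP server answers both SCEP enrollment and CRL downloads,
! so it must be enabled and reachable from the spokes (and not hidden behind
! a NAT from another task).
ip http server
!
crypto pki server My-CA
 database level complete
 grant auto
 lifetime crl 24
 ! CDP URL in the form that works for SCEP and non-SCEP clients alike
 cdp-url http://163.1.12.2/cgi-bin/pkiclient.exe?operation=GetCRL
 no shutdown
!
! --- R5 (spoke): trustpoint enrolled against the IOS CA ---
crypto pki trustpoint My-CA
 enrollment url http://163.1.12.2:80
 ! Weak setting: with "revocation-check none" the CRL is never consulted,
 ! so a revoked peer certificate is still accepted during IKE phase 1.
 ! Corrected setting: consult the CRL fetched from the CDP / via SCEP.
 revocation-check crl
!
! --- EXEC steps to test revocation ---
! On R4: revoke R6's certificate by serial number (0x2 is an assumed serial;
! read the real one from "show crypto pki certificates" on R6).
crypto pki server My-CA revoke 0x2
!
! On R5: force a fresh CRL download and confirm the serial is now listed,
! then re-run IKE phase 1 against R6 and expect the certificate to be rejected.
crypto pki crl request My-CA
show crypto pki crls
```

If "show crypto pki crls" on the spoke still shows no revoked serials after the request, check "show crypto pki certificates" on the spoke for the CDP URL it actually learned and confirm that address is reachable from the spoke.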
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Monday, August 10, 2009 3:19 PM
To: Cisco certification; Cisco certification
Subject: IOS CA and CRL Distribution Point
Hi guys,
I am trying to get information about configuration of a CRL on IOS CA. I
have done a bit of searching on CCO but can't seem to lay a finger on the
right document. A few questions I have in mind are:
1. Is the CRL configurable on the IOS CA at all?
2. Is there a default CRL when IOS CA is configured on a Cisco device?
What I am trying to do is figure out a CDP on a router (it's a 2800 series
router running 12.4T) against one of its interfaces. But I am just not
completely sure what the URL should look like. For example (the IP address
belongs to one of the interfaces of the router):
crypto pki server IOSCA
 grant auto
 lifetime crl 24
 cdp-url http://163.1.12.2/test.iosca.crl
Any tips or pointers to a document I can read up on this in would be really
appreciated.
-- CCIE #19963
Blogs and organic groups at http://www.ccie.net
Received on Mon Nov 30 2009 - 16:02:15 ART
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:29 ART