Configuring CRL when using certificates for VPN connection

Feb 6th, 2009

Dear all,

I have established a successful Hub&Spoke DMVPN connection between routers, but I'm not using a pre-shared key; I'm using certificates that I could enroll from a CA server where I installed mscep.

My configuration worked when I had put

"revocation-check none"

Now I need to use the CRL. Can anyone advise on that, please?

crypto pki trustpoint CASrv1
 enrollment mode ra
 enrollment url
 revocation-check none

Ivan Martinon (Cisco Employee) Fri, 02/06/2009 - 10:50

You need to check that your CA server has CRL publishing enabled. If the Hub is unable to contact the CRL server and download the list, then it will not accept the connection. To test, you can set the revocation to optional while troubleshooting why your CRL is not coming down.

As a configuration, you need to make sure that your CRL link is reachable via your selected protocol. For example, your CA server, when giving you your certificate, gives you as well your CDP distribution point. Usually that URL contains the hostname of your CA server, and if this server is not found by name resolution then your router will not be able to find it.

imadjabboury Fri, 02/06/2009 - 14:05

"As a configuration, you need to make sure that your CRL link is reachable via your selected protocol"

How can I know the URL of the CRL link, since it arrives with the certificate, as I understood?

And do I have any added configuration on my router, other than changing the revocation-list value?

Ivan Martinon (Cisco Employee) Fri, 02/06/2009 - 14:12

You can modify the value with the cdp-url configuration under the CRL mode of your router.
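
An added example, not part of the original thread and not the posters' configuration: one way to move the CASrv1 trustpoint from `revocation-check none` to enforced CRL checking, following the steps in the first reply. The hostname `ca-srv1.example.test` and address `192.0.2.10` are placeholders, and mapping "optional" to `revocation-check crl none` is this example's reading of that reply.

```ios
! Constructed example: ca-srv1.example.test and 192.0.2.10 are placeholders
! for the hostname found in the certificate's CDP and the CA server's address.
!
! 1. Exec mode: read the CDP URL the CA embedded in the enrolled certificate
!    (listed under "CRL Distribution Points" in the output).
!      show crypto pki certificates
!
! 2. Make the CDP hostname resolvable from the router. A static host entry
!    is shown here; a reachable DNS server works as well.
ip host ca-srv1.example.test 192.0.2.10
!
! 3. While troubleshooting: try the CRL first, but fall back to accepting
!    the peer if the CRL cannot be downloaded. Revocation is not enforced
!    whenever the download fails, so treat this as a temporary setting.
crypto pki trustpoint CASrv1
 revocation-check crl none
!
! 4. Exec mode: confirm that a CRL has actually been downloaded and cached.
!      show crypto pki crls
!
! 5. Once the CRL downloads reliably, enforce it: a peer is rejected when
!    its certificate is revoked or when no CRL can be obtained.
crypto pki trustpoint CASrv1
 revocation-check crl
```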

