Problem with ASA, Certificates and CRL

Unanswered Question
Apr 28th, 2009
User Badges:

Hi there


I have an ASA5550 with 8.0(3).

Our clients authenticate with a certificate enrolled from SubCA.

The SubCA-certificate enrolled to the ASA contains a CRL Distribution Point that is not reachable from ASA so i had to manually configure another one (via "crl configure...url...").

This CRL contains the path to the Delta CRL and it should be reachable from ASA (same path as manually configured) but the ASA doesn't retrieve the Delta CRL.

Revoked certificates still can get in...


Any hint/solution?


Thanks


Stephan

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
rate Mon, 06/28/2010 - 01:58
User Badges:

Hi,


Did you ever get this solved? I've got the same problem. I can request the CRL list from our ASA (from our internal CA server) succesfully, but clients still get in even if I revoke their computer certificates.


/Rasmus

stephan.ochs Mon, 06/28/2010 - 02:07
User Badges:

Hi Rasmus


Do you have the problem with Delta CRL or always?


With Delta CRL I got the answer from Cisco, that it isn't supported by ASA.

Maybe now it is, with a newer version, but I don't know.

We are using CRLs without Delta-List and it works.


Did you check your config?

There are options wether and how to check CRLs.

ASDM:

Configuration/Remote Access VPN/Certificate Management/CA Certificates

Mark CA and klick

See first page "Revocation Check"

rate Tue, 06/29/2010 - 01:35
User Badges:

Hi Stephan,


Thanks for your reply, but I just fixed it! There was a number of things wrong - all my fault


If the ASA doesn't support delta-crl will it just always get the full list or what? Even if delta is enabled at the CA server? Do I need to configure anything?


/Rasmus

stephan.ochs Tue, 06/29/2010 - 01:47
User Badges:

Yes it will. We were wondering, why newly revoked certificates were still able to get in.

Then we found out that it concerned all certificates in Delta-CRL.

We switched the CA back to write full CRL and everything was fine.


This was in May 2009.

I got the following answer from Cisco:

...

From your problem description I understand you would like to use DELTA-CRL on the ASA. This feature is unfortunately not supported at the moment. I did not find any roadmap on this either. The alternative would be to use OCSP but I guess you already thought about it.

At this point, I would strongly suggest you to contact your local Cisco Account team. They will open a PER (Product Enhancement Request) and communicate your business impact to try to get it implemented fast.

...


I don't know, wether it is implemented now...


Greetings


Stephan

rate Tue, 06/29/2010 - 03:24
User Badges:

I just tried with Delta CRL and it didn't work. Adjusted our CA server to generate full CRL's often. THanks for your help!


/Rasmus

Actions

This Discussion