ASA5515-X (9.4.1) CRL ignore

seacompsro
Level 1

Hi All,

I am trying to configure a CA certificate so that VPN users are able to connect using a certificate on a smartcard.

I have added our local MS Certificate Authority to a crypto ca trustpoint and configured "Accept certificates issued by this CA". So far so good, but CRL doesn't work as expected.

1) ASA was not able to parse the CRL URL path from the certificate (workaround is to configure a static URL)

2) Revocation check tab - here is the biggest problem

    -Check certificates for revocation -> [Set for CRL only]

    -Consider certificate valid if revocation information cannot be retrieved [checked]

"Consider certificate valid" ignores the CRL list. I have placed the user certificate in Revoked certificates and published the CRL. When this checkbox was not checked, I could not log in (Certificate chain failed validation. Certificate is revoked.). After making this checkbox active, the user with the same certificate could log in without a problem.

I think this is a bug. The "consider certificate valid" option should allow users to log in only when the CRL path is unavailable. If I do not want to check the CRL, I configure "Do not check certificates for revocation".

Here is relevant config part:

crypto ca trustpoint ASDM_TrustPoint54
 revocation-check crl
 enrollment terminal
 validation-usage ssl-client
 no accept-subordinates
 crl configure
  policy static
  url 1 http://local.ca/CertEnroll/localCA.crl
  cache-time 1
  no protocol ldap
  no protocol scep
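The behaviour the post expects from the "consider certificate valid if revocation information cannot be retrieved" checkbox is an ordered fallback: consult the CRL, treat a fresh CRL as authoritative (revoked means reject), and only fall back to "accept" when no revocation data can be obtained. On the ASA CLI that checkbox corresponds, to my understanding, to a method list such as `revocation-check crl none` (an assumption about the ASDM-to-CLI mapping, not something stated on the page). The following Python model is an added example, not Cisco code or the poster's configuration; it implements that ordered-method evaluation in general (any sequence of `crl` and `none`) and also treats a CRL whose `nextUpdate` has passed as "no information". The issuer name, serial numbers, CRL contents and fetch outcomes are all constructed for the demonstration.

```python
"""Model of an ordered revocation-check policy (e.g. ASA `revocation-check crl none`).

Added illustration, not Cisco code.  The CRL contents, serial numbers and
fetch results below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    VALID = "valid"              # certificate may be used
    REVOKED = "revoked"          # serial is on a fresh CRL: always reject
    UNAVAILABLE = "unavailable"  # no usable revocation data and no 'none' fallback


@dataclass
class CRL:
    """Minimal stand-in for a parsed CRL: revoked serials plus validity window."""
    issuer: str
    revoked_serials: frozenset
    this_update: datetime
    next_update: datetime

    def is_fresh(self, now):
        # A CRL past nextUpdate must not be trusted as current revocation data.
        return self.this_update <= now <= self.next_update


class CRLFetchError(Exception):
    """Raised when the CRL distribution point cannot be reached."""


def check_revocation(serial, issuer, methods, fetch_crl, now=None):
    """Evaluate revocation methods in order, mirroring a keyword-list policy.

    'crl'  : fetch the issuer's CRL; a fresh CRL from the right issuer is
             authoritative (VALID or REVOKED).  A fetch failure, wrong issuer
             or stale CRL falls through to the next method.
    'none' : accept without further checks.  Placed after 'crl' it means
             "consider valid only when revocation data cannot be retrieved".
    If every method is exhausted without an answer, the certificate is rejected.
    """
    now = now or datetime.now(timezone.utc)
    for method in methods:
        if method == "none":
            return Verdict.VALID
        if method == "crl":
            try:
                crl = fetch_crl(issuer)
            except CRLFetchError:
                continue  # distribution point unreachable: try next method
            if crl.issuer != issuer or not crl.is_fresh(now):
                continue  # wrong issuer or expired CRL counts as no information
            if serial in crl.revoked_serials:
                return Verdict.REVOKED  # fresh CRL lists it: reject regardless of 'none'
            return Verdict.VALID
        raise ValueError(f"unknown revocation method: {method}")
    return Verdict.UNAVAILABLE


# --- constructed sample data (not from any real CA) --------------------------
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(
    issuer="CN=localCA",
    revoked_serials=frozenset({0x1A2B, 0x1A2C}),
    this_update=NOW - timedelta(hours=1),
    next_update=NOW + timedelta(days=7),
)


def fetch_ok(issuer):
    """Distribution point reachable, current CRL returned."""
    return SAMPLE_CRL


def fetch_down(issuer):
    """Distribution point unreachable (e.g. the static URL times out)."""
    raise CRLFetchError("http://local.ca/CertEnroll/localCA.crl unreachable")


def fetch_stale(issuer):
    """Reachable, but the cached CRL is past its nextUpdate."""
    return CRL(SAMPLE_CRL.issuer, SAMPLE_CRL.revoked_serials,
               NOW - timedelta(days=8), NOW - timedelta(days=1))


def demo():
    """Return the verdicts for the cases discussed in the post."""
    strict = ["crl"]          # reject if CRL cannot be retrieved
    soft = ["crl", "none"]    # 'consider valid if info cannot be retrieved'
    return {
        "revoked, crl reachable, strict": check_revocation(0x1A2B, "CN=localCA", strict, fetch_ok, NOW),
        "revoked, crl reachable, soft": check_revocation(0x1A2B, "CN=localCA", soft, fetch_ok, NOW),
        "good, crl reachable, soft": check_revocation(0x9999, "CN=localCA", soft, fetch_ok, NOW),
        "revoked, crl down, strict": check_revocation(0x1A2B, "CN=localCA", strict, fetch_down, NOW),
        "revoked, crl down, soft": check_revocation(0x1A2B, "CN=localCA", soft, fetch_down, NOW),
        "revoked, crl stale, strict": check_revocation(0x1A2B, "CN=localCA", strict, fetch_stale, NOW),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} -> {verdict.value}")
```

The second case is the one the post describes as broken: with the CRL reachable and the serial listed, the soft-fail policy must still return `REVOKED`; only the "crl down" and "crl stale" cases are where the `none` fallback legitimately produces `VALID`. Whether the soft-fail case should also be logged for later audit is a deployment decision, but treating a stale cached CRL as "unavailable" rather than "current" is what keeps a short `cache-time` meaningful.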
