Does Cisco ISE 2.0 Support CRL ?

eric.hosseini
Level 1

Dear support,

I want to configure Certificate Revocation List (CRL) on Cisco ISE version 2.0, but I cannot find the configuration section for CRL; however, the OCSP configuration section is there.

I've done some research and I found that configuring CRL was supported (at least on version 1.2), but on version 2.0 there is not any documentation about this (at least I couldn't find any). On this version "OCSP Client Profile" is the only section that can be found (under Administration > System > Certificates).

So the question is whether CRL is supported or OCSP is the only way on this version? If yes, how?

Thanks

7 Replies

Marvin Rhoads
Hall of Fame

Moved this thread to the correct forum for better engagement with and visibility to the community.

Do you want ISE to publish a CRL when acting as a CA or do you want it to use CRL(s) from external CA(s)?

The first is not a supported feature.

The second is configurable per CA. Look under Administration > System > Certificates > Certificate Management > Certificate Periodic Check Settings. (per the ISE 2.2 Admin Guide)

Hi Marvin,

Thanks for your reply.

Yes, I want to use CRL(s) from external CA(s). That section you are pointing to is for checking the downloaded CRL(s) ("Cisco ISE checks the Certificate Revocation Lists (CRL) periodically. Using this page, you can configure Cisco ISE to check ongoing sessions against CRLs that are downloaded automatically").

But my problem is that I don't know where I can configure the CRL(s) providers. In other words, where can I tell ISE "check this url which is the CRL provider/server's url and download the latest CRL" ?

I have an option which is "OCSP Client Profile" and I can set up OCSP provider(s) in there. But what about CRL?

I've attached a screenshot of options I have under Administration > System > Certificates 

Ah OK. You configure what you are asking about under the Administration > System > Certificates  > Trusted Certificates section.

Edit the CA for whom you wish to retrieve their CRL and you will see the section below (open in new tab to zoom) where you can enter the URL for CRLs:

Hi Marvin,

You are a life saver :) That's exactly what I was looking for.

So I have one CA server and 2 intermediate servers which are part of my certificate chain (Root < intermediate server 1/2 < Certificate). Those two intermediate servers are issuing servers which are running in load balancing mode.

My final question is, "doing this step for both of those issuing servers is enough or I should do that for Root CA as well?"

Thanks

The Admin Guide tells us "For each CA certificate that can sign a client certificate, specify how to do the revocation status check for that CA."

I interpret that to mean you would do that for each issuing server (and not the root CA).

Thanks a lot!

You made my day!

Hi All,

My question is related to CRL but a bit different.

We have deployed the EAP-TLS method for wireless user authentication. If the CRL server goes down, then ISE will not be able to download the CRL from it. In this case, as the latest CRL is not available on the ISE, will it still perform the authentication without any issues? Does any other impact happen?

Regards,

Suyog
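Both Marvin's point above (the revocation check is configured for each CA that can sign a client certificate, i.e. the issuing CAs) and Suyog's question about an unreachable CRL server come down to two things: which CRL is matched to a client certificate, and how long a downloaded CRL stays usable. The Go program below is an added example, not Cisco's or ISE's code and not from this thread: it uses only the standard library to build a constructed root / issuing CA / client certificate chain, signs CRLs from the issuing CAs, and checks a client certificate against the CRL of its own issuer, reporting a cached CRL whose NextUpdate has passed as stale. The names NewCert, NewCRL and CheckWithCRL and the four status strings are this example's own, and what ISE itself does in the stale case is not documented in this thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckWithCRL returns "good", "revoked", "crl-stale" (cached CRL is past NextUpdate, e.g. the CRL
// server is down and no fresh copy could be downloaded) or "no-crl" (nothing configured for the CA
// that issued the certificate). The lookup key is the issuer DN: the issuing CA's CRL is what matters.
func CheckWithCRL(leaf *x509.Certificate, crls map[string]*x509.RevocationList, now time.Time) string {
	crl, ok := crls[leaf.Issuer.String()]
	if !ok { return "no-crl" }
	if now.After(crl.NextUpdate) { return "crl-stale" }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}

// NewCert issues a constructed test certificate (hypothetical helper); a nil parent yields a self-signed root CA.
func NewCert(cn string, serial int64, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ku := x509.KeyUsageDigitalSignature
	// IsCA also makes Go add the SubjectKeyId that CreateRevocationList requires on the issuer.
	if isCA { ku |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, pk = tmpl, key }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCRL signs a CRL from ca listing the revoked serials, valid until nextUpdate (hypothetical helper).
func NewCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked []int64, nextUpdate time.Time) *x509.RevocationList {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nextUpdate.Add(-24 * time.Hour), NextUpdate: nextUpdate, RevokedCertificates: entries}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}
```

A CRL published by the root alone does not cover certificates signed by the two issuing CAs, which is the per-issuing-CA configuration the thread lands on; a CRL that could not be refreshed is reported once its NextUpdate passes rather than silently treated as current.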