New Member

Does Cisco ISE 2.0 Support CRL ?

Dear support,

I want to configure Certificate Revocation List (CRL) on Cisco ISE version 2.0 but I cannot find the configuration section for CRL, however the OCSP configuration section is there.

I've done some research and I found that configuring CRL was supported (at least on version 1.2), but on version 2.0 there is not any documentation about this (at least I couldn't find any). On this version "OCSP Client Profile" is the only section that can be found (under Administration > System > Certificates).

So the question is whether CRL is supported or OCSP is the only way on this version? If yes, how?

Thanks

6 REPLIES
Hall of Fame Super Silver

Moved this thread to the correct forum for better engagement with and visibility to the community.

Do you want ISE to publish a CRL when acting as a CA or do you want it to use CRL(s) from external CA(s)?

The first is not a supported feature.

The second is configurable per CA. Look under Administration > System > Certificates > Certificate Management > Certificate Periodic Check Settings. (per the ISE 2.2 Admin Guide)

New Member

Hi Marvin,

Thanks for your reply.

Yes, I want to use CRL(s) from external CA(s). That section where you are pointing to is for checking the downloaded CRL(s) ("Cisco ISE checks the Certificate Revocation Lists (CRL) periodically. Using this page, you can configure Cisco ISE to check ongoing sessions against CRLs that are downloaded automatically").

But my problem is that I don't know where I can configure the CRL provider(s). In other words, where can I tell ISE "check this URL, which is the CRL provider/server's URL, and download the latest CRL"?

I have an option which is "OCSP Client Profile" and I can set up OCSP provider(s) in there. But what about CRL?

I've attached a screenshot of the options I have under Administration > System > Certificates.

Hall of Fame Super Silver (Accepted Solution)

Ah OK. You configure what you are asking about under the Administration > System > Certificates > Trusted Certificates section.

Edit the CA for whom you wish to retrieve their CRL and you will see the section below (open in new tab to zoom) where you can enter the URL for CRLs:

New Member

Hi Marvin,

You are a life saver :) That's exactly what I was looking for.

So I have one CA server and 2 intermediate servers which are part of my certificate chain (Root < intermediate server 1/2 < Certificate). Those two intermediate servers are issuing servers that are running in load-balancing mode.

My final question is, "is doing this step for both of those issuing servers enough, or should I do that for the Root CA as well?"

Thanks

Hall of Fame Super Silver

The Admin Guide tells us "For each CA certificate that can sign a client certificate, specify how to do the revocation status check for that CA."

I interpret that to mean you would do that for each issuing server (and not the root CA).
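As an added illustration of that reading (example code, not from this thread or from Cisco), the script below uses the Python `cryptography` library to build a constructed Root CA > Issuing CA 1 > client01 chain and then looks the client certificate up in a CRL keyed by the certificate's issuer: the root's CRL cannot speak for a certificate the issuing CA signed, so with only the root CRL configured the status stays unknown. All names, serials and dates are made up for the demo.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer, issuer_key, key, is_ca, serial):
    """Constructed test certificate; pass issuer=None for the self-signed root."""
    return (x509.CertificateBuilder()
            .subject_name(name(cn))
            .issuer_name(name(cn) if issuer is None else issuer)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(ca_cert, ca_key, revoked_serials):
    """CRL signed by one CA: it only lists certificates that this CA issued."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + 7 * DAY))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def revocation_status(cert, crls_by_issuer):
    """Look cert up in the CRL of the CA named in its issuer field. "unknown" means no
    CRL is configured for that issuer (a trusted-CA entry with no revocation check)."""
    crl = crls_by_issuer.get(cert.issuer)
    if crl is None:
        return "unknown"
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if hit is not None else "good"

def build_demo():
    """Constructed chain Root -> Issuing CA 1 -> client01; client01 revoked by its issuer."""
    root_key, iss_key, cli_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Demo Root CA", None, root_key, root_key, True, 1)
    issuing = make_cert("Demo Issuing CA 1", root.subject, root_key, iss_key, True, 2)
    client = make_cert("client01", issuing.subject, iss_key, cli_key, False, 1000)
    root_crl = make_crl(root, root_key, [])        # the root never issued client01
    issuing_crl = make_crl(issuing, iss_key, [client.serial_number])
    return client, issuing, root_crl, issuing_crl
```

With only the root CRL supplied, `revocation_status(client, ...)` returns "unknown"; with the issuing CA's CRL it returns "revoked", which is why each issuing CA's trusted-certificate entry needs its own CRL URL.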

New Member

Thanks a lot!

You made my day!
