CVPN3005 Support for CRL on Microsoft CA Server

I've tried to get my PIX to look at a CRL on my MS CA Server and apparently it's not a feature that works on the PIX 515 v6.2(2).

Does this work on the CVPN3005? I have a Standalone CA and an Enterprise CA in my MS AD Network. I'd like to be able to have my Clients obtain a Cert from the Enterprise CA Server and use the Cisco Client to get in to the 3005. I also want to be able to revoke the Cert and make it so the Client no longer has access.

We have not been able to get this to work at all with the PIX and MS CA Server.

Before I go out and spend the money on the 3005 I'd like to make sure someone else out there is doing this....

Thanks,

Scott<-

  • Other Security Subjects
12 REPLIES
Cisco Employee

Re: CVPN3005 Support for CRL on Microsoft CA Server

Hi Scott,

Looking through your questions, the following are the URLs: http://www.cisco.com/warp/customer/471/crl_ldap_5404.html

http://www.cisco.com/warp/customer/471/crl-http-vpn3k.html

for a detailed note of how CRLs work with the CVPN3000, and I have personally gotten these to work using these URLs.

As for the PIX firewall, I would suggest opening up a case with the TAC and working with them to reproduce the issue and file a bug on it in case it doesn't work for you.

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-

New Member

Re: CVPN3005 Support for CRL on Microsoft CA Server

Thanks for the reply....

I'll give the URLs a look-see. I do have a few cases open with the TAC and we don't seem to be getting anywhere. )-;

Thanks,

Scott<-

New Member

Re: CVPN3005 Support for CRL on Microsoft CA Server

I've tested this several times; it works just fine as long as you have AD installed or are pointing to an AD server.

One of the problems you might run into if you are just setting this up is that Microsoft's CRL is valid for a week by default. So if you are deleting certificates, that CRL list will be updated, but it won't be published until the old CRL list expires. So when you try testing this after deleting your certificate you find that you can still connect just fine. You would think that this should be automatic on the Microsoft CA server but it's not.

You can change the default or you can manually publish the new CRL list, which as far as the PIX is concerned it thinks is the most current. But until you do, the PIX will continue to download the old CRL even when manually requesting it on the PIX. To publish it, under your CA server, right click on your revoked certificates to publish a new one; you can also go into its properties to change the default from one week to a new value.

Kurtis Durrett
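The revocation latency Kurtis describes above can be modelled in a few lines. The following is an added example, not Cisco or Microsoft code: a toy CA that only puts a revocation into the next *published* CRL, and a VPN peer that keeps a downloaded CRL until its nextUpdate passes. The serial number, timestamps and one-week validity are constructed values.

```python
"""Model of CRL caching between a CA and a VPN peer (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


@dataclass
class CAServer:
    """A revocation becomes visible only when a CRL is published."""
    crl_validity: timedelta = timedelta(days=7)   # Microsoft default per the thread
    revoked: set = field(default_factory=set)
    published: Optional[CRL] = None

    def publish_crl(self, now: datetime) -> CRL:
        self.published = CRL(now, now + self.crl_validity, frozenset(self.revoked))
        return self.published

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)           # note: does NOT publish a new CRL

    def download_crl(self, now: datetime) -> CRL:
        # The CA republishes automatically only once the current CRL has expired.
        if self.published is None or now >= self.published.next_update:
            self.publish_crl(now)
        return self.published


@dataclass
class VpnPeer:
    """Caches the CRL and refetches only on expiry or an explicit request."""
    cached: Optional[CRL] = None

    def is_revoked(self, ca: CAServer, serial: int, now: datetime,
                   force_refresh: bool = False) -> bool:
        if force_refresh or self.cached is None or now >= self.cached.next_update:
            self.cached = ca.download_crl(now)
        return serial in self.cached.revoked_serials


def simulate() -> dict:
    """Walk through the scenario from the thread; returns each check's result."""
    t0 = datetime(2024, 1, 1, 9, 0)      # constructed timestamps
    serial = 0x1A2B                        # constructed serial number
    results = {}

    # Scenario A: revoke, but never publish manually.
    ca, peer = CAServer(), VpnPeer()
    ca.publish_crl(t0)
    results["before_revoke"] = peer.is_revoked(ca, serial, t0)
    ca.revoke(serial)
    t1 = t0 + timedelta(days=1)
    results["after_revoke_cached"] = peer.is_revoked(ca, serial, t1)
    # Manually asking the peer to refetch does not help: the CA still serves the old CRL.
    results["after_revoke_forced_refresh"] = peer.is_revoked(ca, serial, t1, force_refresh=True)
    # Only once the week is up does the cache expire and the CA publish a fresh CRL.
    t7 = t0 + timedelta(days=7)
    results["after_cache_expiry"] = peer.is_revoked(ca, serial, t7)

    # Scenario B: revoke, publish manually, then refetch on the peer.
    ca2, peer2 = CAServer(), VpnPeer()
    ca2.publish_crl(t0)
    peer2.is_revoked(ca2, serial, t0)      # prime the cache
    ca2.revoke(serial)
    ca2.publish_crl(t1)
    results["after_manual_publish_no_refresh"] = peer2.is_revoked(ca2, serial, t1)
    results["after_manual_publish_and_refresh"] = peer2.is_revoked(ca2, serial, t1, force_refresh=True)
    return results


if __name__ == "__main__":
    for name, revoked in simulate().items():
        print(f"{name:36s} revoked={revoked}")
```

The point the model makes: both sides have to move. The CA must publish a CRL that contains the revocation, and the peer must fetch that CRL instead of its cached copy. Shortening the CRL validity period shrinks the window but never closes it.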

New Member

Re: CVPN3005 Support for CRL on Microsoft CA Server

Well then maybe I'm doing something wrong on the PIX.

The TAC Engr said that they haven't tested the PIX with a MS CA Enterprise Mode Server, just the Standalone CA Server. In the Standalone setup there is no AD to point to. Maybe that's my problem?

When I do the Enrollment on the PIX I get the following debug. It's not specific about the Warning if it has an issue with the Cert, Private Key or the CRL, just that there is an issue.

Is this normal? How do you specify the location/server for the CRL as opposed to the CA?? I don't see where they can be different (on the PIX).

Thanks,

Scott<-

harlie(config)# ca enroll enmvpn cisco1

%

% Start certificate enrollment ..

% The subject name in the certificate will be: charlie.haydon-mill.com

CI thread sleeps!

Crypto CA thread wakes up!

% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

charlie(config)#

CI thread wakes up!

CRYPTO_PKI: transaction PKCSReq completed

CRYPTO_PKI: status:

Crypto CA thread sleeps!

PKI: key process suspended and continued

CRYPTO_PKI: http connection opened

CRYPTO_PKI: received msg of 2548 bytes

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

CRYPTO_PKI: signed attr: pki-message-type:

13 01 33

CRYPTO_PKI: signed attr: pki-status:

13 01 30

CRYPTO_PKI: signed attr: pki-recipient-nonce:

04 10 80 56 b9 20 ef 52 29 a3 4e 61 e7 fa a7 ef 9f f1

CRYPTO_PKI: signed attr: pki-transaction-id:

13 20 37 31 31 36 35 35 65 64 39 66 34 37 39 62 38 61 31 65

65 32 64 32 36 65 30 37 66 39 63 34 33 64

CRYPTO_PKI: status = 100: certificate is granted

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

CRYPTO_PKI: All enrollment requests completed.

CRYPTO_PKI: All enrollment requests completed.

New Member

Re: CVPN3005 Support for CRL on Microsoft CA Server

The location of the CRL list will be determined by the CA server when you set it up. If you install AD on the CA server, which you should install first before the CA, then it points to itself. Otherwise, you are prompted when setting it up to change the path. Then when you get your certificate from the server on the PIX, the CRL location will be listed as part of the certificate itself. So there is no additional configuration on the PIX you need to do; it's all on the server and when you set it up. In IOS, you can actually specify a different location for the LDAP server query, just not available in the PIX.

Kurtis Durrett

New Member

Re: CVPN3005 Support for CRL on Microsoft CA Server

The Lines of code on the PIX are as follows:

ca identity myvpn 10.1.0.249:/certsrv/mscep/mscep.dll

ca configure myvpn ra 1 20

The CRL from the Cert on the Server is as follows:

[1]CRL Distribution Point

Distribution Point Name:

Full Name:

URL=ldap:///CN=myvpn,CN=bugsbunny,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDC,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

[2]CRL Distribution Point

Distribution Point Name:

Full Name:

URL=http://bugsbunny.MyDC.com/CertEnroll/myvpn.crl

Where Bugsbunny.mydc.com is reachable from the PIX and is the same address as the MS Standalone CA 10.1.0.249.

If I go to the URL listed above, the CRL is there. When I revoked the Cert I did Publish the new CRL.

What about the Warning when I did the Enroll?

Thank you for your help!!!!

Scott<-
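The two CRL Distribution Points quoted above are the two forms a Microsoft CA typically writes into a certificate: an LDAP URL with no host part (the client has to already know a directory server to send the query to) and a plain HTTP URL. The following is an added example, not Cisco or Microsoft code, that parses both forms (RFC 4516 layout for the LDAP one: dn?attributes?scope?filter) and picks the first one a client with a given set of supported schemes could actually fetch. The input list reuses the two URLs from the post; everything else is constructed.

```python
"""Parse X.509 CRL Distribution Point URLs (constructed example, not Cisco code)."""
from urllib.parse import unquote, urlsplit

# The two CDP URLs quoted from the certificate in the post above.
CDP_URLS = [
    "ldap:///CN=myvpn,CN=bugsbunny,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
    "CN=Configuration,DC=MyDC,DC=com?certificateRevocationList?base"
    "?objectclass=cRLDistributionPoint",
    "http://bugsbunny.MyDC.com/CertEnroll/myvpn.crl",
]


def parse_cdp(url: str) -> dict:
    """Split a CDP URL into the fields a CRL fetcher needs."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError(f"not a URL: {url!r}")
    scheme = scheme.lower()

    if scheme in ("http", "https"):
        parts = urlsplit(url)
        return {"scheme": scheme, "host": (parts.hostname or "").lower() or None,
                "path": parts.path}

    if scheme == "ldap":
        # RFC 4516: ldap://[host[:port]]/dn[?attrs[?scope[?filter]]]
        hostport, _, tail = rest.partition("/")
        fields = tail.split("?")
        dn = unquote(fields[0])
        attrs = [a for a in fields[1].split(",") if a] if len(fields) > 1 else []
        scope = (fields[2] or "base") if len(fields) > 2 else "base"
        ldap_filter = (unquote(fields[3]) if len(fields) > 3 and fields[3]
                       else "(objectClass=*)")
        return {"scheme": scheme, "host": hostport.lower() or None, "dn": dn,
                "attributes": attrs, "scope": scope, "filter": ldap_filter}

    raise ValueError(f"unsupported CDP scheme: {scheme}")


def select_cdp(urls, supported_schemes=("http",)):
    """Return the first CDP the client can use, or None.

    A CDP is usable when its scheme is supported and, for LDAP, when the URL
    names a host; an ldap:/// URL with an empty host part is only usable by a
    client that has a directory server configured out of band.
    """
    for url in urls:
        cdp = parse_cdp(url)
        if cdp["scheme"] not in supported_schemes:
            continue
        if cdp["scheme"] == "ldap" and cdp["host"] is None:
            continue
        return cdp
    return None


if __name__ == "__main__":
    for u in CDP_URLS:
        print(parse_cdp(u))
    print("HTTP-only client would use:", select_cdp(CDP_URLS))
    print("LDAP-only client would use:", select_cdp(CDP_URLS, ("ldap",)))
```

Running it shows why the empty-host LDAP form matters: an LDAP-only client finds no usable CDP in this certificate unless it is separately told which directory server to query, whereas the HTTP form carries its host (bugsbunny.MyDC.com) in the URL.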

New Member

Re: CVPN3005 Support for CRL on Microsoft CA Server

Can you do a "show ca crl" to see if you have a CRL? The warning is normal; I've never seen it without it, the certificate, private key or CRL warning. Even with it mine is still working. You do have Active Directory installed, right?

Kurtis Durrett

New Member

Re: CVPN3005 Support for CRL on Microsoft CA Server

Yes I do have AD installed, though since the CA Server is setup as Standalone, what does it matter?

I'm at home and am having some issues connecting to the PIX to get the sh ca crl info. The console port is not letting me in and neither is telnet, though I know it's working because I'm PPTP'd into it now. Hmmm...

Thanks,

Scott<-

New Member

Re: CVPN3005 Support for CRL on Microsoft CA Server

This will work with a standalone or enterprise. The only difference in setup is that in order to set up enterprise, Active Directory must be installed to get the option to use Enterprise. With standalone, it's not required. Did you install AD after installing the standalone?

Correction: you can point it to a different LDAP server on the PIX; it's part of the ca ident command.

But this won't affect you as it's the same as your CA server, so you don't need to point it there. Hope you can get those access issues worked out.

Kurtis
