Cisco Support Community
Community Member

Obtaining Windows 2000 CRL on a router

I'm configuring a number of devices with site-to-site VPNs, using Microsoft Windows 2000 Certificate Services to provide the certificates.

I have got the connections up and running successfully; however, when downloading the CRL I find that it does not contain the revoked certificates - hence the VPNs stay active.

Has anyone experienced similar problems, or have any suggestions as to a solution?

Many thanks, Matt


Re: Obtaining Windows 2000 CRL on a router

Community Member

The default time period for a CRL list on Microsoft servers is one week. So unless you publish a new CRL list from the server, you will continue to get the old CRL list until the server automatically publishes a new CRL list. There is nothing on IOS that you can do about that, as it's a server configuration. On your revoked section, right-click and publish a new CRL list. The router will then get the updated CRL list on the next cert connection. You might have to do a crypto ca crl request on the router to get that pulled down. But as the above link stated, make sure you're running 12.2.8T or above.

Kurtis Durrett
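
The staleness window described in the reply above, as an added example that is not part of the original thread and is not Cisco or Microsoft code: a small Python model of a CA that signs a CRL snapshot weekly and a router that caches it. It assumes the router reuses its cached CRL until nextUpdate; all class and function names, dates and the serial are hypothetical or constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset

@dataclass
class Ca:
    """CA whose CRL is a signed snapshot taken only when publish() runs."""
    period: timedelta = timedelta(weeks=1)   # one-week default from the reply
    revoked: set = field(default_factory=set)
    published: Crl = None

    def revoke(self, serial):
        self.revoked.add(serial)             # CA database only, not yet in any CRL
    def publish(self, now):
        self.published = Crl(now, now + self.period, frozenset(self.revoked))

@dataclass
class Router:
    """Relying party; assumption: the cached CRL is reused until nextUpdate."""
    ca: Ca
    cached: Crl = None

    def crl_request(self):                   # stands in for a manual CRL request
        self.cached = self.ca.published
    def accepts(self, serial, now):
        if self.cached is None or now >= self.cached.next_update:
            self.crl_request()               # automatic fetch on expiry only
        return serial not in self.cached.revoked

def first_rejection_day(manual_publish_day=None, manual_request=False):
    # Returns the first day the router rejects a peer revoked on day 1.
    t0, day = datetime(2002, 1, 7), timedelta(days=1)    # constructed dates
    ca = Ca()
    ca.publish(t0)
    router, peer = Router(ca), 0x1A2B                    # constructed serial
    for d in range(15):
        now = t0 + d * day
        if d == 1:
            ca.revoke(peer)
        if d == manual_publish_day or now >= ca.published.next_update:
            ca.publish(now)                  # manual or scheduled publication
        if d == manual_publish_day and manual_request:
            router.crl_request()
        if not router.accepts(peer, now):
            return d
    return None
```

Under these assumptions the revoked peer is rejected on day 7 with no manual action, still on day 7 if the CA republishes on day 2 but the router keeps its cache, and on day 2 only when the republish is paired with a CRL request on the router.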
