Cisco Support Community
PIX ldap/crl problem

We are adding certificates to a Cisco Pix 515 with V6.2(2) of the Pix software; the CA we are using is SmartTrust v3.5.10 with WebRA (including the SmartTrust SCEP servlet). Enrollment of the certificate from the SCEP solution works fine, but the Pix can't retrieve the CRL.

The CRL is stored in a Netscape LDAP directory, and the CRL Distribution Point (in short CDP) in the certificate is set to point to the location in the LDAP directory.

We are using the same solution for a Cisco Router 17xx with Cisco IOS v12.2(8)T, which retrieves the CRL from the LDAP directly without problems (using the CDP).

The different LDAP CDPs we have tried are:

ldap://hostname:389/cn=XXX%20CA-02,%20o=Customer%20Networks?certificateRevocationlist?base?objectclass=eidCertificationAuthority

ldap://10.1.1.1:389/cn=XXX%20CA-02,%20o=Customer%20Networks?certificateRevocationlist?base?objectclass=eidCertificationAuthority

Our configuration is:

hostname xxx
domain-name yyy.dk
name 10.1.1.1 vpnca
ca generate rsa key 1024
ca identity vpncaid vpnca:/cgi-bin
ca configure vpncaid ra 1 20 crloptional
ca authenticate vpncaid
ca enrollment vpncaid abcdef
ca save all

The SCEP address (host:/cgi-bin) is because SmartTrust's implementation of the SCEP protocol is a Java servlet where SCEP is called as http://host/cgi-bin/pkiclient.exe, and since the SCEP protocol automatically adds the pkiclient.exe, it is not allowed to add this to the configuration (in the Pix, it would actually result in a call to http://host/cgi-bin//pkiclient.exe, which would not work!).

The above configuration works fine, but when we request the CRL the Pix will call the SCEP implementation for the CRL (and in our configuration this will not work, since our CRL will not be requested correctly, because of our configuration and the way the SmartTrust SCEP implementation works), so we would like the Pix to fetch the CRL directly from the LDAP directory.

We found that the "ca identity vpncaid" command has the possibility to add the IP address of the LDAP server, but as soon as we add an IP address here, the Pix doesn't request anything at all when we request the CRL (using the "ca crl request vpncaid" command) - we used the cool new sniffer in the Pix 6.2 and this didn't register any traffic at all, neither to the SCEP server nor to the LDAP directory. So my question is: can the Pix request the CRL directly from the LDAP directory, or does it have to use the SCEP server?
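The two CDPs in the question are LDAP URLs of the RFC 4516 form ldap://host:port/dn?attributes?scope?filter, and the first thing to establish when a device cannot fetch a CRL from such a CDP is whether the directory search the URL describes actually returns a DER blob. The following Python helper is an added example, not code from the original post, from Cisco or from SmartTrust: it splits a CDP URL into base DN, attribute, scope and filter, renders the equivalent OpenLDAP ldapsearch invocation so the search can be checked by hand, and sanity-checks a retrieved value as DER (a CRL is an outer SEQUENCE whose encoded length must cover the whole buffer, so an HTML error page or a PEM string is rejected). The sample CDP is the one from the post; the byte strings in the test are constructed.

```python
import shlex
from urllib.parse import urlsplit, unquote


def parse_ldap_cdp(url):
    """Break an LDAP CRL Distribution Point URL into search parameters.

    Form (RFC 4516): ldap://host[:port]/dn[?attrs[?scope[?filter]]]
    urlsplit() puts the DN in .path and everything after the first '?'
    in .query, so the remaining '?'-separated fields come from .query.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        raise ValueError("not an ldap:// URL: %r" % url)
    fields = parts.query.split("?") if parts.query else []
    attrs = unquote(fields[0]) if len(fields) > 0 else ""
    scope = fields[1].lower() if len(fields) > 1 and fields[1] else "base"
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    # RFC 4516 filters are RFC 4515 filters, which are parenthesised; many
    # CDPs (including the one in the post) omit the parentheses, and some
    # LDAP clients reject that, so normalise it here.
    if not filt.startswith("("):
        filt = "(" + filt + ")"
    return {
        "host": parts.hostname,
        "port": parts.port or 389,
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope,
        "filter": filt,
    }


def ldapsearch_command(p):
    """Render the OpenLDAP ldapsearch command that performs the same search,
    for checking from a workstation what the CDP asks the directory for.
    Note: the attribute is returned as LDIF base64 by ldapsearch; pass
    '-t' to write it to a temporary file if a raw DER copy is wanted."""
    cmd = ["ldapsearch", "-x", "-LLL",
           "-H", "ldap://%s:%d" % (p["host"], p["port"]),
           "-b", p["base_dn"], "-s", p["scope"], p["filter"]] + p["attributes"]
    return " ".join(shlex.quote(c) for c in cmd)


def looks_like_der(data):
    """True if `data` is a single DER SEQUENCE whose length field covers
    exactly the rest of the buffer, which is what a fetched CRL must be."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return len(data) == 2 + n + length


CDP = ("ldap://hostname:389/cn=XXX%20CA-02,%20o=Customer%20Networks"
       "?certificateRevocationlist?base?objectclass=eidCertificationAuthority")

if __name__ == "__main__":
    p = parse_ldap_cdp(CDP)
    print(p)
    print(ldapsearch_command(p))
```

If the ldapsearch line returns the attribute but the device still fetches nothing, the problem is on the client side (as the sniffer observation in the post suggests) rather than in the directory; if the search returns nothing, compare the base DN, scope and filter with what the directory actually holds, since an LDAP CDP requires an exact DN match.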

1 REPLY
Re: PIX ldap/crl problem

I don't see any way to configure this without SCEP.