
New Member

Configuring crl when using certificates for vpn connection

Dear all,

I have established a successful Hub&Spoke DMVPN connection between routers, but I'm not using a pre-shared key; I'm using certificates that I could enroll from a CA server where I installed MSCEP.

My configuration worked when I had put

"revocation-check none"

Now I need to use the CRL; can anyone advise on that, please?

crypto pki trustpoint CASrv1
 enrollment mode ra
 enrollment url http://192.168.1.11:80/certsrv/mscep/mscep.dll
 serial-number
 revocation-check none

3 REPLIES

Re: Configuring crl when using certificates for vpn connection

You need to check that your CA server has CRL publishing enabled. If the hub is unable to contact the CRL server and download the list, it will not accept the connection. To test, you can set the revocation check to optional while troubleshooting why your CRL is not coming down.

As for configuration, you need to make sure that your CRL link is reachable via your selected protocol. For example, your CA server, when giving you your certificate, also gives you your CDP distribution point; usually that URL contains the hostname of your CA server, and if this server is not found by name resolution then your router will not be able to find it.
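The steps in the reply above (make the CDP hostname resolvable, move from "none" to a CRL check with a fallback while troubleshooting, then verify the download) as one IOS configuration. This is an added example, not configuration from the thread: the trustpoint name CASrv1 and the enrollment URL are taken from the original post, while the DNS server address, the CA hostname and the CRL file path are placeholders for whatever the CA actually wrote into the certificate's CRL distribution point.

```cisco
! Added example (not from the thread). CASrv1 and the enrollment URL come
! from the original post; 192.168.1.10, casrv1.example.local and the CRL
! path are placeholders for the values your own CA and certificate carry.
!
! 1. Make the CDP hostname resolvable. A certificate issued by a Microsoft
!    CA normally carries the CA's hostname in its CDP, so either point the
!    router at a DNS server that knows that name or pin it with a host entry.
ip domain lookup
ip name-server 192.168.1.10
ip host casrv1.example.local 192.168.1.11
!
! 2. Turn CRL checking on for the trustpoint. While the download is still
!    being debugged, "revocation-check crl none" tries the CRL first and
!    only falls back to accepting the peer when the CRL cannot be fetched;
!    once "show crypto pki crls" shows a cached CRL, tighten this to
!    "revocation-check crl" so an unreachable CDP again fails closed.
crypto pki trustpoint CASrv1
 enrollment mode ra
 enrollment url http://192.168.1.11:80/certsrv/mscep/mscep.dll
 serial-number
 revocation-check crl none
!
! 3. Verify from exec mode: read the CDP the CA put in the certificate,
!    force a CRL download, then confirm the CRL is cached with a NextUpdate
!    in the future. The debug shows the HTTP fetch and any DNS failure.
! show crypto pki certificates CASrv1
! crypto pki crl request CASrv1
! show crypto pki crls
! debug crypto pki transactions
```

Leaving "revocation-check crl none" in place permanently defeats the purpose of the CRL, because a peer whose certificate was revoked is still accepted whenever the CDP happens to be unreachable; it is a troubleshooting setting, not a final one.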

New Member

Re: Configuring crl when using certificates for vpn connection

"As a configuration, you need to make sure that your CRL link is reachable via your selected protocol"

How can I know the URL of the CRL link, since it arrives with the certificate as I understood?

And do I have any added configuration on my router, other than changing the revocation-list value?

Re: Configuring crl when using certificates for vpn connection

You can modify the value with the cdp-url configuration under the CRL mode of your router.
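The cdp-url command mentioned in the reply above is set on the CA itself (it is a crypto pki server subcommand on an IOS CA; on a Microsoft CA the published CDP is set in the CA's extension settings). When the CDP embedded in the peer's certificate cannot be changed or resolved, the router that validates the peer can instead be told where to fetch the CRL from with a certificate map on the trustpoint. This is an added example, not configuration from the thread: CASrv1 is the thread's trustpoint, and the map name, the issuer substring and the override URL are placeholders.

```cisco
! Added example (not from the thread). CASrv1 is the thread's trustpoint;
! CASRV1-ISSUER, the issuer substring and the override URL are placeholders.
!
! Match any certificate whose issuer name contains the CA's common name
! ("co" = contains, matched case-insensitively).
crypto pki certificate map CASRV1-ISSUER 10
 issuer-name co casrv1
!
! For certificates that match the map, ignore the CDP embedded in the
! certificate and fetch the CRL from an address the router can reach,
! here the CA's IP address instead of a hostname the router cannot resolve.
! CRL checking stays mandatory: no "none" fallback.
crypto pki trustpoint CASrv1
 match certificate CASRV1-ISSUER override cdp url http://192.168.1.11/CertEnroll/CASrv1.crl
 revocation-check crl
!
! Confirm the override is in use: the cached CRL's distribution point
! should now show the overridden URL rather than the one in the certificate.
! crypto pki crl request CASrv1
! show crypto pki crls
```

The override only changes where the CRL is fetched from; the CRL is still signed by the CA and validated against the trustpoint's CA certificate, so pointing the router at an IP address does not weaken the check as long as the CA certificate itself was enrolled over a trusted path.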
