Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CRL for PKI is not published

I've got simple lab for testing PKI:

198.0.0.1 - server

ip http server
ip http port 8080
ntp master 1

crypto key generate rsa general-keys label MAIN-CA modulus 1024 exportable

crypto pki server MAIN-CA
 database url nvram:
 issuer-name CN=MAIN-CA.lab.local L=BLG C=RU
 lifetime ca-certificate 365
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://198.0.0.1:8080/main-ca.cdp.main-ca.crl
 no shutdown

198.0.0.2 and 3 - clients (I want encrypted tunnel between them)

ntp server 198.0.0.1

crypto key generate rsa general-keys label CLIENT-CA modulus 1024

crypto ca trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto ca authenticate CLIENT-CA
crypto ca enroll CLIENT-CA

crypto isakmp policy 1
 encr aes
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile CRYPTO-PROFILE
set transform-set AES256-SHA

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 198.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTO-PROFILE

Then I do

crypto pki server MAIN-CA grant 1
crypto pki server MAIN-CA grant 2

And everything if fine when clients are like this:

crypto ca trustpoint CLIENT-CA
 revocation-check none

But when I do

 revocation-check crl

I got messages (debug crypto pki transactions):

Jul  1 14:33:40.280: CRYPTO_PKI: Trust-Point CLIENT-CA picked up
Jul  1 14:33:40.280: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul  1 14:33:40.280: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul  1 14:33:40.280: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul  1 14:33:40.468: CRYPTO_PKI: Found a issuer match
Jul  1 14:33:40.480: CRYPTO_PKI: Retreive CRL using HTTP URI
Jul  1 14:33:40.480: CRYPTO_PKI: status = 0: poll CRL
Jul  1 14:33:40.484: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul  1 14:33:40.484: CRYPTO_PKI: can not resolve server name/IP address
Jul  1 14:33:40.484: CRYPTO_PKI: Using unresolved IP Address 198.0.0.1
Jul  1 14:33:40.512: CRYPTO_PKI: http connection opened
Jul  1 14:33:40.516: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul  1 14:33:40.516: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul  1 14:33:40.584: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul  1 14:33:40.584: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 404 Not Found
Date: Tue, 01 Jul 2014 14:33:40 GMT
Server: cisco-IOS
Accept-Ranges: none

Jul  1 14:33:40.588: E ../cert-c/source/crlobj.c(384) : Error #705h
Jul  1 14:33:40.592: CRYPTO_PKI: status = 1797: failed to set crl ber
Jul  1 14:33:40.592: CRYPTO_PKI: transaction Unknown completed
Jul  1 14:33:40.592: CRYPTO_PKI: Poll CRL callback
Jul  1 14:33:40.592: CRYPTO_PKI:  Blocking chain verification callback received status: 105
Jul  1 14:33:40.596: CRYPTO_PKI: Certificate not validated
Jul  1 14:33:40.600: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 198.0.0.2       is bad: certificate invalid

So... what's wrong?

Everyone's tags (1)
9 REPLIES
VIP Green

Strange...are you running

Strange...are you running this in a lab with physical equipment or is this in a GNS3 virtual lab?  If it is a virtual lab then I suggest copying out your config and then rebuild your setup and see if that helps.

Other than that, your config looks fine.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Didn't help. It was GNS, then

Didn't help. It was GNS, then I copied it on physical devices and nothing changed. I'm still getting 404. Also I checked

show crypto pki crls

and I'm getting blank, and:

R2(config)#crypto pki crl request CLIENT-CA
Jul  3 17:09:50.059: %PKI-4-CRLHTTPFETCHFAIL: CRL Request for trustpoint "CLIENT-CA" returned 404 Not Found

It seems I'm doing something wrong...

 

VIP Green

do you get any output from

do you get any output from the following command on the CA server?

crypto pki server ese-ios-ca info crl

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

#crypto pki server MAIN-CA

#crypto pki server MAIN-CA info crl
Certificate Revocation List:
    Issuer: cn=MAIN-CA.lab.local L\=BLG C\=RU
    This Update: 06:17:02 UTC Jul 4 2014
    Next Update: 07:17:02 UTC Jul 4 2014
    Number of CRL entries: 0
    CRL size: 238 bytes

And when I revoked one of the granted certificates, I got:

#crypto pki server MAIN-CA info crl
Certificate Revocation List:
    Issuer: cn=MAIN-CA.lab.local L\=BLG C\=RU
    This Update: 06:23:41 UTC Jul 4 2014
    Next Update: 07:23:41 UTC Jul 4 2014
    Number of CRL entries: 1
    CRL size: 261 bytes
Revoked Certificates:
    Serial Number: 0x01
    Revocation Date: 06:23:41 UTC Jul 4 2014

So revokation list is fine. But noone can get it.

 

VIP Green

hmm...odd.I would need to lab

hmm...odd.

I would need to lab your setup to see what results I get.  Will try to do that tonight.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Ok, found it. Kind of typo.

Ok, found it. Kind of typo. Don't remember where I get it but this part of client's config wrong:

crypto ca trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto ca authenticate CLIENT-CA
crypto ca enroll CLIENT-CA

it should be like this:

crypto pki trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto pki authenticate CLIENT-CA
crypto pki enroll CLIENT-CA

 

Anyway, thanks for helping.

VIP Green

Nice! glad you got it sorted

Nice! glad you got it sorted smiley

--

Please remember to rate and select a correct answer
New Member

Nope. That wasn't the cause

Nope. That wasn't the cause.

Now it works in both variants - with "crypto pki" and "crypto ca". Don't know why. It... just started to work. I did the same steps and get HTTP 200 OK.

So... I'll post if I find out something new.

New Member

I've finally got the exact

I've finally got the exact steps for my error to appear. All configs are the same. So I'm creating pki server and trustpoint on client. Then I authenticate and enroll. At this moment I can see client's request on server:

#crypto pki server MAIN-CA info requests

Enrollment Request Database:
Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      pending    4B8AF9BDD3E6D3ED59AED4CF0C8100CB hostname=client.lab.local

And also at this moment I can successfully request CRL on client:

#crypto pki crl request CLIENT-CA

Then I do

#crypto pki server MAIN-CA grant 1

I still can request CRL. But when I get this debug on client (debug crypto pki transactions), I'm start getting 404 errors:

Jul 11 18:54:00.933: CRYPTO_PKI: resend GetCertInitial, 2
Jul 11 18:54:00.933: CRYPTO_PKI: All sockets are closed for trustpoint CLIENT-CA.
Jul 11 18:54:00.933: CRYPTO_PKI: resend GetCertInitial for session: 0
Jul 11 18:54:00.937: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 11 18:54:00.937: CRYPTO_PKI: can not resolve server name/IP address
Jul 11 18:54:00.937: CRYPTO_PKI: Using unresolved IP Address 198.0.0.1
Jul 11 18:54:00.997: CRYPTO_PKI: http connection opened
Jul 11 18:54:02.001: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 11 18:54:02.081: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 11 18:54:02.273: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 11 18:54:02.273: CRYPTO_PKI:  received msg of 1680 bytes
Jul 11 18:54:02.277: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Date: Fri, 11 Jul 2014 18:54:02 GMT
Server: cisco-IOS
Content-Type: application/x-pki-message
Expires: Fri, 11 Jul 2014 18:54:02 GMT
Last-Modified: Fri, 11 Jul 2014 18:54:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

Jul 11 18:54:02.337: The PKCS #7 message has 1 verified signers.
Jul 11 18:54:02.337: signing cert: issuer=cn=MAIN-CA.lab.local L\=BLG C\=RU1
Jul 11 18:54:02.337: Signed Attributes:

Jul 11 18:54:02.337: CRYPTO_PKI: status = 100: certificate is granted
Jul 11 18:54:02.389: The PKCS #7 message contains 1 certs and 0 crls.
Jul 11 18:54:02.401: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.401: Newly-issued Router Cert: issuer=cn=MAIN-CA.lab.local L\=BLG C\=RU serial=2
Jul 11 18:54:02.401: start  date: 18:53:42 UTC Jul 11 2014
Jul 11 18:54:02.401: end    date: 18:50:24 UTC Jul 11 2015
Jul 11 18:54:02.401: Router date: 18:54:02 UTC Jul 11 2014
Jul 11 18:54:02.401: Received router cert from CA
Jul 11 18:54:02.401: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.409: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: %PKI-6-CERTRET: Certificate received from Certificate Authority
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.

So as soon as the enrollment is complete and certificate if recieved I can no longer request CRL.

 

And I'm still need help with this.

862
Views
0
Helpful
9
Replies
CreatePlease login to create content