This document describes how to enable certificate revocation list (CRL)
checking for certification authority (CA) certificates installed in the Cisco
VPN 3000 Concentrator using HTTP mode.
A certificate is normally expected to be valid for its entire validity
period. However, if a certificate becomes invalid due to such things as a name
change, change of association between the subject and the CA, and security
compromise, the CA revokes the certificate. Under X.509, CAs revoke
certificates by periodically issuing a signed CRL, where each revoked
certificate is identified by its serial number. Enabling CRL checking means
that every time the VPN Concentrator uses the certificate for authentication,
it also checks the CRL to ensure that the certificate being verified has not
CAs use Lightweight Directory Access Protocol (LDAP)/HTTP databases to
store and distribute CRLs. They might also use other means, but the VPN
Concentrator relies on LDAP/HTTP access.
HTTP CRL checking is introduced in VPN Concentrator version 3.6 or
later. However, LDAP-based CRL checking was introduced in the earlier 3.x
releases. This document only discusses CRL checking using HTTP.
Note: The CRL cache size of VPN 3000 Series Concentrators depends on the
platform and it cannot be configured according to the wish of the
Ensure that you meet these requirements before you attempt this
You have successfully established the IPsec tunnel from the VPN 3.x
Hardware Clients using certificates for Internet Key Exchange (IKE)
authentication (with no CRL checking enabled).
Your VPN Concentrator has connectivity to the CA server at all
If your CA server is connected out to the public interface, then you
have opened necessary rules in the public (default) filter.
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the Cisco Technical Tips
Conventions for more information on document conventions.
This document uses this network setup:
Complete these steps to configure the VPN 3000 Concentrator:
Select Administration > Certificate
Management to request a certificate if you do not have a
Select Click here to install a certificate to
install the root certificate on the VPN Concentrator.
Select Install CA certificate.
Select SCEP (Simple Certificate Enrollment
Protocol) to retrieve the CA certificates.
From the SCEP window, enter the complete URL of the CA server in
the URL dialog box.
In this example, the CA server's IP address is 172.18.124.96. Since
this example uses Microsoft's CA server, the complete URL is
http://172.18.124.96/certsrv/mscep/mscep.dll. Next, enter a one-word descriptor
in the CA Descriptor dialog box. This example uses
Your CA certificate should appear under the Administration >
Certificate Management window. If you do not see a certificate, go back to Step
1 and follow the procedure again.
Once you have the CA certificate, select
Administration > Certificate Management
> Enroll, and click Identity
Click Enroll via SCEP at ... to apply for the
Complete these steps to fill out the Enrollment form:
Enter the common name for the VPN Concentrator to be used in the
public-key infrastructure (PKI) in the Common Name (CN)
Enter your department in the Organizational Unit (OU) field. The
OU should match the configured IPsec group name.
Enter your organization or company in the Organization (O)
Enter your city or town in the Locality (L)
Enter your state or province in the State/Province (SP)
Enter your country in the Country (C) field.
Enter the Fully Qualified Domain Name (FQDN) for the VPN
Concentrator to be used in the PKI in the Fully Qualified Domain Name (FQDN)
Enter the email address for the VPN Concentrator to be used in
the PKI in the Subject Alternative Name (email Address)
Enter the challenge password for the certificate request in the
Challenge Password field.
Re-enter the challenge password in the Verify Challenge Password
Select the key size for the generated RSA key pair from the Key
Size drop-down list.
Select Enroll and view the SCEP status in the
Go to your CA server to approve the identity certificate. Once it
is approved on the CA server, your SCEP status should be
Under Certificate Management, you should see your Identity
If you do not, check the logs on your CA server for more
Select View on your received certificate to see if
your certificate has a CRL Distribution Point (CDP).
CDP lists all CRL distribution points from the issuer of this
certificate. If you have CDP on your certificate, and you use a DNS name to
send a query to the CA server, make sure that you have DNS servers defined in
your VPN Concentrator to resolve the hostname with an IP address. In this case,
the example CA server's host name is jazib-pc which resolves to an IP address
of 172.18.124.96 on the DNS server.
Click Configure on your CA certificate to enable
CRL checking on the received certificates.
If you have CDP on your received certificate and you would like to
use it, then select Use CRL distribution points from the certificate
Since the system has to retrieve and examine the CRL from a network
distribution point, enabling CRL checking might slow system response times.
Also, if the network is slow or congested, CRL checking might fail. Enable CRL
caching to mitigate these potential problems. This stores the retrieved CRLs in
local volatile memory and therefore allows the VPN Concentrator to verify the
revocation status of certificates more quickly.
With CRL caching enabled, the VPN Concentrator first checks whether
the required CRL exists in the cache and checks the serial number of the
certificate against the list of serial numbers in the CRL when it needs to
check the revocation status of a certificate. The certificate is considered
revoked if its serial number is found. The VPN Concentrator retrieves a CRL
from an external server either when it does not find the required CRL in the
cache, when the validity period of the cached CRL has expired, or when the
configured refresh time has elapsed. When the VPN Concentrator receives a new
CRL from an external server, it updates the cache with the new CRL. The cache
can contain up to 64 CRLs.
Note: The CRL cache exists in memory. Therefore, rebooting the VPN
Concentrator clears the CRL cache. The VPN Concentrator repopulates the CRL
cache with updated CRLs as it processes new peer authentication requests.
If you select Use static CRL distribution points,
then you can use up to five static CRL distribution points, as specified on
this window. If you choose this option, you must enter at least one URL.
You can also select Use CRL distribution points from the
certificate being checked, or select Use static CRL
distribution points. If the VPN Concentrator cannot find five CRL
distribution points in the certificate, it adds static CRL distribution points,
up to a limit of five. If you choose this option, enable at least one CRL
Distribution Point Protocol. You also must enter at least one (and no more than
five) static CRL distribution points.
Select No CRL Checking if you want to disable CRL
Under CRL Caching, select the Enabled box to allow
the VPN Concentrator to cache retrieved CRLs. The default is not to enable CRL
caching. When you disable CRL caching (unselect the box), the CRL cache is
If you configured a CRL retrieval policy that uses CRL distribution
points from the certificate being checked, choose a distribution point protocol
to use to retrieve the CRL. Choose HTTP in this case to
retrieve the CRL. Assign HTTP rules to the public interface filter if your CA
server is towards the public interface.
Select Administration > Certificate
Management and click on View All CRL caches to see if
your VPN Concentrator has cached any CRLs from the CA server.
This section provides information you can use to confirm your
configuration works properly.
Enable these events on the VPN Concentrator in order to make sure that
CRL checking works.
Select Configuration > System
> Events > Classes to set the logging
Under Class Name select either IKE,
IKEDBG, IPSEC, IPSECDBG, or
Click either Add or Modify, and
choose Severity to Log option 1-13.
Click Apply if you want to modify, or
Add if you want to add a new entry.
If your CRL checking is successful, these messages are seen in
Filterable Event Logs.
1315 08/15/2002 13:11:23.520 SEV=7 CERT/117 RPT=1
The requested CRL was found in cache.
The CRL Distribution point is: http://jazib-pc/CertEnroll/jazib-ca-ra.crl
1317 08/15/2002 13:11:23.520 SEV=8 CERT/46 RPT=1
CERT_CheckCrl(62f56e8, 0, 0)
1318 08/15/2002 13:11:23.520 SEV=7 CERT/2 RPT=1
Certificate has not been revoked: session = 2
1319 08/15/2002 13:11:23.530 SEV=8 CERT/50 RPT=1
CERT_Callback(62f56e8, 0, 0)
1320 08/15/2002 13:11:23.530 SEV=5 IKE/79 RPT=2 220.127.116.11
Validation of certificate successful
Concentrator Logs for the complete output of a successful concentrator
If your CRL checking in not successful, these messages are seen in the
Filterable Event Logs.
1332 08/15/2002 18:00:36.730 SEV=7 CERT/6 RPT=2
Failed to retrieve revocation list: session = 5
1333 08/15/2002 18:00:36.730 SEV=7 CERT/114 RPT=2
CRL retrieval over HTTP has failed. Please make sure that proper filter rules
have been configured.
1335 08/15/2002 18:00:36.730 SEV=7 CERT/8 RPT=2
Error processing revocation list: session = 5, reason = Failed to retrieve CRL
from the server.
Concentrator Logs for the complete output of a failed concentrator log.
Client Logs for the complete output of a successful client log.
Client Logs for the complete output of a failed client log.
Connection Problems on the VPN 3000 Concentrator for more