When your device is enrolled with a certification authority (CA), it relies on certificates and certificate revocation lists (CRLs). Normally certain certificates
and all CRLs are stored locally in the NVRAM of the device, and each certificate and CRL takes up a moderate amount of memory.
The following certificates are normally stored at your device:
- Certificate of your device.
- Certificate of the CA.
- Root certificates obtained from CA servers (all root certificates are saved in RAM after the device has been initialized).
- Two registration authority (RA) certificates (only if the CA supports an RA).
CRLs are normally stored at your device according to the following conditions:
- If your CA does not support an RA, only one CRL is stored on the device.
- If your CA supports an RA, multiple CRLs can be stored on the device.
In some cases, storing these certificates and CRLs locally causes no difficulty. In other cases, memory can become
a problem, particularly if the CA supports an RA and a large number of CRLs have to be stored on the device. If the NVRAM is
too small to hold the root certificates, only the fingerprint of each root certificate is saved.
To save NVRAM space, you can specify that certificates and CRLs are not stored locally but are retrieved from the CA
when needed. This alternative saves NVRAM space but can have a slight performance impact, because each certificate or CRL must be fetched over the network when it is first required. To specify that certificates
and CRLs are not stored locally on your device but are retrieved when required, enable query mode.
If you do not enable query mode now, you can do it later, even if certificates and CRLs are already stored on the device.
In this case, when you enable query mode, the stored certificates and CRLs are deleted from the device after you save the
configuration. (If you copy the configuration to a TFTP server before enabling query mode, the stored certificates
and CRLs are preserved in that copy.)
Before disabling query mode, issue the copy system:running-config nvram:startup-config command to save all current certificates and CRLs to NVRAM. Otherwise they can be lost during a reboot.
To specify that certificates and CRLs should not be stored locally on your device, but should be retrieved when required,
enable query mode by using the following command in global configuration mode:
Note: Query mode makes certificate validation depend on the CA being reachable. If the CA (or the server from which certificates and CRLs are retrieved) is down, a certificate or CRL that is not held locally cannot be obtained, which can affect the availability of any service on the device that needs to validate a certificate at that moment.
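The following console session is an added illustration of the procedure described above (back up, enable query mode, later disable it); it is not taken from this page. The page does not show the global configuration command itself, so the command name used here, crypto pki certificate query (older releases use the form crypto ca certificate query), is an assumption, as are the host name, TFTP server address and file names.

```text
! Added illustrative session, not from the original page.
! Assumed: the query-mode command is "crypto pki certificate query"
! (older IOS releases: "crypto ca certificate query"). Host name, TFTP
! address and file names are placeholders.

! 1. Back up the running configuration, which still contains the locally
!    stored certificates and CRLs, before query mode removes them.
Router# copy system:running-config tftp:
Address or name of remote host []? 192.0.2.10
Destination filename [router-confg]? router-before-query.cfg

! 2. Enable query mode. Once the configuration is saved, the stored
!    certificates and CRLs are deleted from NVRAM and are fetched from
!    the CA on demand from then on.
Router# configure terminal
Router(config)# crypto pki certificate query
Router(config)# end
Router# copy system:running-config nvram:startup-config

! 3. Check what the device now holds.
Router# show crypto pki certificates

! 4. Later, to return to local storage: save the current certificates and
!    CRLs to NVRAM *before* turning query mode off, or they can be lost on
!    the next reboot. Then disable query mode and save again.
Router# copy system:running-config nvram:startup-config
Router# configure terminal
Router(config)# no crypto pki certificate query
Router(config)# end
Router# copy system:running-config nvram:startup-config
```

Two practical points. First, TFTP is unauthenticated and unencrypted, and the running configuration contains more than certificates (for example enable secrets and pre-shared keys), so take the backup over a trusted management network or use an authenticated transfer such as SCP instead of the TFTP target the page suggests. Second, after step 2 the device can only validate peers while the CA is reachable, so test a certificate-based connection (for example an IPsec or SSH session that uses the trustpoint) while the CA is up, and consider what those services will do during a CA outage before relying on query mode in production.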