Configuring CRL Options

This section teaches you how to configure CRL checking on the Cisco ASA. You can configure the Cisco ASA to do any of the following:

  • Not require CRL checking
  • Optionally accept the peer's certificate if the security appliance is not able to retrieve the CRL
  • Require CRL checking

To bypass CRL checking, use the crl nocheck trustpoint subcommand.


Bypassing CRL checking is insecure and therefore is not recommended.

The crl optional subcommand allows the Cisco ASA to optionally accept its peer's certificate if the required CRL is not available.

Use the crl required subcommand to force the Cisco ASA to perform CRL checking. The CRL server must be reachable and available in order for a peer certificate to be validated. After this command is enabled, you must configure the CRL parameters. To configure the CRL options, use the crl configure trustpoint subcommand. After invoking this command, you will be placed in the ca-crl prompt, as shown in Example 17-13.

Example 17-13. The crl configure Subcommand

Chicago(config)# crypto ca trustpoint CISCO

Chicago(ca-trustpoint)# crl required

Chicago(ca-trustpoint)# crl configure


Table 17-2 lists all the CRL configuration options.

Table 17-2. crl configure Configuration Options




Used to configure the refresh time (in minutes) for the CRL cache. The range is from 1 to 1440 minutes. The default value is 60 minutes.


Returns all the options to the default value.


Used to define how to handle the NextUpdate CRL field. If this option is configured, CRLs are required to have a NextUpdate field that has not yet lapsed.


Used to define the default LDAP server and port to use if the distribution point extension of the certificate being checked is missing these values.


Used to configure the Login DN and password which defines is used to access the CRL database.


Used to configure the CRL retrieval policy. The following options are available:

both The Cisco ASA use the CRL distribution points from the certificate being checked, or else uses static distribution points.

cdp The Cisco ASA uses the CRL distribution points from the certificate being checked.

static The Cisco ASA uses statically configured URLs.


The protocol used for CRL retrieval. The options are http, ldap, and scep.


A static URL for the site from which CRLs may be retrieved. You can specify up to five URLs. An index value is used to determine the rank of the configured URL.

Example 17-14 demonstrates how to configure CRL checking and the use of several of the previous options.

Example 17-14. CRL Checking Example

crypto ca trustpoint CISCO

 crl required

 enrollment retry count 3

 enrollment url


crl configure

 policy static

 url 1 ldap://

 url 2 ldap://

 url 3 ldap://

In Example 17-14, a Cisco ASA is configured to require CRL checking with the crl required trustpoint subcommand. The Cisco ASA has three CRL servers statically defined. LDAP is used as the transport protocol.


Make sure to configure a domain name server on the Cisco ASA when using FQDN for CRL distribution points. Use the dns name-server ip-address command to specify the domain name server to be used.

The Cisco ASA will first try the CRL server named Subsequently, it will try and, in that order, as shown in Figure 17-5.

Figure 17-5. CRL Checking Example

You can manually request the retrieval of the CRL by using the crypto ca crl request command. Example 17-15 demonstrates how to manually retrieve the CRL.

Example 17-15. CRL Manual Retrieval

Chicago(config)# crypto ca crl request CISCO

CRL received

The CRL is received successfully. To view the CRL, use the show crypto ca crls command, as demonstrated in Example 17-16.

Example 17-16. Output of show crypto ca crls Command

Chicago# show crypto ca crls

CRL Issuer Name:


 LastUpdate: 14:18:11 UTC Sep 10 2004

 NextUpdate: 02:38:11 UTC Sep 18 2004

 Retrieved from CRL Distribution Point:

The first and second shaded lines in Example 17-16 show when the last CRL update took place and when the next one will be. The third shaded line shows the URL of the CRL distribution point.

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231
Simiral book on Amazon © 2008-2017.
If you may any questions please contact us: