Cisco Bug: CSCum14512 - CRL download for SUBCA resulting in signature verification failure

Last Modified

Oct 14, 2019

Products (25)

  • Cisco IOS
  • Cisco ASR 901-6CZ-FS-D Router
  • Cisco ASR 901-6CZ-F-D Router
  • Cisco ASR 901-4C-FT-D Router
  • Cisco ASR 901S-4SG-F-D Router
  • Cisco ME 3600X-24TS-M Switch
  • Cisco ASR 901S-2SG-F-D Router
  • Cisco ASR 901S-2SG-F-AH Router
  • Cisco ASR 901-6CZ-F-A Router
  • Cisco ASR 901-6CZ-FT-A Router

Known Affected Releases


Description (partial)

The router downloads the CRL file but fails to make use of it, logging the following error:

CRYPTO_PKI: CRL verify has failed
%PKI-4-CRLINSERTFAIL: Trustpoint "SubCA-Trustpoint" failed to verify CRL signature (error 1872:E_PATH_NOT_FOUND : valid cert path not found (reason: %n0))

Cisco IOS is acting as a PKI client with either a full chain installed (Root -> Sub-CA -> ID certificate issued by the Sub-CA) or a valid certificate chain installed (Sub-CA -> ID certificate issued by the Sub-CA).

Here the router is verifying the peer certificate issued by the Sub-CA by means of a CRL.