Cisco Bug: CSCus54238 - PKI "revocation check crl none" does not fallback if CRL not available

Last Modified

Nov 30, 2018

Products (96)

  • Cisco IOS
  • Cisco VG204XM Analog Voice Gateway
  • Cisco C897VA Integrated Services Router
  • Cisco C892FSP Integrated Services Router
  • Cisco 892W Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 888W Integrated Services Router
  • Cisco 898 Secure G.SHDSL EFM/ATM with Multi-Mode 4G LTE ISR Router
  • Cisco 881SRSTW Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
Known Affected Releases

15.4(3)M1 15.4(3)S1.1

Description (partial)

Symptom:
Certificate validation fails when the CRL is not available, even though the trustpoint revocation setting is:

"revocation-check crl none".

The validation check does not fall back to "none".

Conditions:
PKI hierarchy - Root CA -> Intermediate CA -> Router.

Intermediate trustpoint on the router configured with "chain-validation continue Root-CA"

Example:

crypto pki trustpoint Intermediate
 enrollment url http://intermediate.example.com
 chain-validation continue Root-CA
 revocation-check crl none

crypto pki trustpoint Root-CA
 enrollment url http://Root-CA.example.com
 revocation-check crl none


Root-CA CRL is not available: not in cache, SCEP not reachable, CDP URL not reachable.
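The following is an added model of the revocation-check semantics the bug report relies on; it is not Cisco code and does not come from the bug record. It walks the same two-trustpoint chain (Intermediate -> Root-CA, both with "revocation-check crl none") and shows the distinction a practitioner needs when triaging this bug: "crl none" still rejects a certificate that a fetched CRL lists as revoked, and the fallback to "none" applies only when the CRL cannot be obtained. The bug_present flag is an assumption about where the reported failure sits (the fallback is ignored for the continued part of the chain); the exact internal cause is not stated on the page.

```python
from enum import Enum


class CrlStatus(Enum):
    GOOD = "good"                # CRL fetched, certificate serial not listed
    REVOKED = "revoked"          # CRL fetched, certificate serial is listed
    UNAVAILABLE = "unavailable"  # no cached copy, SCEP and CDP URL unreachable


# Constructed sample mirroring the two trustpoints in the bug description.
TRUSTPOINTS = {
    "Intermediate": ["crl", "none"],
    "Root-CA": ["crl", "none"],
}


def check_one(methods, crl_status):
    """Evaluate one trustpoint's ordered revocation-check method list.

    Methods are tried in order. "crl" settles the question only when the
    CRL can actually be fetched; if it is unavailable the next method is
    consulted. "none" accepts without any check. Returns (accepted, reason).
    """
    for method in methods:
        if method == "none":
            return True, "fell back to 'none'"
        if method == "crl":
            if crl_status is CrlStatus.REVOKED:
                return False, "certificate listed in CRL"
            if crl_status is CrlStatus.GOOD:
                return True, "CRL fetched, certificate not listed"
            # UNAVAILABLE: move on to the next configured method
            continue
        raise ValueError(f"unsupported revocation method {method!r}")
    return False, "every configured method failed"


def validate_chain(crl_status_by_tp, bug_present=False):
    """Walk Intermediate -> Root-CA, as 'chain-validation continue Root-CA' does.

    bug_present=True models the symptom reported for CSCus54238. Assumption:
    the 'none' fallback is not honoured for the continued part of the chain,
    so an unavailable Root-CA CRL becomes fatal instead of being skipped.
    """
    for tp in ("Intermediate", "Root-CA"):
        status = crl_status_by_tp[tp]
        if bug_present and tp == "Root-CA" and status is CrlStatus.UNAVAILABLE:
            return False, f"{tp}: CRL unavailable and fallback to 'none' not honoured"
        ok, reason = check_one(TRUSTPOINTS[tp], status)
        if not ok:
            return False, f"{tp}: {reason}"
    return True, "chain validated"


if __name__ == "__main__":
    # Constructed scenario from the bug conditions: Root-CA CRL not obtainable.
    scenario = {"Intermediate": CrlStatus.GOOD, "Root-CA": CrlStatus.UNAVAILABLE}
    print("expected :", validate_chain(scenario))
    print("observed :", validate_chain(scenario, bug_present=True))
    # A fetched CRL that lists the certificate must still fail, fallback or not.
    print("revoked  :", validate_chain({"Intermediate": CrlStatus.GOOD,
                                        "Root-CA": CrlStatus.REVOKED}))
```

When reproducing on a device, the difference between "CRL unavailable" and "CRL says revoked" is what to look for in the validation output: only the first case should be rescued by the "none" fallback, and that is the case this bug breaks.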

Upgrade to 15.4(3)M1