Preview Tool

Cisco Bug: CSCus54238 - PKI "revocation check crl none" does not fallback if CRL not available

Last Modified

Nov 30, 2018

Products (96)

  • Cisco IOS
  • Cisco VG204XM Analog Voice Gateway
  • Cisco C897VA Integrated Services Router
  • Cisco C892FSP Integrated Services Router
  • Cisco 892W Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 888W Integrated Services Router
  • Cisco 898 Secure G.SHDSL EFM/ATM with Multi-Mode 4G LTE ISR Router
  • Cisco 881SRSTW Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
View all products in Bug Search Tool Login Required

Known Affected Releases

15.4(3)M1 15.4(3)S1.1

Description (partial)

Certificate validation fails when the CRL is not available, even though the trustpoint revocation setting is:

"revocation-check crl none".

The validation check does not fallback to "none".

PKI hierarchy - Root CA -> Intermediate CA -> Router.

Intermediate trustpoint on the router configured with "chain-validation continue Root-CA"


crypto pki trustpoint Intermediate
 enrollment url
 chain-validation continue Root-CA
 revocation-check crl none

crypto pki trustpoint Root-CA
 enrollment url
 revocation-check crl none

Root-CA CRL is not available - not in cache, SCEP not reachable, CDP URL not reachable.

Upgrade to 15.4(3)M1
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.