Preview Tool

Cisco Bug: CSCus54238 - PKI "revocation check crl none" does not fallback if CRL not available

Last Modified

Aug 15, 2017

Products (96)

  • Cisco IOS
  • Cisco 898 Secure G.SHDSL EFM/ATM with Multi-Mode 4G LTE ISR Router
  • Cisco 892W Integrated Services Router
  • Cisco 1905 Serial Integrated Services Router
  • Cisco 861W Integrated Services Router
  • Cisco 2951 Integrated Services Router
  • Cisco VG204XM Analog Voice Gateway
  • Cisco 888W Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco 886VAG 3G Integrated Services Router
View all products in Bug Search Tool Login Required

Known Affected Releases

15.4(3)M1 15.4(3)S1.1

Description (partial)

Certificate validation fails when the CRL is not available, even though the trustpoint revocation setting is:

"revocation-check crl none".

The validation check does not fallback to "none".

PKI hierarchy - Root CA -> Intermediate CA -> Router.

Intermediate trustpoint on the router configured with "chain-validation continue Root-CA"


crypto pki trustpoint Intermediate
 enrollment url
 chain-validation continue Root-CA
 revocation-check crl none

crypto pki trustpoint Root-CA
 enrollment url
 revocation-check crl none

Root-CA CRL is not available - not in cache, SCEP not reachable, CDP URL not reachable.

Upgrade to 15.4(3)M1
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.