Cisco Bug: CSCvu05252 - DOC: Trustpoint URLs for CRL retrieval no longer supported after 9.13

Last Modified

May 26, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.13(1) 9.14(1)

Description (partial)

Symptom:
This bug tracks a documentation update to reflect that after 9.13 we removed the static URL configuration CLI, for example:
crypto ca trustpoint <tp_name>
 crl configure
  url 1 http://foo.com/crl.crl  << removed support for this

We replaced it with a certificate map match rule, for example:
crypto ca trustpoint CertSub2
 revocation-check crl
 enrollment terminal
 match certificate CertSub2 override cdp  10 url http://10.86.95.61/CertSub2.crl
 match certificate CertSub override cdp  20 url http://10.86.95.61/CertSub.crl
 match certificate CertRoot override cdp  30 url http://10.86.95.61/CertRoot.crl
 crl configure
  policy static
crypto ca certificate map CertSub2 10
 issuer-name co certsub2
crypto ca certificate map CertSub 10
 issuer-name co certsub.cisco.com
crypto ca certificate map CertRoot 10
 issuer-name co certroot

This allows specific CRLs to be used for each cert in the chain.

Conditions:
Running 9.13 or later
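
A pre-upgrade check for the change described above, as an added example that is not Cisco's code: it scans a saved running-config for trustpoints that still carry the removed `url N` line under `crl configure` and lists the `override cdp` rules already present. The sample config, the `LegacyTP` name and the `crl.example.test` URL are constructed, and parsing by leading-space indentation is an assumption about how the config was saved.

```python
import re

# Constructed sample running-config (not from a real device): one trustpoint
# still uses the removed static URL form, one uses the replacement form.
SAMPLE_CONFIG = """\
crypto ca trustpoint LegacyTP
 revocation-check crl
 crl configure
  policy static
  url 1 http://crl.example.test/legacy.crl
crypto ca trustpoint CertSub2
 revocation-check crl
 match certificate CertSub2 override cdp  10 url http://10.86.95.61/CertSub2.crl
 crl configure
  policy static
crypto ca certificate map CertSub2 10
 issuer-name co certsub2
"""

STATIC_URL = re.compile(r"url\s+(\d+)\s+(\S+)")
OVERRIDE = re.compile(r"match certificate (\S+) override cdp\s+(\d+)\s+url\s+(\S+)")

def audit_trustpoints(config):
    """Return {trustpoint: {"static_urls": [...], "overrides": [...]}}."""
    report, current, in_crl = {}, None, False
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                        # top-level command starts a new block
            m = re.match(r"crypto ca trustpoint (\S+)$", line)
            current, in_crl = (m.group(1) if m else None), False
            if current:
                report[current] = {"static_urls": [], "overrides": []}
        elif current and indent == 1:          # trustpoint sub-command
            in_crl = (line == "crl configure")
            m = OVERRIDE.match(line)
            if m:
                report[current]["overrides"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif current and in_crl:               # nested under "crl configure"
            m = STATIC_URL.match(line)
            if m:
                report[current]["static_urls"].append((int(m.group(1)), m.group(2)))
    return report

def needs_migration(config):
    """Trustpoints that still carry a removed static CRL URL line."""
    return sorted(tp for tp, r in audit_trustpoints(config).items() if r["static_urls"])
```

Each trustpoint returned by `needs_migration` needs its CRL URLs re-expressed as `match certificate ... override cdp` rules, with matching `crypto ca certificate map` entries, before moving to 9.13 or later.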