From where did you get that url? I see the same url in that link that I sent you before. I guess that's just a sample url.

Snippet from
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1193934

Certificate Revocation Lists (CRLs)

By default, CRLs are issued once every 168 hours (1 calendar week). To specify a value other than the default value for issuing the CRL, execute the *lifetime crl* command. After the CRL is issued, it is written to the specified database location as *ca-label*.crl, where *ca-label* is the name of the certificate server.

CRLs can be distributed through SCEP, which is the default method, or a CRL distribution point (CDP), if configured and available. If you set up a CDP, use the *cdp-url* command to specify the CDP location. If the *cdp-url* command is not specified, the CDP certificate extension is not included in the certificates that are issued by the certificate server. If the CDP location is not specified, Cisco IOS PKI clients automatically request a CRL from the certificate server with a SCEP GetCRL message. The CA then returns the CRL in a SCEP CertRep message to the client. Because all SCEP messages are enveloped and signed PKCS#7 data, the SCEP retrieval of the CRL from the certificate server is costly and not highly scalable. In very large networks, an HTTP CDP provides better scalability and is recommended if you have many peer devices that check CRLs. You may specify the CDP location by a simple HTTP URL string for example,

*cdp-url* http://my-cdp.company.com/filename.crl

With regards
Kings

On Sun, Aug 7, 2011 at 6:27 PM, Bruno <[email protected]> wrote:

> So, when will we use this:
>
> *cdp-url* http://my-cdp.company.com/filename.crl
>
>
> On Sun, Aug 7, 2011 at 2:41 AM, Kingsley Charles <[email protected]> wrote:
>
>> If you are enrolled with IOS CA server and the client supports SCEP, then
>> it will use SCEP to retrieve the CDP url.
>>
>> If the client doesn't support SCEP, then use the following url
>>
>> *cdp-url* http://*cs-addr*/cgi-bin/pkiclient.exe?operation=GetCRL
>>
>> Snippet from
>> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1193934
>>
>> If you have PKI clients that are not running Cisco IOS software and that
>> do not support a SCEP GetCRL request and wish to use a CDP you may set up an
>> external server to distribute CRLs and configure the CDP to point to that
>> server. Or, you can specify a non-SCEP request for the retrieval of the CRL
>> from the certificate server by specifying the *cdp-url* command with the
>> URL in the following format where *cs-addr* is the location of the
>> certificate server:
>>
>> *cdp-url* http://*cs-addr*/cgi-bin/pkiclient.exe?operation=GetCRL
>>
>>
>>
>> With regards
>> Kings
>>
>> On Sat, Aug 6, 2011 at 7:22 PM, Bruno <[email protected]> wrote:
>>
>>> Mainly 2 simple questions I think
>>>
>>> 1) If we are told to set up CA server with CDP for clients which support
>>> SCEP, should I do the following?
>>> *cdp-url* http://my-cdp.company.com/filename.crl
>>>
>>> 2) After restoring a CA server, supposing we are asked to change the
>>> Issuer-name, is that possible? (This question came up after some ipx lab
>>> which task was to restore and after restore to set up a different
>>> issuer-name. Answer shows this but I tried many times and couldn't change
>>> it)
>>>
>>> thanks in advance
>>>
>>> --
>>> Bruno Fagioli
>>> Cisco Security Professional
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>
>>
>
>
> --
> Bruno Fagioli
> Cisco Security Professional
>
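The *cdp-url* choices discussed in this thread, laid out as an added Cisco IOS configuration sketch that is not part of the original messages or of the Cisco guide. The server label CS1, the issuer name, the 24-hour CRL lifetime and the address 192.0.2.1 are assumed placeholder values.

```cisco
! Added example. CS1, CN=CS1, 192.0.2.1 and the 24-hour lifetime are
! assumed placeholder values, not taken from the thread.
!
! The certificate server answers SCEP requests (and the pkiclient.exe
! GetCRL URL) through the router's HTTP server.
ip http server
!
crypto pki server CS1
 database url nvram:
 issuer-name CN=CS1
 ! Issue a fresh CRL every 24 hours instead of the 168-hour default.
 lifetime crl 24
 !
 ! Option A: external HTTP CDP, for large networks with many peers
 ! checking CRLs. The issued CRL (written to the database location as
 ! CS1.crl) has to be published on that web server under this name.
 cdp-url http://my-cdp.company.com/filename.crl
 !
 ! Option B: clients that cannot send a SCEP GetCRL, with the CRL still
 ! served by the certificate server itself. When typing this line
 ! interactively, press Ctrl-V before "?" so the CLI does not treat it
 ! as a help request.
 ! cdp-url http://192.0.2.1/cgi-bin/pkiclient.exe?operation=GetCRL
 !
 ! Option C: leave cdp-url out. Issued certificates then carry no CDP
 ! extension and Cisco IOS PKI clients ask the server for the CRL with
 ! a SCEP GetCRL message.
 !
 no shutdown
```

The CDP is an extension inside each issued certificate, so certificates issued before a *cdp-url* change keep the value they were signed with. `show crypto pki server` on the server and `show crypto pki certificates verbose` on a client show which CDP, if any, is in effect.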
