Hello guys,

I have been doing some PKI stuff to refresh my knowledge on this subject and came across an interesting point. What if the CA should provide the CRL URL to non-SCEP clients? The URL for this type is provided by Cisco in their guide:

cdp-url http://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL

My question is to anyone who has tried to enter this URL. My router doesn't accept "?" at all. How are we supposed to configure it? This is what I end up with when I enter cdp-url:

R2(cs-server)#cdp-url http://8.9.50.2/cgi-bin/pkiclient.exe?
  WORD

Secondly, I heard people couldn't access Cisco documentation for some weird reasons during the lab exam. I won't be able to remember this URL after about a month from now.

Your comments?

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: 06 August 2011 22:42
To: Bruno
Cc: CCIE Security Maillist
Subject: Re: [OSL | CCIE_Security] Certificate Authority

If you are enrolled with the IOS CA server and the client supports SCEP, then it will use SCEP to retrieve the CDP URL. If the client doesn't support SCEP, then use the following URL:

cdp-url http://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL

Snippet from http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1193934

If you have PKI clients that are not running Cisco IOS software and that do not support a SCEP GetCRL request and wish to use a CDP you may set up an external server to distribute CRLs and configure the CDP to point to that server. Or, you can specify a non-SCEP request for the retrieval of the CRL from the certificate server by specifying the cdp-url command with the URL in the following format where cs-addr is the location of the certificate server:

cdp-url http://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL

With regards
Kings

On Sat, Aug 6, 2011 at 7:22 PM, Bruno <[email protected]> wrote:

Mainly 2 simple questions, I think.

1) If we are told to set up a CA server with CDP for clients which support SCEP, should I do the following?

cdp-url http://my-cdp.company.com/filename.crl

2) After restoring a CA server, supposing we are asked to change the Issuer-name, is that possible? (This question came up after some ipx lab whose task was to restore and, after the restore, to set up a different issuer-name. The answer shows this, but I tried many times and couldn't change it.)

Thanks in advance

--
Bruno Fagioli
Cisco Security Professional

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
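An added example, not part of the original thread or of Cisco's guide: an IOS certificate server configured with the non-SCEP GetCRL CDP discussed above, showing how the literal "?" is typed. The server name CA1 and the issuer name are assumptions; the address 8.9.50.2 is the one from the thread.

```cisco
! The IOS CA serves SCEP and the pkiclient.exe CRL URL through the
! router's built-in HTTP server, so it must be enabled.
ip http server
!
! CA1 and the issuer name are hypothetical values for this example.
crypto pki server CA1
 issuer-name CN=CA1.example.com
 grant auto
 !
 ! Typing "?" on the IOS command line invokes context help, which is
 ! why the router answers with "WORD" instead of accepting the URL.
 ! Press Ctrl-V immediately before "?" to insert it as a literal
 ! character, then continue typing the rest of the URL:
 !
 !   cdp-url http://8.9.50.2/cgi-bin/pkiclient.exe<Ctrl-V>?operation=GetCRL
 !
 ! The line is stored in the running configuration as:
 cdp-url http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
 !
 ! The CDP is written into certificates as they are issued, so set
 ! cdp-url before the server starts granting certificates.
 no shutdown
!
! Confirm the server state and the configured CDP after it comes up:
!   show crypto pki server
```

Pasting the finished `cdp-url` line from a text editor does not avoid the help prompt, because the terminal still interprets "?" as typed input; the Ctrl-V escape is needed either way.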
