Hello, I am trying to configure ocsp to serve revocations for certificates used by Cisco routers.
The certificates are typically installed in the router using configuration derived from
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_ocsp.htm
and
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121sup/121csum1/121cssec/ssdinter.htm#1018150

  crypto pki trustpoint mytrustpoint
   enrollment retry period 5
   enrollment mode ra
   enrollment url http://host.domain/path_to_cgi
   usage ike
   revocation-check ocsp
   ocsp url http://1.2.3.4:1234

If I do not perform any revocation check, the IPSec tunnel comes up. As soon as I perform revocation checks, it no longer does.

If I extract the certificates from the router NVRAM, copy them to a file and test them using OpenSSL, here is what I get:

  $ openssl x509 -inform DER -outform PEM -in ./cert1.cer -out ./cert1.pem
  $ openssl ocsp -url http://1.2.3.4:1234 -VAfile ./ocspd_cert.pem \
      -CAfile ./testca.crt -issuer ./testca.crt -cert ./cert1.pem
  Response verify OK
  ./cert1.pem: good
          This Update: Jul 20 22:18:22 2005 GMT
          Next Update: Jul 21 14:26:40 2005 GMT

  $ openssl x509 -inform DER -outform PEM -in ./cert2.cer -out ./cert2.pem
  $ openssl ocsp -url http://1.2.3.4:1234 -VAfile ./ocspd_cert.pem \
      -CAfile ./testca.crt -issuer ./testca.crt -cert ./cert2.pem
  Response verify OK
  ./cert2.pem: good
          This Update: Jul 20 22:18:22 2005 GMT
          Next Update: Jul 21 14:28:12 2005 GMT

If I revoke one of the certificates in the CA and get it to publish the CRL to the LDAP server, here is what I get:

  $ openssl ocsp -url http://1.2.3.4:1234 -VAfile ./ocspd_cert.pem \
      -CAfile ./testca.crt -issuer ./testca.crt -cert ./cert1.pem
  Response verify OK
  ./cert1.pem: revoked
          This Update: Jul 21 14:43:12 2005 GMT
          Next Update: Jul 21 14:57:12 2005 GMT
          Reason: keyCompromise
          Revocation Time: Jul 21 14:43:10 2005 GMT

So... My certificates look good, OpenSSL as an OCSP client seems happy, but not the Cisco IOS...

Anybody with experience on that matter?
Thanks
--
Guillaume Tamboise
"First they ignore you, then they laugh at you, then they fight you, then you win." -- Gandhi

_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
