I have configured a Cisco VPN 3005 concentrator to use digital certificate 
authentication successfully with openssl.  However, whenever I configure the 
concentrator to read the CRL file via http, I receive a Certificate 
validation failure and the VPN client fails to connect.  I am using the same 
CA that is configured on the concentrator to generate the CRL, and the 
certificate on the client has not been revoked.

I am running a Red Hat 8.0 server with OpenSSL 0.9.6b.

I generated the CRL using the following command :

openssl ca -gencrl -keyfile private/cakey.pem -cert cacert.pem -out crlfile.crl

I have verified that the concentrator can access this file. (Removing read 
permissions from the file results in an access error on the concentrator.)

The error log entries are as follows:

351 11/22/2004 15:21:23.850 SEV=5 CERT/116 RPT=18
Requesting CRL using HTTP. The HTTP URL is: 
http://192.168.1.98/crl/crlfile.crl

352 11/22/2004 15:21:23.860 SEV=4 IKE/80 RPT=18
66.123.111.19
Group [VPNClient]
Certificate validation failure, Successful
(CN=ClientTest, SN=06)

354 11/22/2004 15:21:23.870 SEV=5 IKE/194 RPT=19 66.123.111.19
Group [VPNClient]
Sending IKE Delete With Reason message: No Reason Provided.

Is there something different that I have to do to create a valid CRL that 
meets industry standards? The VPN client can connect successfully if the 
concentrator is not configured to perform CRL checking.  Any help would be 
greatly appreciated.

Rich Faulk
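Added example (a shell script written for this page, not from the original post, the OpenSSL project or Cisco): offline checks an administrator can run on a CRL before publishing it at the HTTP URL. It reports whether the file is PEM or DER (`openssl ca -gencrl` writes PEM by default, while many appliances that fetch a CRL over HTTP expect raw DER), verifies the CRL signature and validity window against the CA, writes a DER copy, and validates a client certificate against CA plus CRL. File names are placeholders and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original post. Arguments (placeholders):
# CRL file, CA certificate, and optionally a client certificate to validate.

# Report the on-disk encoding of a CRL from its first bytes. `openssl ca
# -gencrl` writes PEM unless -outform DER is given; a PEM file named .crl
# served to an appliance expecting DER fails validation with nothing revoked.
crl_format() {
    if dd if="$1" bs=24 count=1 2>/dev/null | grep -q '^-----BEGIN X509 CRL-----'; then
        echo PEM; return 0
    fi
    # A DER CRL is an ASN.1 SEQUENCE, so its first byte is 0x30.
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo DER; return 0
    fi
    echo UNKNOWN; return 1
}

# Verify the CRL signature against the CA and print its validity window.
# A CRL past its nextUpdate (default_crl_days in openssl.cnf, 30 by default)
# is rejected by verifiers, so regenerate it more often than that.
crl_report() {
    fmt=$(crl_format "$1") || return 1
    openssl crl -inform "$fmt" -in "$1" -CAfile "$2" -noout \
        -issuer -lastupdate -nextupdate
}

# Write a DER copy of the CRL, the form to publish at the HTTP URL.
crl_to_der() {
    fmt=$(crl_format "$1") || return 1
    openssl crl -inform "$fmt" -in "$1" -outform DER -out "$2"
}

# Validate a client cert against CA + CRL the way a verifier does. Bundling
# CA cert and PEM CRL in one -CAfile also works on OpenSSL 0.9.6 (no -CRLfile).
cert_crl_check() {
    fmt=$(crl_format "$1") || return 1
    bundle=$(mktemp) || return 1
    { cat "$2"; openssl crl -inform "$fmt" -in "$1" -outform PEM; } > "$bundle"
    openssl verify -crl_check -CAfile "$bundle" "$3"; rc=$?
    rm -f "$bundle"
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    crl_report "$1" "$2" && crl_to_der "$1" "${1%.*}.der"
    [ "$#" -ge 3 ] && cert_crl_check "$1" "$2" "$3"
fi
```

Run it as `sh crlcheck.sh crlfile.crl cacert.pem client.pem`; a "verify failure" from the CRL step or a nextUpdate in the past points at the CRL itself rather than at the concentrator's HTTP fetch.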
