By default, CRLs are issued once every 168 hours (1 calendar week). To specify a value other than the default value for issuing the CRL, execute the lifetime crl command. After the CRL is issued, it is written to the specified database location as ca-label.crl, where ca-label is the name of the certificate server.
CRLs can be distributed through SCEP, which is the default method, or a CRL distribution point (CDP), if configured and available. If you set up a CDP, use the cdp-urlcommand to specify the CDP location. If the cdp-url command is not specified, the CDP certificate extension is not included in the certificates that are issued by the certificate server. If the CDP location is not specified, Cisco IOS PKI clients automatically request a CRL from the certificate server with a SCEP GetCRL message. The CA then returns the CRL in a SCEP CertRep message to the client. Because all SCEP messages are enveloped and signed PKCS#7 data, the SCEP retrieval of the CRL from the certificate server is costly and not highly scalable. In very large networks, an HTTP CDP provides better scalability and is recommended if you have many peer devices that check CRLs. You may specify the CDP location by a simple HTTP URL string for example,
cdp-url http://my-cdp.company.com/filename.crl
The certificate server supports only one CDP; thus, all certificates that are issued include the same CDP.
If you have PKI clients that are not running Cisco IOS software and that do not support a SCEP GetCRL request and wish to use a CDP you may set up an external server to distribute CRLs and configure the CDP to point to that server. Or, you can specify a non-SCEP request for the retrieval of the CRL from the certificate server by specifying the cdp-url command with the URL in the following format where cs-addr is the location of the certificate server:
cdp-url http://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL
Note |
If your Cisco IOS CA is also configured as your HTTP CDP server, specify your CDP with the cdp-urlhttp://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL command syntax.
|
It is the responsibility of the network administrator to ensure that the CRL is available from the location that is specified through the cdp-url command.
In order to force the parser to retain the embedded question mark within the specified location, enter Ctrl-v prior to the question mark. If this action is not taken, CRL retrieval through HTTP returns an error message.
The CDP location may be changed after the certificate server is running through the cdp-url command. New certificates contain the updated CDP location, but existing certificates are not reissued with the newly specified CDP location. When a new CRL is issued, the certificate server uses its current cached CRL to generate a new CRL. (When the certificate server is rebooted, it reloads the current CRL from the database.) A new CRL cannot be issued unless the current CRL has expired. After the current CRL expires, a new CRL is issued only after a certificate is revoked from the CLI.