Cisco ASA Certificate Revocation Checking


The ASA supports certificate status verification using CRLs and OCSP. A CRL can be retrieved over HTTP, LDAP or SCEP.

Revocation checking using CRL:

Over HTTP:

ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check crl
ciscoasa(config-ca-trustpoint)# crl configure
ciscoasa(config-ca-crl)# protocol http

By default the ASA uses the address listed in the CDP extension of the certificate being validated. To override this behaviour, add the following in the CRL configuration context:

ciscoasa(config-ca-crl)# policy static
ciscoasa(config-ca-crl)# url 1 http://cdpurl.kp.local/crl.crl


Over LDAP:

The certificate I'm using for this lab doesn't have an LDAP address in its CDP extension. Therefore I'm using "policy static" to specify the LDAP URL from which the CRL can be retrieved.

ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check crl
ciscoasa(config-ca-trustpoint)# crl configure
ciscoasa(config-ca-crl)# protocol ldap
ciscoasa(config-ca-crl)# policy static
ciscoasa(config-ca-crl)# url 1 ldap://dc1.kp.local/CN=IssuingCA-DC1,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=kp,DC=local/
ciscoasa(config-ca-crl)# ldap-dn CN=asacrl,OU=UsersRoot,DC=kp,DC=local password
ciscoasa(config-ca-crl)# ldap-defaults 10.0.0.7


Revocation checking using OCSP:

ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check ocsp
ciscoasa(config-ca-trustpoint)# ocsp url http://srv3.kp.local/ocsp


View the CRL cache:

ciscoasa# show crypto ca crl

CRL Issuer Name:
    cn=IssuingCA-DC1,dc=kp,dc=local
    LastUpdate: 15:23:47 UTC Apr 11 2013
    NextUpdate: 03:43:47 UTC Apr 19 2013
    Cached Until: 14:54:45 UTC Apr 15 2013
    Retrieved from CRL Distribution Point:
      http://dc1.kp.local/pki/IssuingCA-DC1.crl
    Size (bytes): 716
    Associated Trustpoints: ASDM_TrustPoint0


Enable crypto transaction debugging:

ciscoasa# debug crypto ca transactions 10


Retrieve the CRL:

ciscoasa(config)# crypto ca crl request ASDM_TrustPoint0

CRYPTO_PKI: CRL is being polled from CDP http://dc1.kp.local/pki/IssuingCA-DC1.crl.

CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 11 Apr 2013 15:33:47 GMT
Accept-Ranges: bytes
ETag: "edeaef5c936ce1:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Mon, 15 Apr 2013 13:50:57 GMT
Connection: close
Content-Length: 716

CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CRYPTO_PKI: set CRL update timer with delay: 309171
CRYPTO_PKI: the current device time: 13:50:56 UTC Apr 15 2013

CRYPTO_PKI: the last CRL update time: 15:23:47 UTC Apr 11 2013
CRYPTO_PKI: the next CRL update time: 03:43:47 UTC Apr 19 2013
CRYPTO_PKI: CRL cache delay being set to: 3600000
CRYPTO_PKI: transaction HTTPGetCRL completed
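
To make the cache entry and the debug timer above easier to check during troubleshooting, here is an added example (not from the original post or Cisco) that parses the "show crypto ca crl" output quoted earlier, compares it with the device time from the debug, and recomputes the "set CRL update timer" delay; the sample output and the field meanings (NextUpdate as the CRL's validity end, Cached Until as the local cache lifetime) are taken from this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the 'show crypto ca crl' entry and the device time
# quoted in the post, embedded here so the script runs offline.
SHOW_CRL = """\
CRL Issuer Name:
    cn=IssuingCA-DC1,dc=kp,dc=local
    LastUpdate: 15:23:47 UTC Apr 11 2013
    NextUpdate: 03:43:47 UTC Apr 19 2013
    Cached Until: 14:54:45 UTC Apr 15 2013
    Retrieved from CRL Distribution Point:
      http://dc1.kp.local/pki/IssuingCA-DC1.crl
    Size (bytes): 716
    Associated Trustpoints: ASDM_TrustPoint0
"""
DEVICE_TIME = "13:50:56 UTC Apr 15 2013"   # from 'debug crypto ca transactions'

ASA_TIME_FMT = "%H:%M:%S UTC %b %d %Y"     # ASA prints 'HH:MM:SS UTC Mon DD YYYY'


def parse_asa_time(text):
    return datetime.strptime(text.strip(), ASA_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_show_crl(output):
    """Turn one CRL cache entry into a dict of issuer, CDP URL and timestamps."""
    entry = {}
    for key in ("LastUpdate", "NextUpdate", "Cached Until"):
        entry[key] = parse_asa_time(re.search(rf"{key}:\s*(.+)", output).group(1))
    entry["issuer"] = re.search(r"CRL Issuer Name:\s*\n\s*(.+)", output).group(1).strip()
    entry["cdp"] = re.search(r"Distribution Point:\s*\n\s*(\S+)", output).group(1)
    return entry


def crl_status(entry, now):
    """Classify the cached CRL relative to the device clock.

    'expired'     : NextUpdate has passed, the CRL can no longer be trusted.
    'cache-lapsed': the local cache lifetime (Cached Until) has passed, so the
                    ASA will re-poll the CDP on the next validation.
    'valid'       : usable as-is.
    Also returns seconds until NextUpdate, the value the debug output logs as
    'set CRL update timer with delay'.
    """
    delay = int((entry["NextUpdate"] - now).total_seconds())
    if now >= entry["NextUpdate"]:
        return "expired", delay
    if now >= entry["Cached Until"]:
        return "cache-lapsed", delay
    return "valid", delay
```

Run against the page's values, the recomputed delay is 309171 seconds, the same number the ASA logged when it scheduled the next CRL refresh.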


Debug output of certificate validation using CRL:

CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.

CRYPTO_PKI(Cert Lookup) issuer="cn=ORCA1-CA" serial number=4d 00 00 00 02 92 4d ec 09 31 40 27 0b 00 00 00    
CRYPTO_PKI: Cerificate is resident.
CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe
CRYPTO_PKI: Verifying certificate with serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe, issuer_name: cn=IssuingCA-DC1,dc=kp,dc=local, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="cn=IssuingCA-DC1,dc=kp,dc=local" serial number=6d 00 00 00 07 5a 2d 9b 4f e8 e3 4d f7 00 00 00                                   |  ...

CRYPTO_PKI: Starting CRL revocation check.
CRYPTO_PKI: Attempting to find cached CRL for CDP http://dc1.kp.local/pki/IssuingCA-DC1.crl
CRYPTO_PKI: Found CRL in cache for CDP: http://dc1.kp.local/pki/IssuingCA-DC1.crl, status 0.
CRYPTO_PKI: Certificate is revoked!


Debug output of certificate validation using OCSP:

CRYPTO_PKI: Sorted chain size is: 2
CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="cn=ORCA1-CA" serial number=4d 00 00 00 02 92 4d ec 09 31 40 27 0b 00 00 00   
CRYPTO_PKI: Cerificate is resident.

CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.

CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe
CRYPTO_PKI: Verifying certificate with serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe, issuer_name: cn=IssuingCA-C1,dc=kp,dc=local, signature alg: SHA1/RSA.

CRYPTO_PKI(Cert Lookup) issuer="cn=IssuingCA-DC1,dc=kp,dc=local" serial number=6d00 00 00 07 5a 2d 9b 4f e8 e3 4d f7 00 00 00
CRYPTO_PKI: Verify cert is polling for revocation status.

CRYPTO_PKI: Starting OCSP revocation
CRYPTO_PKI: no responder matching this URL; create one!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: OCSP response status - unauthorized.
CRYPTO_PKI: transaction GetOCSP completed
