The ASA supports certificate status verification using CRLs and OCSP. A CRL can be retrieved over HTTP, LDAP or SCEP.
Revocation checking using CRL:
Over HTTP:
ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check crl
ciscoasa(config-ca-trustpoint)# crl configure
ciscoasa(config-ca-crl)# protocol http
By default the ASA uses the address listed in the CDP extension of the certificate being validated. To override this behaviour, add the following in the CRL configuration context:
ciscoasa(config-ca-crl)# policy static
ciscoasa(config-ca-crl)# url 1 http://cdpurl.kp.local/crl.crl
Over LDAP:
The certificate I'm using for this lab doesn't have an LDAP address in its CDP extension, so I'm using "policy static" to specify the LDAP URL from which the CRL can be retrieved.
ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check crl
ciscoasa(config-ca-trustpoint)# crl configure
ciscoasa(config-ca-crl)# protocol ldap
ciscoasa(config-ca-crl)# policy static
ciscoasa(config-ca-crl)# url 1 ldap://dc1.kp.local/CN=IssuingCA-DC1,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=kp,DC=local/
ciscoasa(config-ca-crl)# ldap-dn CN=asacrl,OU=UsersRoot,DC=kp,DC=local password
ciscoasa(config-ca-crl)# ldap-defaults 10.0.0.7
Revocation checking using OCSP:
ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check ocsp
ciscoasa(config-ca-trustpoint)# ocsp url http://srv3.kp.local/ocsp
View CRL cache:
ciscoasa# show crypto ca crl
CRL Issuer Name:
cn=IssuingCA-DC1,dc=kp,dc=local
LastUpdate: 15:23:47 UTC Apr 11 2013
NextUpdate: 03:43:47 UTC Apr 19 2013
Cached Until: 14:54:45 UTC Apr 15 2013
Retrieved from CRL Distribution Point:
http://dc1.kp.local/pki/IssuingCA-DC1.crl
Size (bytes): 716
Associated Trustpoints: ASDM_TrustPoint0
Enable crypto transaction debugging:
ciscoasa# debug crypto ca transactions 10
Retrieve CRL:
ciscoasa(config)# crypto ca crl request ASDM_TrustPoint0
CRYPTO_PKI: CRL is being polled from CDP http://dc1.kp.local/pki/IssuingCA-DC1.crl.
CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 11 Apr 2013 15:33:47 GMT
Accept-Ranges: bytes
ETag: "edeaef5c936ce1:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Mon, 15 Apr 2013 13:50:57 GMT
Connection: close
Content-Length: 716
CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CRYPTO_PKI: set CRL update timer with delay: 309171
CRYPTO_PKI: the current device time: 13:50:56 UTC Apr 15 2013
CRYPTO_PKI: the last CRL update time: 15:23:47 UTC Apr 11 2013
CRYPTO_PKI: the next CRL update time: 03:43:47 UTC Apr 19 2013
CRYPTO_PKI: CRL cache delay being set to: 3600000
CRYPTO_PKI: transaction HTTPGetCRL completed
Debug output of certificate validation using CRL:
CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="cn=ORCA1-CA" serial number=4d 00 00 00 02 92 4d ec 09 31 40 27 0b 00 00 00
CRYPTO_PKI: Cerificate is resident.
CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe
CRYPTO_PKI: Verifying certificate with serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe, issuer_name: cn=IssuingCA-DC1,dc=kp,dc=local, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="cn=IssuingCA-DC1,dc=kp,dc=local" serial number=6d 00 00 00 07 5a 2d 9b 4f e8 e3 4d f7 00 00 00 | ...
CRYPTO_PKI: Starting CRL revocation check.
CRYPTO_PKI: Attempting to find cached CRL for CDP http://dc1.kp.local/pki/IssuingCA-DC1.crl
CRYPTO_PKI: Found CRL in cache for CDP: http://dc1.kp.local/pki/IssuingCA-DC1.crl, status 0.
CRYPTO_PKI: Certificate is revoked!
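As an added example (not code from the original post or from Cisco), here is the same CRL check the ASA performs above, written in Python with the cryptography library: verify the CRL signature against the issuing CA, honour the LastUpdate/NextUpdate window that "show crypto ca crl" displays, then look up the serial. The CA key and CRL are a constructed lab fixture generated inline so it runs offline; the "good" serial 0x1234 is an assumption.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

REVOKED_SERIAL = 0x6D000000075A2D9B4FE8E34DF7000000000007  # revoked user cert serial from the debug output
GOOD_SERIAL = 0x1234  # constructed serial that is not on the CRL (assumption)
NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)  # naive UTC

def make_test_ca_and_crl(now):
    """Constructed lab fixture: a throwaway CA key and a CRL that revokes REVOKED_SERIAL."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "IssuingCA-DC1")])
    revoked = x509.RevokedCertificateBuilder().serial_number(REVOKED_SERIAL).revocation_date(now).build()
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(issuer)
           .last_update(now)                                # LastUpdate in 'show crypto ca crl'
           .next_update(now + datetime.timedelta(days=7))   # NextUpdate
           .add_revoked_certificate(revoked)
           .sign(key, hashes.SHA256()))
    return key.public_key(), crl.public_bytes(serialization.Encoding.DER)

def _validity_window(crl):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases only have the naive ones.
    if hasattr(crl, "last_update_utc"):
        return crl.last_update_utc.replace(tzinfo=None), crl.next_update_utc.replace(tzinfo=None)
    return crl.last_update, crl.next_update

def check_revocation(issuer_pubkey, crl_der, serial, now):
    """Return 'revoked' or 'good'; raise ValueError if the CRL must not be trusted."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(issuer_pubkey):       # must be signed by the issuing CA
        raise ValueError("CRL signature does not verify against the issuer key")
    last_update, next_update = _validity_window(crl)
    if not last_update <= now <= next_update:           # stale CRL: re-poll the CDP instead of trusting it
        raise ValueError("CRL is outside its LastUpdate/NextUpdate window")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(serial) else "good"

def demo():
    pubkey, crl_der = make_test_ca_and_crl(NOW)
    revoked = check_revocation(pubkey, crl_der, REVOKED_SERIAL, NOW)
    good = check_revocation(pubkey, crl_der, GOOD_SERIAL, NOW)
    try:  # a CRL past NextUpdate is rejected rather than silently reported as "good"
        check_revocation(pubkey, crl_der, GOOD_SERIAL, NOW + datetime.timedelta(days=8))
        stale = "accepted"
    except ValueError:
        stale = "rejected"
    return revoked, good, stale
```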
Debug output of certificate validation using OCSP:
CRYPTO_PKI: Sorted chain size is: 2
CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="cn=ORCA1-CA" serial number=4d 00 00 00 02 92 4d ec 09 31 40 27 0b 00 00 00
CRYPTO_PKI: Cerificate is resident.
CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe
CRYPTO_PKI: Verifying certificate with serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe, issuer_name: cn=IssuingCA-C1,dc=kp,dc=local, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="cn=IssuingCA-DC1,dc=kp,dc=local" serial number=6d00 00 00 07 5a 2d 9b 4f e8 e3 4d f7 00 00 00
CRYPTO_PKI: Verify cert is polling for revocation status.
CRYPTO_PKI: Starting OCSP revocation
CRYPTO_PKI: no responder matching this URL; create one!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: OCSP response status - unauthorized.
CRYPTO_PKI: transaction GetOCSP completed