
Cisco ASA Certificate Revocation Checking


The ASA supports certificate status verification using CRLs and OCSP. A CRL can be retrieved over HTTP, LDAP or SCEP.

Revocation checking using CRL:

Over HTTP:

ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check crl
ciscoasa(config-ca-trustpoint)# crl configure
ciscoasa(config-ca-crl)# protocol http

By default the ASA uses the address listed in the CDP extension of the certificate being validated. To override the default behaviour, add the following in the CRL configuration context:

ciscoasa(config-ca-crl)# policy static
ciscoasa(config-ca-crl)# url 1 http://cdpurl.kp.local/crl.crl


Over LDAP:

The certificate I'm using for this lab doesn't have an LDAP address in its CDP extension. Therefore I'm using "policy static" to specify the LDAP URL where the CRL can be retrieved.

ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check crl
ciscoasa(config-ca-trustpoint)# crl configure
ciscoasa(config-ca-crl)# protocol ldap
ciscoasa(config-ca-crl)# policy static

ciscoasa(config-ca-crl)# url 1 ldap://dc1.kp.local/CN=IssuingCA-DC1,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=kp,DC=local/

ciscoasa(config-ca-crl)# ldap-dn CN=asacrl,OU=UsersRoot,DC=kp,DC=local password

ciscoasa(config-ca-crl)# ldap-defaults 10.0.0.7


Revocation checking using OCSP:

ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2
ciscoasa(config-ca-trustpoint)# revocation-check ocsp
ciscoasa(config-ca-trustpoint)# ocsp url http://srv3.kp.local/ocsp


View CRL cache:


ciscoasa# show crypto ca crl

CRL Issuer Name:
    cn=IssuingCA-DC1,dc=kp,dc=local
    LastUpdate: 15:23:47 UTC Apr 11 2013
    NextUpdate: 03:43:47 UTC Apr 19 2013
    Cached Until: 14:54:45 UTC Apr 15 2013
    Retrieved from CRL Distribution Point:
      http://dc1.kp.local/pki/IssuingCA-DC1.crl
    Size (bytes): 716
    Associated Trustpoints: ASDM_TrustPoint0


Enable crypto transaction debugging:

ciscoasa# debug crypto ca transactions 10


Retrieve CRL: 


ciscoasa(config)# crypto ca crl request ASDM_TrustPoint0

CRYPTO_PKI: CRL is being polled from CDP http://dc1.kp.local/pki/IssuingCA-DC1.crl.

CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 11 Apr 2013 15:33:47 GMT
Accept-Ranges: bytes
ETag: "edeaef5c936ce1:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Mon, 15 Apr 2013 13:50:57 GMT
Connection: close
Content-Length: 716

CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CRYPTO_PKI: set CRL update timer with delay: 309171
CRYPTO_PKI: the current device time: 13:50:56 UTC Apr 15 2013

CRYPTO_PKI: the last CRL update time: 15:23:47 UTC Apr 11 2013
CRYPTO_PKI: the next CRL update time: 03:43:47 UTC Apr 19 2013
CRYPTO_PKI: CRL cache delay being set to: 3600000
CRYPTO_PKI: transaction HTTPGetCRL completed
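As an added example (my own code, not part of the original post and not Cisco's), the following Python parses the "show crypto ca crl" output shown above and reproduces the arithmetic behind the debug line "set CRL update timer with delay: 309171": the delay is the number of seconds from the device clock to the CRL's NextUpdate. The fresh / cache-expired / stale labels are my own classification for troubleshooting, not ASA terminology.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the "show crypto ca crl" output quoted in this post.
SHOW_CRL = """\
CRL Issuer Name:
    cn=IssuingCA-DC1,dc=kp,dc=local
    LastUpdate: 15:23:47 UTC Apr 11 2013
    NextUpdate: 03:43:47 UTC Apr 19 2013
    Cached Until: 14:54:45 UTC Apr 15 2013
    Retrieved from CRL Distribution Point:
      http://dc1.kp.local/pki/IssuingCA-DC1.crl
    Size (bytes): 716
    Associated Trustpoints: ASDM_TrustPoint0
"""
ASA_TIME = "%H:%M:%S UTC %b %d %Y"  # timestamp format of an ASA whose clock is set to UTC

def parse_asa_time(text):
    return datetime.strptime(text.strip(), ASA_TIME).replace(tzinfo=timezone.utc)

def parse_show_crl(text):
    """Return one dict per cached CRL listed in 'show crypto ca crl'."""
    entries = []
    for block in re.split(r"(?m)^CRL Issuer Name:", text)[1:]:
        def field(label):  # value of a 'Label: value' line within this CRL block
            return re.search(label + r":\s*(.+)", block).group(1).strip()
        entries.append({
            "issuer": block.strip().splitlines()[0].strip(),
            "last_update": parse_asa_time(field("LastUpdate")),
            "next_update": parse_asa_time(field("NextUpdate")),
            "cached_until": parse_asa_time(field("Cached Until")),
            "cdp": re.search(r"Distribution Point:\s+(\S+)", block).group(1),
            "size": int(field(r"Size \(bytes\)")),
            "trustpoints": [t.strip() for t in field("Associated Trustpoints").split(",")],
        })
    return entries

def crl_status(entry, now):
    """'stale' once NextUpdate has passed (the CRL can no longer back a revocation
    decision), 'cache-expired' once the ASA's cache entry is due for refresh, else 'fresh'."""
    if now >= entry["next_update"]:
        return "stale"
    if now >= entry["cached_until"]:
        return "cache-expired"
    return "fresh"

def update_timer_delay(entry, device_time):
    """Seconds from the device clock to NextUpdate, i.e. the N in 'set CRL update timer with delay: N'."""
    return int((entry["next_update"] - device_time).total_seconds())
```

Feeding it the device time from the debug ("13:50:56 UTC Apr 15 2013") yields the same 309171 seconds the ASA logged, which is how to confirm that a CRL refresh timer is keyed to NextUpdate rather than to the cache lifetime.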


Debug output of certificate validation using CRL:

CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.

CRYPTO_PKI(Cert Lookup) issuer="cn=ORCA1-CA" serial number=4d 00 00 00 02 92 4d ec 09 31 40 27 0b 00 00 00    
CRYPTO_PKI: Cerificate is resident.
CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe
CRYPTO_PKI: Verifying certificate with serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe, issuer_name: cn=IssuingCA-DC1,dc=kp,dc=local, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="cn=IssuingCA-DC1,dc=kp,dc=local" serial number=6d 00 00 00 07 5a 2d 9b 4f e8 e3 4d f7 00 00 00                                   |  ...

CRYPTO_PKI: Starting CRL revocation check.
CRYPTO_PKI: Attempting to find cached CRL for CDP http://dc1.kp.local/pki/IssuingCA-DC1.crl
CRYPTO_PKI: Found CRL in cache for CDP: http://dc1.kp.local/pki/IssuingCA-DC1.crl, status 0.
CRYPTO_PKI: Certificate is revoked!


Debug output of certificate validation using OCSP:


CRYPTO_PKI: Sorted chain size is: 2
CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="cn=ORCA1-CA" serial number=4d 00 00 00 02 92 4d ec 09 31 40 27 0b 00 00 00   
CRYPTO_PKI: Cerificate is resident.

CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.

CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe
CRYPTO_PKI: Verifying certificate with serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe, issuer_name: cn=IssuingCA-C1,dc=kp,dc=local, signature alg: SHA1/RSA.

CRYPTO_PKI(Cert Lookup) issuer="cn=IssuingCA-DC1,dc=kp,dc=local" serial number=6d00 00 00 07 5a 2d 9b 4f e8 e3 4d f7 00 00 00
CRYPTO_PKI: Verify cert is polling for revocation status.

CRYPTO_PKI: Starting OCSP revocation
CRYPTO_PKI: no responder matching this URL; create one!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: OCSP response status - unauthorized.
CRYPTO_PKI: transaction GetOCSP completed

DNS based censorship and domain blocking in Indonesia is very inconsistent among ISPs. There’s a government mandated black list which the ISPs operating in the country should enforce. However, Indonesia lacks centralised internet infrastructure and has many separate ISPs. In addition, the Indonesian government granted ISPs the authority to block content at their own discretion. All of this leads to a very inconsistent DNS blocking in Indonesia. Official DNS domain blacklist in Indonesia The Government mandated DNS blacklist is published in a redacted form and can be downloaded here: https://trustpositif.kominfo.go.id/ . This is where the blocked domains get redirected to. We can search the database and check if a domain is blocked. In the screenshot below we can see that a popular cryptocurrency exchange is blocked (Ada) and that wikipedia.org is not (Tidak Ada) - thanks to Google Translate. Examples of blocked DNS queries dig binance.com @182.253.45.122 ;; global options: +cmd ;; Got