crypto ca crl request
Send documentation comments to mdsfeedback-doc@cisco.com
To configure a new certificate revocation list (CRL) downloaded from the certificate authority (CA), use
the crypto ca crl request command in configuration mode.
Syntax Description
crypto ca crl request trustpoint-label source-file

trustpoint-label    Specifies the name of the trust point. The maximum size is 64 characters.
source-file         Specifies the location of the CRL in the form bootflash:filename. The maximum size is 512.

Defaults
None.

Command Modes
Configuration mode.

Command History
Release    Modification
3.0(1)     This command was introduced.

Usage Guidelines
Cisco MDS SAN-OS allows you to pre-download CRLs for the trust points and cache the CRLs in the cert store using the crypto ca crl request command. During the verification of a peer certificate by IPsec/IKE or SSH, the issuer CA's CRL is consulted only if it has already been configured locally and revocation checking is configured to use CRL. Otherwise, CRL checking is not done and a certificate is considered to be not revoked if no other revocation checking methods are configured. This mode of CRL checking is called CRL optional.

The other modes of revocation checking are called CRL best-effort and CRL mandatory. In these modes, if the CRL is not found locally, there is an attempt to fetch it automatically from the CA. These modes are not supported in MDS SAN-OS release 3.0(1).

The CRL file specified should contain the latest CRL in either Privacy Enhanced Mail (PEM) format or Distinguished Encoding Rules (DER) format.

Note
The trust point configuration (created by the crypto ca trustpoint command) is persistent only if saved explicitly using the copy running-config startup-config command. The certificates and CRL associated with a trust point are automatically made persistent if the trust point in question was already saved in the startup configuration. Conversely, if the trust point was not saved in the startup configuration, the certificates and CRL associated with it are not made persistent automatically because they do not exist without the corresponding trust point after the switch reboots.

To ensure that the configured certificates, CRLs, and key pairs are made persistent, always save the running configuration to the startup configuration.

Cisco MDS 9000 Family Command Reference, Chapter 4: C Commands
OL-8413-07, Cisco MDS SAN-OS Release 3.x
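A pre-load check for the CRL optional mode described in the usage guidelines, as an added example (not Cisco code): the switch consults only the locally cached CRL, so a file that is out of date misses newer revocations. It is meant to run on a workstation before the file is copied to bootflash. The function names and the sample CRL are constructed for illustration, and the CRL signature is not verified.

```python
import base64, re
from datetime import datetime, timezone

PEM = re.compile(rb"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", re.S)
TIME_FMT = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}  # UTCTime, GeneralizedTime

def to_der(data):  # the command accepts PEM or DER; normalise both to DER bytes
    m = PEM.search(data)
    return base64.b64decode(m.group(1)) if m else data

def tlv(buf, pos):
    """Read one DER element at pos: return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def crl_validity(data):
    """Return (thisUpdate, nextUpdate or None) from a PEM or DER CRL."""
    tbs = tlv(tlv(to_der(data), 0)[1], 0)[1]  # CertificateList -> TBSCertList
    pos = tlv(tbs, 0)[2] if tbs[:1] == b"\x02" else 0  # optional version
    for _ in range(2):  # skip signature algorithm and issuer name
        pos = tlv(tbs, pos)[2]
    times = []
    while pos < len(tbs) and tbs[pos] in TIME_FMT and len(times) < 2:
        tag, val, pos = tlv(tbs, pos)
        stamp = datetime.strptime(val.decode("ascii"), TIME_FMT[tag])
        times.append(stamp.replace(tzinfo=timezone.utc))
    if not times:
        raise ValueError("no thisUpdate: not an X.509 CRL")
    return times[0], times[1] if len(times) > 1 else None

def preload_status(data, now):  # classify a CRL file before caching it
    this_update, next_update = crl_validity(data)
    if this_update > now:
        return "not-yet-valid"
    if next_update is None:
        return "no-nextUpdate"
    return "stale" if next_update <= now else "current"

# Constructed sample: unsigned CRL skeleton, structure only (not a real CRL).
_el = lambda tag, body=b"": bytes([tag, len(body)]) + body
def sample_crl(this_upd, next_upd):
    tbs = _el(2, b"\x01") + _el(0x30) * 2 + _el(0x17, this_upd) + _el(0x17, next_upd)
    return _el(0x30, _el(0x30, tbs) + _el(0x30) + _el(3, b"\x00"))
```

Anything other than "current" is a reason to fetch a fresh CRL from the CA before running crypto ca crl request.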