04-29-2024 03:11 AM
We used the DNAC GUI to generate a CSR and signed the certificate using our internal CA. It looks successful. However, on DNAC-managed switches I saw this error message; could anyone help me understand it?
%PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=Internal-CA(3),CN=SCertAuth01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
04-29-2024 03:52 AM
05-02-2024 10:54 AM
As Andy pointed out, if you include CRL links in your system cert that is uploaded to the Cisco Catalyst Center GUI those get pushed to the device as part of the telemetry push to update the DNAC-CA on the network device. At that point, the network device will attempt to reach out to the CRL to confirm the certificate is still good and not revoked. If the network device cannot resolve or access one/any of the CRL URLs listed, then the network device will generate a syslog stating what you see.
You have to be careful with this as there are IOS-XE defects that cause high system load on the network device if the CRL is not reachable. The screen shot that Andy shared is from the Cisco Catalyst Center GUI: Menu → Design → Network Settings → Security and Trust. Starting in 2.3.5.x you can change the revocation check to None for a particular site or all sites. This will get pushed to the DNAC-CA trustpoint so that even if a CRL is listed, a check is not performed.
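A defender-side check that follows from this answer: since every device carrying the DNAC-CA trustpoint will log %PKI-4-CRL_LDAP_QUERY each time the CRL fetch fails, the syslog collector is the quickest place to see which devices are repeatedly trying, and which CRL distribution point they cannot reach. The script below is an added example, not code from the original thread or from Cisco; it parses collector lines with the standard BSD syslog header (an assumed format, shown in the constructed sample), extracts the CRL URL from the message quoted in the question, and counts failures per device and URL so that a device hammering an unreachable LDAP CDP stands out. The sample lines and hostnames are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Message text is taken from the syslog quoted in the question. The leading
# "Mon DD HH:MM:SS host" framing is the assumed collector format.
CRL_FAIL_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s.*?"
    r"%PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from "
    r"(?P<url>\S+) using LDAP has failed"
)

# Constructed sample: two switches, the LDAP CDP from the question repeated,
# one HTTP CDP (hypothetical URL) and one unrelated message.
LDAP_CDP = (
    "ldap:///CN=Internal-CA(3),CN=SCertAuth01,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=test,DC=internal"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
)
HTTP_CDP = "http://pki.test.internal/crl/Internal-CA(3).crl"
SAMPLE_LINES = [
    f"Apr 29 03:11:02 sw-access-01 1523: *Apr 29 03:11:02.117: %PKI-4-CRL_LDAP_QUERY: "
    f"An attempt to retrieve the CRL from {LDAP_CDP} using LDAP has failed",
    f"Apr 29 03:16:02 sw-access-01 1524: *Apr 29 03:16:02.201: %PKI-4-CRL_LDAP_QUERY: "
    f"An attempt to retrieve the CRL from {LDAP_CDP} using LDAP has failed",
    f"Apr 29 03:12:40 sw-access-02 0881: *Apr 29 03:12:40.009: %PKI-4-CRL_LDAP_QUERY: "
    f"An attempt to retrieve the CRL from {LDAP_CDP} using LDAP has failed",
    f"Apr 29 03:13:10 sw-access-01 1525: *Apr 29 03:13:10.550: %PKI-4-CRL_LDAP_QUERY: "
    f"An attempt to retrieve the CRL from {HTTP_CDP} using LDAP has failed",
    "Apr 29 03:14:00 sw-access-02 0882: *Apr 29 03:14:00.000: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0",
]


def parse_crl_failure(line):
    """Return (host, scheme, decoded_url) for a CRL-failure line, else None."""
    m = CRL_FAIL_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    scheme = url.split(":", 1)[0].lower()
    # Percent-decode so the AD-style DN is readable in reports.
    return m.group("host"), scheme, unquote(url)


def summarize(lines):
    """Count CRL fetch failures per (host, scheme, url)."""
    counts = Counter()
    for line in lines:
        parsed = parse_crl_failure(line)
        if parsed:
            counts[parsed] += 1
    return counts


def hosts_failing_ldap(counts):
    """Devices that tried an ldap:// CDP at least once, sorted by name.

    An LDAP CDP points into the CA's directory; a switch that has no LDAP
    path to it will keep retrying, which is the load pattern the answer warns about.
    """
    return sorted({host for (host, scheme, _url) in counts if scheme == "ldap"})


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for (host, scheme, url), n in sorted(summary.items()):
        print(f"{host:14} {scheme:5} x{n}  {url}")
    print("devices failing on LDAP CDPs:", hosts_failing_ldap(summary))
```

Run it against exported collector logs in place of SAMPLE_LINES. The per-URL split matters because the fix differs: an unreachable CDP can be made reachable (or dropped from the certificate before it is uploaded), whereas setting the revocation check to None, as the answer describes, stops the check entirely for the DNAC-CA trustpoint and so removes the device's ability to notice a revoked certificate.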
04-29-2024 03:33 AM - edited 04-29-2024 03:53 AM
updated
04-29-2024 03:52 AM
I guess there is a more relevant source to check: