DNAC Certificate CRL LDAP Failed

Turbo727 (Level 1)

We used the DNAC GUI to generate a CSR and signed the certificate using our internal CA. It looks successful; however, on the DNAC-managed switches I saw this error message. Could anyone help me understand it?

%PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=Internal-CA(3),CN=SCertAuth01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed

2 Accepted Solutions

I guess there is a more relevant source to check:

[attached screenshot: andydoesntlikeuucp_0-1714387945256.png]

maflesch (Cisco Employee)

As Andy pointed out, if you include CRL links in the system cert that is uploaded to the Cisco Catalyst Center GUI, those get pushed to the device as part of the telemetry push that updates the DNAC-CA trustpoint on the network device. At that point the network device will attempt to reach the CRL to confirm the certificate is still good and not revoked. If the network device cannot resolve or access any of the CRL URLs listed, it will generate the syslog you see.

You have to be careful with this, as there are IOS-XE defects that cause high system load on the network device if the CRL is not reachable. The screenshot Andy shared is from the Cisco Catalyst Center GUI: Menu → Design → Network Settings → Security and Trust. Starting in 2.3.5.x you can change the revocation check to None for a particular site or for all sites. This gets pushed to the DNAC-CA trustpoint, so that even if a CRL is listed, no check is performed.

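The answer above explains that the CRL URLs carried in the system certificate are what the switch tries to fetch. Before choosing between making the CRL reachable and setting the revocation check to None, it helps to see exactly what the device was asked to retrieve. The following Python script is an added example, not code from this thread or from Cisco: it filters %PKI-4-CRL_LDAP_QUERY lines out of a syslog feed (the message format is taken from the line quoted in the question), decomposes the LDAP URL per RFC 4516, and flags the case shown in the question, an Active Directory CDP that names no LDAP server at all. The sample log, the regex and the helper names are this example's own; only the first log line is from the post.

```python
"""Pull the CRL distribution point (CDP) out of IOS-XE %PKI-4-CRL_LDAP_QUERY
syslog lines and decompose it, so you can see what the switch was asked to
fetch before deciding between fixing reachability and disabling the check.

Added example; not code from the forum thread or from Cisco. Uses only the
Python standard library. The syslog text format is taken from the message
quoted in the original post; the regex and helpers are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample log. The first line is the message quoted in the
# original post; the other two are constructed here (one unrelated message
# the filter must ignore, and one LDAP variant with an explicit host).
SAMPLE_SYSLOG = """\
%PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=Internal-CA(3),CN=SCertAuth01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
%SYS-5-CONFIG_I: Configured from console by vty0
%PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap://ldap.test.internal:389/CN=Internal-CA(3),CN=SCertAuth01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
"""

# Matches the message format quoted in the post. The URL contains no spaces
# because LDAP URLs percent-encode them, so \S+ captures it whole.
CRL_LDAP_QUERY = re.compile(
    r"%PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from "
    r"(?P<url>\S+) using LDAP has failed"
)

# Container under which Active Directory Certificate Services publishes CRLs.
AD_CDP_CONTAINER = "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,"


@dataclass
class LdapCdp:
    host: str              # "" for ldap:/// (the URL names no server)
    port: Optional[int]
    dn: str                # percent-decoded base DN
    attributes: List[str]
    scope: str
    filter: str


def cdp_urls_from_syslog(text: str) -> List[str]:
    """Return every CDP URL reported by a %PKI-4-CRL_LDAP_QUERY line."""
    return [m.group("url") for m in CRL_LDAP_QUERY.finditer(text)]


def parse_ldap_url(url: str) -> LdapCdp:
    """Decompose an RFC 4516 LDAP URL:
    ldap://[host[:port]]/dn[?attributes[?scope[?filter]]]"""
    if not url.lower().startswith("ldap://"):
        raise ValueError(f"not an LDAP URL: {url}")
    authority, _, path = url[len("ldap://"):].partition("/")
    host, _, port = authority.partition(":")
    parts = path.split("?")
    dn = unquote(parts[0])
    attrs = [a for a in unquote(parts[1]).split(",") if a] if len(parts) > 1 else []
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"  # RFC 4516 default
    flt = unquote(parts[3]) if len(parts) > 3 else ""
    return LdapCdp(host, int(port) if port else None, dn, attrs, scope, flt)


def is_hostless_ad_cdp(cdp: LdapCdp) -> bool:
    """True when the CDP is an AD-published CRL object and the URL names no
    LDAP server. RFC 4516 leaves server selection to the client in that case;
    a domain-joined Windows host resolves it through the directory, but a
    network device has no such knowledge, so this CDP is unusable from it."""
    return cdp.host == "" and AD_CDP_CONTAINER in cdp.dn


def ca_name(cdp: LdapCdp) -> str:
    """Leftmost RDN value, e.g. 'Internal-CA(3)' (the numeric suffix is the
    CRL name suffix AD CS adds after a CA key renewal)."""
    return cdp.dn.split(",", 1)[0].split("=", 1)[1]


def triage(text: str) -> List[dict]:
    """One record per failed CDP describing what the device tried to fetch."""
    out = []
    for url in cdp_urls_from_syslog(text):
        cdp = parse_ldap_url(url)
        out.append({
            "ca": ca_name(cdp),
            "host": cdp.host or "(none)",
            "scope": cdp.scope,
            "hostless_ad_cdp": is_hostless_ad_cdp(cdp),
        })
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_SYSLOG):
        print(rec)
```

Run against the line from the question, the first record shows host "(none)" and hostless_ad_cdp True: the certificate's only CDP is an LDAP object inside the AD configuration partition with no server named, which is something a switch can never query. The practical choices are the two the answer above implies: publish the CRL at a URL the switches can actually reach (an HTTP CDP is the usual way, which is a practitioner suggestion rather than something stated in the thread), or set the revocation check to None in Security and Trust and push it to the DNAC-CA trustpoint. Bear in mind that the second option stops the device from ever noticing a revoked certificate, so treat it as a way to stop the syslog noise and the load issue, not as a security equivalent.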
