Cisco 400-051 exam question: Which option is a possible solution for this problem?
Refer to the exhibit.
The public key infrastructure debugs are generated on a Cisco IOS VPN router for a failed certification validation on an incoming connection from an IP phone client. Which option is a possible solution for this problem?
A. Define a matching Certification Revocation List on the Cisco IOS VPN router.
B. Define a Certification Revocation List in the IP phone certificate.
C. Disable revocation check for the trustpoint.
D. Define an enrollment URL for the trustpoint.
E. Define a matching Certification Revocation List on the Cisco Unified Communications Manager.
Correct Answer: C
Explanation:
When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate before this period expires, for example because of security concerns or a change of name or association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking forces the IOS router to verify, every time it uses a certificate for authentication, that the CA has not revoked it.
When you enable revocation checking during the PKI certificate validation process, the router checks the certificate's revocation status. It can use CRL checking, the Online Certificate Status Protocol (OCSP), or both; when both are configured, the second method is used only if the first returns an error, for example because the server is unavailable.
With CRL checking, the router retrieves, parses, and caches Certificate Revocation Lists, which provide a complete list of revoked certificates. OCSP offers a more scalable method of checking revocation status in that it localizes certificate status on a Validation Authority, which it queries for the status of a specific certificate.
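As an added example (not part of the original question or of Cisco's documentation), the trustpoint configuration that each of the revocation modes described above corresponds to, with the show and debug commands used to confirm which mode is in effect. The trustpoint name, CA URL and OCSP URL are assumed placeholders.

```cisco
! Trustpoint for the IP phone CA; names and URLs are placeholders, not from the question
crypto pki trustpoint PHONE-CA
 enrollment url http://ca.example.invalid:80
 ! Check a cached CRL first; fall back to OCSP only if the CRL fetch returns an error
 revocation-check crl ocsp
 ocsp url http://ocsp.example.invalid
!
! Option C from the question: the router no longer consults CRL or OCSP for this trustpoint,
! so validation succeeds even if the CA has since revoked the phone's certificate.
crypto pki trustpoint PHONE-CA
 revocation-check none
!
! Verification: the trustpoint summary shows the configured revocation methods,
! and the cached CRL (if any) shows whether the router can actually reach the CA.
show crypto pki trustpoints
show crypto pki crls
show crypto pki certificates
! The validation and transaction debugs are the ones that produce output like the exhibit
debug crypto pki validation
debug crypto pki transactions
```

Where the router can reach the CA's CRL distribution point or OCSP responder, keeping `revocation-check crl ocsp` preserves revocation enforcement; `revocation-check none` should be treated as a last resort for an isolated voice segment.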