Which statement about CRL configuration is correct?

A. CRL checking is enabled by default.
B. The Cisco ASA relies on HTTPS access to procure the CRL list.
C. The Cisco ASA relies on LDAP access to procure the CRL list.
D. The Cisco Secure ACS can be configured as the CRL server.


5 thoughts on “Which statement about CRL configuration is correct?”

  1. By default OCSP and CRL are disabled:

    sh run all crypto ca trust
    crypto ca trustpoint ASDM-Mgmt
    revocation-check none

    From link below
    The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time for each trustpoint.

    So I guess the question is about the way to get the CRL from the CA. So in this case answer C is correct.

  2. Hi,

    from Cisco Book
    Revocation Check
    On the Revocation Check tab, you have the option to turn off certificate revocation
    checking or leave it at the default of on. However, by default, no revocation-checking
    methods are chosen, and the check box to consider a certificate valid if the CRL cannot
    be retrieved is selected, meaning that all certificates, by default, are considered valid by
    the CA.

    For me the answer is more A.
    It makes more sense to me because they can rely on HTTPS or LDAP, but it's not true that they rely on it by default.

    What do you think?

  3. https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/cert_cfg.html

    CRLs
    CRLs provide the ASA with one way of determining whether a certificate that is within its valid time range has been revoked by the issuing CA. CRL configuration is part of configuration of a trustpoint.

    You can configure the ASA to make CRL checks mandatory when authenticating a certificate by using the revocation-check crl command. You can also make the CRL check optional by using the revocation-check crl none command, which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data.

    The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time for each trustpoint.
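To make the quoted documentation concrete, here is an added ASA CLI example (not from this thread or Cisco's docs): the default trustpoint with revocation checking off, beside a trustpoint that makes the CRL check mandatory and retrieves the CRL over HTTP, with the LDAP variant shown as a third trustpoint. The trustpoint names, hostnames and LDAP DN are assumptions.

```cisco
! Default state (matches comment 1): no revocation check at all, so a
! revoked certificate is still accepted while inside its validity period.
crypto ca trustpoint ASDM-Mgmt
 revocation-check none

! Hardened trustpoint, HTTP retrieval: "revocation-check crl" without the
! "none" fallback fails closed when the CRL cannot be fetched.
crypto ca trustpoint CORP-CA-HTTP
 enrollment terminal
 revocation-check crl
 crl configure
  ! Try the CDP embedded in the certificate first, then the static URL.
  policy both
  url 1 http://crl.example.corp/corp-ca.crl
  ! Re-fetch after 30 minutes and reject a CRL that is past its NextUpdate.
  cache-time 30
  enforcenextupdate

! Same policy, LDAP retrieval (the path answer C refers to). Hostname and
! DN below are assumed placeholders, not real servers.
crypto ca trustpoint CORP-CA-LDAP
 enrollment terminal
 revocation-check crl
 crl configure
  policy static
  protocol ldap
  ldap-defaults ldap.example.corp 389
  url 1 ldap://ldap.example.corp/CN=CORP-CA,CN=CDP,DC=example,DC=corp?certificateRevocationList
  cache-time 30
  enforcenextupdate

! Verify: force a download now and confirm the ASA holds a current CRL.
crypto ca crl request CORP-CA-HTTP
show crypto ca crls
```

If the fetch fails, "show crypto ca crls" will show no cached CRL for that trustpoint and certificate authentication against it will be refused until retrieval succeeds.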
