Question 220 of 490 from exam 400-051: CCIE Collaboration

Prev Question Next Question

Question

Refer to the exhibit.

Jan 29 17:
Jan 29 17:
Jan 29 17:
query CRL.
Jan 29 17:
Jan 29 17:
Jan 29 17:
Jan 29 17:
Jan 29 17:

5 45
45
sa

5 P45
45
45
45
B44

01.
01.
01.

01.
01.
01.
01.
01.

tos:
tose
Es Hd

tos:
tose
tose
tose
2S:

CRYPTO_PKI:
CRYPTO_PKI:
CRYPTO_PKI:

CRYPTO_PKI:
PKI:
CRYPTO_PKI:
PKI:

CRYPTO.

CRYPTO.

CRYPTO_PKI:

(A0076) Starting CRL revocation check
Matching CRL not found
(A0076) CDP does not exist. Use SCEP to

pki request queued properly
Revocation check is complete, 0

Revocation status = 3

status = 0: poll CRL

Remove session revocation service providers

CRYPTO_PKI: Bypassing SCEP capabilies request 0

Jan 29 17:32:01.723: CRYPTO_PKI:
Jan 29 17:32:01.723: CRYPTO_PKI:
Jan 29 17:32:01.723: CRYPTO_PKI:
Jan_29 17:32:01.723: CRYPTO_PKI:

callback received status

Jan 29 17:32:01.723: CRYPTO_PKI:

status = 0: failed to create GetCRL
enrollment url not configured

transaction GetCRL completed

status = 106: Blocking chain verification

(a0076) Certificate validation failed

The public key infrastructure debugs are generated on a Cisco IOS VPN router for a failed certification validation on an incoming connection from an IP phone client.

Which option is a possible solution for this problem?

Answers

A. Define a matching Certification Revocation List on the Cisco IOS VPN router.

B. Define a Certification Revocation List in the IP phone certificate.

C. Disable revocation check for the trustpoint.

D. Define an enrollment URL for the trustpoint.

E. Define a matching Certification Revocation List on the Cisco Unified Communications Manager.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D. E.

When a certificate is issued, it is valid for a fixed period of time.

Sometimes a CA revokes a certificate before this time period expires; for example, due to security concerns or a change of name or association.

CAs periodically issues a signed list of revoked certificates.

Enabling revocation checking forces the IOS router to check that the CA has not revoked a certificate every time it uses that certificate for authentication.

When you enable revocation checking during the PKI certificate validation process, the router checks certificate revocation status.

It can use either CRL checking or Online Certificate Status Protocol or both, with the second method you set in effect only when the first method returns an error, for example, that the server is unavailable.

With CRL checking, the router retrieves, parses, and caches Certificate Revocation Lists, which provide a complete list of revoked certificates.

OCSP offers a more scalable method of checking revocation status in that it localizes certificate status on a Validation Authority, which it queries for the status of a specific certificate.

Prev Question Next Question