Firepower CRL
This document describes a CRL download between a Windows 2019 Server and a Firepower 7.0 in 3 steps. For me the Cisco documentation was difficult to understand, therefore I created my own how-to.
Step 1 - Windows CA
First you need to setup the Active Directory and then the Certificate Authority.
The Certificate Authority Web Enrollment Service must be installed for CRL download.
After the installation the CA must be configured.
You can reach the CA Server with http://localhost/certsrv/.
For the machine certificates you need to create a certificate template.
Click on Certificate Templates -> Manage.
Then, on the Subject Name tab, check DNS name and UPN.
In the security tab give access to Domain Computers for enrollment.
Then save as new template.
The template must also be enabled in the group policy.
You can use the default group policy or build a new one. In the default policy the changes will be applied to everyone.
In Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies open "Certificate Services Client - Auto-Enrollment".
Switch it to Enabled.
The policy is applied to the Windows clients periodically. You can enforce it immediately with the command "gpupdate.exe /force".
Step 2 - IIS Website to download the CRL
The Firepower must be able to download the CRL over a web link, therefore you need to create a download site on the Windows Server.
There is a good document from Cisco about configuring the Windows Server to publish the CRL.
Here is my setup:
In the Server Administration Window choose IIS Manager.
1: Create a new directory named crldistribution in the root of the C drive.
2: Right click it, Properties -> Sharing -> Advanced Sharing button.
3: Enable "Share this folder".
4: Grant permissions on this directory (4 steps) and add the Windows Server to the list.
5: Create an IIS site to download the CRL.
Start the IIS configuration page and add a virtual directory to the "Default Web Site".
Choose an alias and use the created directory as the physical path.
6: Choose Directory Browsing and afterwards click Enable.
7: Open the Configuration Editor and set allowDoubleEscaping to true.
8: Configure the Microsoft CA Server to publish the CRL files:
Properties -> Extensions -> and then add the share which was created before.
Also insert the CaName and the CRLNameSuffix variables.
When you are asked to restart the Active Directory, click "yes".
Under Revoked Certificates click "Publish" and check that the file was created in the crldistribution directory.
Step 3 - Configure Firepower
First of all you need to create a new certificate enrollment for the Firepower.
Go to Objects -> PKI -> Cert Enrollment and click Add.
The Enrollment Type is manual; copy the CA certificate (its public key) into the CA Certificate field.
Enable revocation checking (CRL) and paste the CRL download link.
This will create the following Firepower configuration:
crypto ca trustpoint fp-any
revocation-check crl none
enrollment terminal
fqdn fp.labs.local
subject-name OU=lab,O=it,CN=fp.lab.local,ST=germany,C=de
ip-address 172.16.1.62
keypair <Default-RSA-Key>
match certificate FMCAutoGeneratedMatchAllCertMap override cdp 1 url http://172.16.1.55/CRLD/lab-WIN-GTONO4VKP5R-CA.crl
crl configure
policy both
crypto ca trustpool policy
revocation-check crl
fp# sh cryp ca crls
CRL Issuer Name:
cn=lab-WIN-GTONO4VKP5R-CA,dc=lab,dc=local
LastUpdate: 08:50:08 UTC Jan 20 2022
NextUpdate: 10:25:08 UTC Jan 20 2022
Cached Until: 10:14:23 UTC Jan 20 2022
Retrieved from CRL Distribution Point:
http://172.16.1.55/CRLD/lab-WIN-GTONO4VKP5R-CA.crl
Size (bytes): 817
Last used at: 09:14:23 UTC Jan 20 2022
Associated Trustpoints: fp-any
fp#
fp# sh cryp ca trustpoo po
0 trustpool certificates installed
Trustpool auto import statistics:
Last import result: N/A
Trustpool Policy
Trustpool policy revocation order: crl
CRL cache time: 60 seconds
CRL next update field: required and enforced
Auto import of trustpool certificates is disabled
Policy Overrides:
None configured
fp#
The CRL will be cached for 90 minutes. After the 90 minutes it will be downloaded again the next time someone dials in.
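To check what the Firepower will see from the IIS site, here is an added Python example (not from the original post or from Cisco): a stdlib-only DER parser that pulls thisUpdate, nextUpdate and the revoked serial numbers out of a CRL and applies the trustpool policy shown above, where the next update field is required and enforced. The sample CRL is constructed inside the block (unsigned, with a dummy signature) and only mirrors the timestamps of the "sh cryp ca crls" output; for the real check, feed it the bytes downloaded from the CRLD URL instead.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(buf):  # elements of a SEQUENCE as (tag, value) pairs
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out
def _time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Return (thisUpdate, nextUpdate or None, [revoked serial numbers])."""
    tbs = _children(_tlv(der, 0)[1])[0][1]        # CertificateList -> tbsCertList
    f = _children(tbs)
    i = 3 if f[0][0] == 0x02 else 2               # skip optional version, sigAlg, issuer
    this_update, i = _time(*f[i]), i + 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):    # nextUpdate is OPTIONAL in RFC 5280
        next_update, i = _time(*f[i]), i + 1
    revoked = []
    if i < len(f) and f[i][0] == 0x30:            # revokedCertificates is absent when empty
        for _, entry in _children(f[i][1]):
            revoked.append(int.from_bytes(_children(entry)[0][1], "big"))
    return this_update, next_update, revoked

def crl_acceptable(der, now=None):
    """Firepower policy above: nextUpdate must be present and still in the future."""
    _, next_update, _ = parse_crl(der)
    now = now or datetime.now(timezone.utc)
    return next_update is not None and next_update > now

def _enc(tag, content):  # DER encoder for the constructed sample only (contents < 128 bytes)
    return bytes([tag, len(content)]) + content
def sample_crl():
    """Constructed CRL (hypothetical): v2, empty issuer, serial 0x1001 revoked, dummy signature."""
    utc = lambda s: _enc(0x17, s.encode())
    entry = _enc(0x30, _enc(0x02, b"\x10\x01") + utc("220120084500Z"))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x30, b"") + _enc(0x30, b"")
               + utc("220120085008Z") + utc("220120102508Z") + _enc(0x30, entry))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```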