Configure CA Support on a Cisco Router
Step 9 – monitor and maintain CA interoperability

The tasks shown in the figure are optional, depending on the particular requirements of the VPN implementation.

Request a Certificate Revocation List
A CRL can be requested manually only if the CA does not support an RA; the information in this section applies only to that case.

When the router receives a certificate from a peer, the router will download a CRL from the CA. The router then checks the CRL to make sure the certificate that the peer sent has not been revoked. If the certificate appears on the CRL, the router will not accept the certificate and will not authenticate the peer.

With CA systems that support RAs, multiple CRLs exist, and the certificate of the peer indicates which CRL applies and should be downloaded by the router. If the router does not have the applicable CRL and is unable to obtain one, the router rejects the certificate of the peer, unless the crl optional command is used in the configuration. If the crl optional command is used, the router still tries to obtain a CRL, but if it cannot obtain one it can still accept the certificate of the peer.

A CRL can be reused with subsequent certificates until the CRL expires if query mode is off. If the router receives a certificate from a peer after the applicable CRL has expired, the router will download the new CRL.

When the router receives additional certificates from peers, the router continues to attempt to download the appropriate CRL, even if it was previously unsuccessful, and even if the crl optional command is enabled. The crl optional command only specifies that when the router cannot obtain the CRL, the router is not forced to reject a certificate of a peer outright.

If the router has a CRL that has not yet expired, but the contents of the CRL are suspected to be out of date, the latest CRL can be downloaded immediately to replace the old one. To request immediate download of the latest CRL, use the crypto pki crl request name command in global configuration mode. This command replaces the CRL currently stored on the router with the newest version of the CRL.
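The following IOS session is an added example, not a figure from the course material, showing the two CRL-related settings discussed above: making CRL retrieval optional under the trustpoint and forcing an immediate CRL refresh. The trustpoint name VPN-CA, the hostnames and the displayed output are constructed for illustration. The crl optional trustpoint subcommand is the one the text names; on newer IOS releases the same behaviour is configured with revocation-check crl none, and the show output shown here is illustrative only.

```cisco
! Added example (not from the course figure). Trustpoint name "VPN-CA" is assumed.

! --- Permissive setting: accept a peer certificate when no CRL can be fetched ---
! Use this only where the VPN must stay up even if the CRL distribution point
! is unreachable; the router still attempts the download on every new peer.
Router# configure terminal
Router(config)# crypto pki trustpoint VPN-CA
Router(ca-trustpoint)# crl optional
Router(ca-trustpoint)# exit

! --- Strict setting (default): reject the peer certificate if no CRL is available ---
Router(config)# crypto pki trustpoint VPN-CA
Router(ca-trustpoint)# no crl optional
Router(ca-trustpoint)# exit

! --- Force an immediate refresh of a CRL that is still valid but suspected stale ---
! Replaces the stored CRL for this trustpoint with the newest copy from the CA.
Router(config)# crypto pki crl request VPN-CA
Router(config)# end

! --- Verify what the router now holds (output is illustrative) ---
Router# show crypto pki crls
CRL Issuer Name:
    cn=VPN-CA,o=example
    LastUpdate: 10:00:00 UTC Jan 1 2024
    NextUpdate: 10:00:00 UTC Jan 8 2024
    Retrieved from CRL Distribution Point:
      ** CDP Not Published - Retrieved via SCEP
```

Operationally, prefer the strict default and only relax it on a trustpoint where the CRL distribution point is known to be intermittently reachable; with crl optional in place, an attacker holding a revoked but not yet expired certificate is accepted for exactly as long as the router cannot reach the CA.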

Delete RSA Keys from the Router
Under certain circumstances it may be necessary to delete the RSA keys that were generated for the router. For example, if the RSA keys are believed to be compromised in some way and should no longer be used, the keys should be deleted.

To delete all RSA keys from the router, use the crypto key zeroize rsa command in global configuration mode. After the RSA keys are deleted, the CA administrator should be asked to revoke the certificates for the router at the CA. It will be necessary to supply the challenge password created when the certificates were obtained with the crypto pki enroll command. The certificates should also be manually removed from the router configuration.

Delete Certificates from the Configuration

If the need arises, certificates that are saved on the router can be deleted. The router saves its own certificates, the certificate of the CA, and any RA certificates, unless the router is in query mode.

To delete the certificate of the router or the RA certificates from the configuration, use the commands shown in the figure, beginning in global configuration mode.

Delete Public Keys of Peers
Under certain circumstances it may be necessary to delete the RSA public keys of peer devices from the router configuration. For example, if the integrity of a peer public key is in doubt, the key should be deleted. To delete the RSA public key of a peer, use the commands shown in the figure, beginning in global configuration mode.

To delete the CA certificate, the entire CA trustpoint must be removed. This also removes all certificates associated with the CA, including the certificate belonging to the router, the CA certificate, and any RA certificates. To remove a CA trustpoint, use the no crypto pki trustpoint name command in global configuration mode.
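The session below is an added example, not a figure from the course, covering the three removal procedures described in this section in the order a compromise response would use them: zeroizing the router's RSA keys, removing individual certificates from the configuration, removing a peer's RSA public key, and finally removing the whole trustpoint. The trustpoint name VPN-CA, the peer key name branch-rtr, the certificate serial number and all displayed output are constructed placeholders; the serial number must be read from show crypto pki certificates on the actual router.

```cisco
! Added example (not from the course figure). VPN-CA, branch-rtr and the
! serial number 0x1F are assumed placeholders.

! --- 1. Zeroize the router's RSA key pair (for example after suspected compromise) ---
! After this, have the CA administrator revoke the router's certificates;
! the challenge password from the original enrollment will be required.
Router# configure terminal
Router(config)# crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes

! --- 2. Remove a specific certificate from the configuration ---
! First find its serial number (output is illustrative).
Router(config)# do show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 1F
  Associated Trustpoints: VPN-CA
! Then delete that certificate from the trustpoint's certificate chain.
Router(config)# crypto pki certificate chain VPN-CA
Router(config-cert-chain)# no certificate 1F
% Are you sure you want to remove the certificate [yes/no]? yes
Router(config-cert-chain)# exit

! --- 3. Remove a peer's manually configured RSA public key ---
! named-key is used for keys stored by hostname; addressed-key for keys
! stored by IP address.
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# no named-key branch-rtr
Router(config-pubkey-chain)# exit

! --- 4. Remove the CA trustpoint entirely ---
! This deletes the CA certificate, the router's own certificate(s) and any
! RA certificates associated with the trustpoint in one step.
Router(config)# no crypto pki trustpoint VPN-CA
% Removing an enrolled trustpoint will destroy all certificates
 received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
Router(config)# end
Router# write memory
```

Steps 2 and 3 are the selective options; step 4 is the blunt one, so confirm that no other IPsec or SSH configuration still references the trustpoint before removing it, and save the configuration afterwards so the deleted keys and certificates do not reappear after a reload.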