Certificates and certificate revocation lists (CRLs) are used by the router
when a CA is used. Normally, certain certificates and all CRLs are stored
locally in the NVRAM of the router, and each certificate and CRL uses a
moderate amount of memory.
The following certificates are normally stored on the router:
- The certificate of the router
- The certificate of the CA
- Root certificates obtained from CA servers. All root certificates are saved
in RAM after the router has been initialized.
- Two RA certificates, if the CA supports a registration authority (RA)
In some cases, storing certificates and CRLs locally will not present a
problem. However, in other cases, memory might become an issue if a large
number of certificates and CRLs end up being stored on the router. These
certificates and CRLs can consume a large amount of NVRAM space.
To save NVRAM space, the router can be configured so that certificates and
CRLs are not stored locally but are retrieved from the CA when needed. This
saves NVRAM space but can have a slight performance impact, because the router
must fetch a certificate or CRL from the CA each time it needs one.
To specify that certificates and CRLs should not be stored locally on the
router but should be retrieved when required, turn on query mode by using the
crypto ca certificate query command in global configuration mode.
NOTE: Query mode may affect availability if the CA is down. In query mode the
router fetches certificates and CRLs from the CA at the moment it needs them,
so while the CA is unreachable the router cannot validate a peer's certificate
and the negotiation that needed it fails.
If query mode is not turned on initially, it can be turned on later, even
if certificates and CRLs have already been stored on the router. In this case,
when query mode is turned on, the stored certificates and CRLs are deleted from
the router after the configuration is saved. If the configuration is copied to
a TFTP server before query mode is turned on, the stored certificates and CRLs
are preserved in that copy. Note that the copy contains the entire
configuration and that TFTP provides neither authentication nor encryption, so
use it only over a trusted management network.
If query mode is turned on initially, it can be turned off later. After
query mode is turned off, issue the copy system:running-config
nvram:startup-config command before any reboot to save all current
certificates and CRLs to NVRAM. Otherwise they could be lost during a reboot
and would need to be retrieved the next time they were needed by the router.
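The two procedures above (turning query mode on after certificates are already stored, and turning it off again without losing them across a reboot), shown as an added CLI session. This is an illustrative example and not part of the original page; the hostname, prompts, the TFTP server address 192.0.2.10 and the backup file name are assumed values, and the show commands are included as the checks a practitioner would run after each step.

```cisco
! Added example, not from the original page. Hostname, TFTP address and file
! name are assumed values.

! --- Turning query mode on when certificates and CRLs are already stored ---

! 1. Back up the configuration, including the stored certificates and CRLs,
!    before they are deleted. TFTP is unauthenticated and unencrypted, so do
!    this only over a trusted management network.
Router# copy system:running-config tftp://192.0.2.10/router-before-query.cfg

! 2. Turn on query mode and save the configuration. The stored certificates
!    and CRLs are removed from NVRAM once the configuration is written.
Router# configure terminal
Router(config)# crypto ca certificate query
Router(config)# end
Router# copy system:running-config nvram:startup-config

! 3. Check that query mode is in the running configuration and see which
!    certificates the router currently holds in memory.
Router# show running-config | include crypto ca certificate query
Router# show crypto ca certificates

! --- Turning query mode off again later ---

! 4. Remove the command, then write the configuration before any reboot so
!    that the certificates and CRLs currently in memory are saved to NVRAM.
Router# configure terminal
Router(config)# no crypto ca certificate query
Router(config)# end
Router# copy system:running-config nvram:startup-config

! 5. Confirm the certificates are present; they will now survive a reload.
Router# show crypto ca certificates
```

On IOS releases where the `crypto ca` command family has been renamed to `crypto pki`, the same sequence applies with `crypto pki certificate query` and `show crypto pki certificates`.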