Configure CA Support on a Cisco Router
Step 1 – manage the non-volatile RAM (NVRAM)

Certificates and certificate revocation lists (CRLs) are used by the router when a CA is used. Normally certain certificates and all CRLs are stored locally in the NVRAM of the router, and each certificate and CRL uses a moderate amount of memory.

The following certificates are normally stored on the router:

  • The certificate of the router
  • The certificate of the CA
  • Root certificates obtained from CA servers. All root certificates are saved in RAM after the router has been initialized.
  • Two RA certificates, if the CA supports an RA

In some cases, storing certificates and CRLs locally presents no problem. In others, memory can become an issue if a large number of certificates and CRLs end up stored on the router, because together they can consume a large amount of NVRAM space.

To save NVRAM space, the router can be configured so that certificates and CRLs are not stored locally but are retrieved from the CA when needed. This saves NVRAM space but can have a slight performance impact.

To specify that certificates and CRLs should not be stored locally on the router, but should be retrieved when required, turn on query mode by using the crypto ca certificate query command in global configuration mode.

NOTE:

Query mode may affect availability if the CA is down.

If query mode is not turned on initially, it can be turned on later even if certificates and CRLs have already been stored on the router. In this case, when query mode is turned on, the stored certificates and CRLs will be deleted from the router after the configuration is saved. If the configuration is copied to a TFTP site prior to turning on query mode, stored certificates and CRLs will be saved at the TFTP site.

If query mode is turned on initially, it can be turned off later. If query mode is turned off later, the copy system:running-config nvram:startup-config command can be issued beforehand to save all current certificates and CRLs to NVRAM. Otherwise, they could be lost during a reboot and would need to be retrieved the next time the router needed them.
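Both procedures above, shown as a single IOS CLI session in the order that avoids losing stored certificates and CRLs. This is an added example, not taken from the original page; the TFTP server address 192.0.2.10 and the backup filename are placeholders.

```cisco
! --- Turning query mode on after certificates and CRLs are already stored ---
! Back up the configuration to TFTP first: once query mode is on and the
! configuration is saved, the locally stored certificates and CRLs are deleted.
Router# copy running-config tftp:
Address or name of remote host []? 192.0.2.10
Destination filename [router-confg]? router-pre-query.cfg
Router# configure terminal
Router(config)# crypto ca certificate query
Router(config)# end
Router# copy system:running-config nvram:startup-config
! Check that query mode is part of the saved configuration.
Router# show running-config | include crypto ca certificate query

! --- Turning query mode off again later ---
! Save the certificates and CRLs currently held by the router to NVRAM
! *before* disabling query mode, or they are lost at the next reload.
Router# copy system:running-config nvram:startup-config
Router# configure terminal
Router(config)# no crypto ca certificate query
Router(config)# end
Router# copy system:running-config nvram:startup-config
! Confirm which router, CA and RA certificates the router now holds locally.
Router# show crypto ca certificates
```

The show commands at the end of each half are the checks to run before a reload: the first confirms query mode survived the save, the second lists the certificates the router will have available without contacting the CA.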