When deploying VPNs with certificate-based authentication, managing certificate validity is critical. Cisco routers offer Online Certificate Status Protocol (OCSP) support, allowing real-time revocation checking for digital certificates. This post explores how OCSP functions within Cisco environments and how to address common certificate matching issues using certificate maps.

Understanding OCSP

OCSP provides a method for checking whether a certificate has been revoked without needing to download the entire Certificate Revocation List (CRL). When a certificate includes an OCSP URL, it allows routers to query that OCSP responder directly to validate certificate status. Cisco routers use this embedded URL to ensure that peer certificates are still valid before allowing secure communication.

In the certificate, the OCSP URL is carried in the “Authority Information Access” extension. This field references the OCSP responder, usually in the form http://OCSP_server/ocsp, and is visible in most certificate viewers.

Configuring Cisco Routers to Use OCSP

To enable OCSP-based revocation checks on a Cisco router, configure the trustpoint as follows:

crypto pki trustpoint trustpoint-name
revocation-check ocsp

Optionally, you can override the OCSP URL embedded in the certificate with a specific responder. The override is a subcommand of the same trustpoint:

crypto pki trustpoint trustpoint-name
ocsp url http://custom_OCSP_URL

For troubleshooting OCSP behavior and revocation checking, use:

debug crypto pki transactions
debug crypto pki validation

This helps identify whether OCSP requests are being sent and how the responses are handled.

Resolving Certificate Matching Errors with Certificate Maps

A common issue in IKEv2 certificate-based authentication is the %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH error. This happens when the router expects the certificate identity to match by IP address but instead finds a Fully Qualified Domain Name (FQDN). To address this mismatch, Cisco allows the use of certificate maps to define how the identity should be matched.

Creating a Certificate Map

To configure a certificate map, use the following:

crypto pki certificate map cert-map-name seq-num

Within the map, you can match various attributes such as:

  • alt-subject-name
  • default
  • expires-on
  • issuer-name
  • name
  • serial-number
  • subject-name
  • unstructured-subject-name
  • valid-start

To match against a distinguished name (DN) that contains specific text, such as “ccie.security”, use:

subject-name co ccie.security

This tells the router to match any certificate whose DN contains the substring “ccie.security”.

Integrating Certificate Maps with IKEv2

After configuring your certificate map, apply it within your IKEv2 profile. The default matching behavior typically checks for the peer’s IP address. You’ll need to disable this default and use your certificate map instead:

crypto ikev2 profile default
no match identity remote address 0.0.0.0
match certificate cert-map-name

If you also want your local router to use its own DN as its identity, configure:

identity local dn

This ensures the router presents its certificate DN when initiating VPN negotiations.
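As an added example that is not part of the original post, the pieces described above assembled into one working configuration: a trustpoint with OCSP checking, a certificate map, and an IKEv2 profile that matches on the map instead of the peer address. The names LAB-CA, CCIE-SEC-MAP and IKEV2-CERT and the example.test URLs are assumed placeholders.

```cisco
! Trustpoint: OCSP revocation checking with an explicit responder URL.
! With "revocation-check ocsp" alone, a peer certificate is rejected when
! the responder cannot be reached (fail-closed). Appending "none" as a
! second method would allow validation to continue without a revocation
! check when the responder is down; do this only if that risk is accepted.
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.test:80
 subject-name CN=r1.ccie.security,OU=lab,O=example
 revocation-check ocsp
 ocsp url http://ocsp.example.test/ocsp
!
! Certificate map: matches any peer certificate whose subject DN contains
! the substring ccie.security (co = contains).
crypto pki certificate map CCIE-SEC-MAP 10
 subject-name co ccie.security
!
! IKEv2 profile: the peer is selected by certificate map rather than by
! "match identity remote address", so a peer presenting an FQDN identity
! no longer triggers %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH. The local
! identity is the router's own certificate DN.
crypto ikev2 profile IKEV2-CERT
 match certificate CCIE-SEC-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LAB-CA
```

Verify the result with show crypto pki certificates and show crypto ikev2 sa, and watch debug crypto pki validation during the first negotiation to confirm the OCSP response is accepted.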

This configuration approach enables robust and flexible certificate-based VPN authentication, leveraging OCSP for real-time revocation checking and certificate maps for customized identity matching.