Security

  • 1.  ClearPass CRL error: Different CRL Scope

    Posted Feb 03, 2020 07:07 AM

    Hi Community,

    A customer is facing an issue with CRLs in ClearPass. He has an offline Root-CA and an online Sub-CA on a Microsoft server. Certificate-based LAN auth is working fine until you load the CRLs into ClearPass. There is an error in the logs:

    verify error:num=44:Different CRL scope

    I found some sources stating that the DP entry in the cert and the IDP entry in the CRL must match. I verified that both URLs are the same.

    Any clue how to fix this?



  • 2.  RE: ClearPass CRL error: Different CRL Scope

    Posted Sep 25, 2023 09:56 AM

    Hi. I got a similar problem. Did you find out what the problem was and solve it?




  • 3.  RE: ClearPass CRL error: Different CRL Scope

    Posted Oct 16, 2023 11:45 PM
    Edited by ccalhoun Oct 16, 2023 11:45 PM

    Any solutions here? I also have the same problem, which just started after the Enterprise CA setup was migrated to MS Server 2019.




  • 4.  RE: ClearPass CRL error: Different CRL Scope

    Posted Oct 02, 2024 11:18 AM

    I'm not sure if this is the best fix, but there is a workaround at least.

    You need to disable the checking of the validity of all certs in the chain against CRLs.

    Browse to Administration > Server Manager > Server Configuration > click on the server.

    Browse to Service Parameters > Radius Server.

    Set "Check the validity of all certificates in the chain against CRLs" to False.

    After this it allows connections. Not sure what the security impact of this would be.
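An added diagnostic, not from this thread or from ClearPass: it pulls the CDP URIs out of a certificate and the IDP URIs out of a CRL with the openssl CLI and applies the same scope rule OpenSSL itself uses, so the mismatch behind the num=44 error in post 1 can be confirmed (or ruled out) before falling back to the workaround in reply 4. File names and the pki.example.test URIs are placeholders.

```shell
#!/bin/sh
# Compare a certificate's CRL Distribution Point (CDP) URIs with the Issuing
# Distribution Point (IDP) of the CRL. OpenSSL accepts a CRL for a certificate
# only if the CRL has no IDP, or at least one CDP name is byte-identical to an
# IDP name; otherwise it reports "verify error:num=44:Different CRL scope".
# Added example for this thread, not ClearPass code; file names are placeholders.

# Print the URIs under one X509v3 extension heading of "openssl x509 -text" or
# "openssl crl -text" output read from stdin. Both extensions print as
#     X509v3 <heading>: [critical]
#         Full Name:
#           URI:http://pki.example.test/sub-ca.crl
extension_uris() {
    awk -v hdr="X509v3 $1" '
        index($0, hdr)                { inblock = 1; next }   # heading found
        /X509v3 |Signature Algorithm/ { inblock = 0 }         # block ended
        inblock && match($0, /URI:[^ \t]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4)         # strip "URI:"
        }'
}

# Mirror the OpenSSL scope rule on two newline-separated URI lists.
# Exit 0 when the CRL is usable for the certificate, 1 when it is not.
# (The IDP "only CA certs" / "only user certs" flags are not modelled here.)
uris_in_scope() (
    set -f                      # URIs may contain ? and *: no globbing
    cdp="$1"; idp="$2"
    [ -z "$idp" ] && exit 0     # CRL without IDP: no scope restriction
    for uri in $cdp; do
        printf '%s\n' "$idp" | grep -qxF -- "$uri" && exit 0
    done
    exit 1
)

# Report for a PEM certificate and a PEM CRL (add -inform DER for DER files).
crl_scope_report() {
    cdp=$(openssl x509 -in "$1" -noout -text | extension_uris "CRL Distribution Points")
    idp=$(openssl crl  -in "$2" -noout -text | extension_uris "Issuing Distribution Point")
    printf 'certificate CDP:\n%s\nCRL IDP:\n%s\n' "${cdp:-(none)}" "${idp:-(none)}"
    if uris_in_scope "$cdp" "$idp"; then
        echo "scope: OK"
    else
        echo "scope: MISMATCH - expect verify error 44 (Different CRL scope)"
    fi
}

# Usage: sh crlscope.sh client.pem sub-ca.crl
# Full reproduction, checking every chain certificate as ClearPass does by default:
#   openssl verify -crl_check_all -CAfile chain.pem -CRLfile sub-ca.crl client.pem
# (-crl_check, leaf only, is the OpenSSL analogue of the workaround in reply 4.)
[ "$#" -eq 2 ] && crl_scope_report "$1" "$2"
```

Because OpenSSL compares the names byte for byte, a CDP that differs from the IDP only in letter case or a trailing slash still counts as a different scope.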