Failed to obtain CRLs

CRLs cannot be obtained.

• The network connection is down, for example, because the network cable is damaged or the connectors have bad contact.

• The PKI domain does not have a CA certificate before you try to obtain CRLs.

• The URL of the CRL repository is not configured and cannot be obtained from the CA certificate or local certificates in the PKI domain.

• The specified URL of the CRL repository is incorrect.

• The device tries to obtain CRLs through SCEP, but it experiences the following problems:

  • The PKI domain does not have local certificates.

  • The key pairs in the certificates have been changed.

  • The PKI domain has incorrect URL for certificate request.

• The CRL repository uses LDAP for CRL distribution. However, the IP address or host name of the LDAP server is neither contained in the CRL repository URL nor configured in the PKI domain.

• The CA does not issue CRLs.

• The CA server does not accept the source IP address specified in the PKI domain, or no source IP address is specified.

1. Fix the network connection problems, if any.

2. Obtain or import the CA certificate.

3. If the URL of the CRL repository cannot be obtained, verify that the following conditions exist:

   • The URL for certificate request is valid.

   • A local certificate has been successfully obtained.

   • The local certificate contains a public key that matches the locally stored key pair.

4. Make sure the LDAP server address is contained in the CRL repository URL, or is configured in the PKI domain.

5. Make sure the CA server support publishing CRLs.

6. Specify a correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.

7. If the problem persists, contact Hewlett Packard Enterprise Support.