Certificates and certificate revocation lists (CRLs) are used by your
device when a CA is used. Normally certain certificates and all CRLs are stored
locally in the NVRAM of the device, and each certificate and CRL uses a
moderate amount of memory.
The following certificates are normally stored at your device:
CRLs are normally stored at your device according to the following
- Certificate of your device
- Certificate of the CA
- Root certificates obtained
from CA servers (all root certificates are saved in RAM after the device has
- Two registration authority
(RA) certificates (only if the CA supports an RA)
- If your CA does not
support an RA, only one CRL gets stored in the device.
- If your CA supports an RA,
multiple CRLs can be stored in the device.
In some cases, storing these certificates and CRLs locally will not
present any difficulty. In other cases, memory might become a
problem—particularly if the CA supports an RA and a large number of CRLs have
to be stored on the device. If the NVRAM is too small to store root
certificates, only the fingerprint of the root certificate is saved.
To save NVRAM space, specify that certificates and CRLs should not be
stored locally, but should be retrieved from the CA when needed. This
alternative will save NVRAM space but could result in a slight performance
impact. To specify that certificates and CRLs should not be stored locally on
your device, but should be retrieved when required, enable query mode.
If you do not enable query mode now, you can do it later even if
certificates and CRLs have are already stored on the device. In this case, when
you enable query mode, the stored certificates and CRLs are deleted from the
device after you save the configuration. (If you copy the configuration to a
TFTP site prior to enabling query mode, you can save any stored certificates
and CRLs at the TFTP site.)
Before disabling query mode, perform the
copy system:running-config nvram:startup-config
command to save all current certificates and CRLs to
NVRAM. Otherwise they could be lost during a reboot.
To specify that certificates and CRLs should not be stored locally on
your device, but should be retrieved when required, enable query mode by using
the following command in global configuration mode:
Query mode may affect availability if the CA is down.