Hi Shane. Yes, you have to open up the filters to allow clients to contact your CA to get the CRL.
But this is not a Cisco requirement. This is a Microsoft Internet Explorer requirement. CCAA uses IE to perform the http part of the session. So if your IE is configured to check for a CRL, then CCAA will need it. You can disable it in IE advanced options, and IE won't require it anymore. But the better answer is to just allow access to it. Mike
