I'm doing a proof of concept using Cisco's IOS CA Server to do our DMVPN authentication. When I use a stand-alone CA Server this stuff works great, but that doesn't have any "redundancy" in it were we to have a failure. So we want to use the subordinate CA server architecture so that we can have 2 servers available. The other option is an RA server.
I have seen both of these options work, but in my proof of concept I have never been able to get the Subordinate CA to work correctly, and the RA mode I was able to get to work, but after a few hours it would mysteriously stop working (I haven't opened a TAC case on the RA problems yet).
Anyway, I've got a TAC case opened and they walked me through this last week. I took extensive notes; their process was not without problems, but eventually we got it working in Subordinate CA mode. Okay, it works - I've seen it. I attempted to recreate it afterwards using my notes and the CCO documentation and it doesn't work. My DMVPN hub says the client's cert is "bad."
My debugging isn't very helpful; the rundown of my configuration is attached as text.
Now, here are my steps:
On the Root CA, I generate a general key, export it out to nvram and then reimport it non-exportable. Then I create the CA configuration which generates the Root CA certificate.
Next I move on to the Subordinate, create its general rsa key, export and reimport it non-exportable.
Then I create the CA server on it in "sub-cs" mode. It generates a "Subordinate-CA" certificate request which I then have to go approve on the Root CA server.
Next I move on to the DMVPN Hub router. I generate its RSA general key, export and then re-import. Then I create the Root trustpoint and authenticate to it to retrieve the Root Certificate. Then I add the subordinate-ca trustpoint and authenticate to it, then enroll in it. Should be done there - usually goes off without a hitch.
Last is the DMVPN Client router; same process as above to be honest.
Once that is complete, everyone has a certificate and the DMVPN tunnel attempts to authenticate; the DMVPN hub tries to check the CRL on the subordinate CA server and it says it fails and that it is a bad certificate.
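The sequence described in the steps above (root CA, subordinate CA in sub-cs mode, then the hub and spoke trustpoints), written out as an added IOS configuration example. This is not the poster's attached configuration and not Cisco documentation; the device names (ROOTCA, SUBCA, HUB, SPOKE), the 192.0.2.x addresses, the issuer names and the passphrase are all assumed placeholders. It ends with the checks a practitioner would run on the hub when the peer certificate is rejected during the CRL lookup, since that is where the chain breaks in the post.

```ios
! ===== Root CA (assumed address 192.0.2.1) =====
! SCEP enrollment and the default CRL distribution point are served over HTTP,
! so the HTTP server must be up on every IOS CA the peers talk to.
ip http server
! Generate an exportable key, archive it, then re-import it as non-exportable.
! The key label must match the CA server name or the server will not use it.
crypto key generate rsa general-keys label ROOTCA modulus 2048 exportable
crypto key export rsa ROOTCA pem url nvram: 3des ASSUMED-PASSPHRASE
crypto key import rsa ROOTCA pem url nvram: ASSUMED-PASSPHRASE
crypto pki server ROOTCA
 database level complete
 database url nvram:
 issuer-name CN=ROOTCA,O=EXAMPLE
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! Explicit CDP so every certificate carries a URL the hub can actually reach.
 cdp-url http://192.0.2.1/ROOTCA.crl
 no shutdown

! ===== Subordinate CA (assumed address 192.0.2.2) =====
ip http server
crypto key generate rsa general-keys label SUBCA modulus 2048 exportable
crypto key export rsa SUBCA pem url nvram: 3des ASSUMED-PASSPHRASE
crypto key import rsa SUBCA pem url nvram: ASSUMED-PASSPHRASE
! A trustpoint with the same name as the server tells sub-cs mode where to
! send its own CA certificate request (the root's SCEP URL).
crypto pki trustpoint SUBCA
 enrollment url http://192.0.2.1:80
 rsakeypair SUBCA
 revocation-check crl
crypto pki server SUBCA
 mode sub-cs
 database level complete
 database url nvram:
 issuer-name CN=SUBCA,O=EXAMPLE
 lifetime crl 24
 cdp-url http://192.0.2.2/SUBCA.crl
 no shutdown
! The "Subordinate-CA" request now sits pending on the root; approve it there:
!   ROOTCA# crypto pki server ROOTCA info requests
!   ROOTCA# crypto pki server ROOTCA grant <request-id-from-the-list>

! ===== DMVPN hub (spoke is identical apart from names/addresses) =====
crypto key generate rsa general-keys label HUB modulus 2048 exportable
crypto key export rsa HUB pem url nvram: 3des ASSUMED-PASSPHRASE
crypto key import rsa HUB pem url nvram: ASSUMED-PASSPHRASE
! Root trustpoint: only needed to anchor the chain, so authenticate, do not enroll.
crypto pki trustpoint ROOTCA
 enrollment url http://192.0.2.1:80
 revocation-check crl
crypto pki authenticate ROOTCA
! Subordinate trustpoint: this is where the hub's identity certificate comes from.
crypto pki trustpoint SUBCA
 enrollment url http://192.0.2.2:80
 rsakeypair HUB
 revocation-check crl
crypto pki authenticate SUBCA
crypto pki enroll SUBCA

! ===== Checks on the hub when the peer certificate is reported "bad" =====
! 1. Both CA certificates must be present (root from ROOTCA, sub from SUBCA);
!    a missing root means the chain, not the CRL, is what fails.
show crypto pki certificates
! 2. Which CRLs the hub actually holds, and for which issuer.
show crypto pki crls
! 3. Pull the subordinate's CRL on demand; a failure here points at the CDP URL
!    in the peer certificate or at HTTP reachability, not at the certificate.
crypto pki crl request SUBCA
! 4. Watch the validation path while the spoke reconnects.
debug crypto pki validation
debug crypto pki transactions
```

As a way to isolate the fault, `revocation-check crl none` on the hub's SUBCA trustpoint makes the CRL fetch best-effort: if the tunnel then comes up, the certificates and chain are fine and the problem is that the hub cannot retrieve the CRL from the CDP URL embedded in the spoke's certificate (compare the URL shown by `show crypto pki certificates` for the peer against what the subordinate actually serves). Restore `revocation-check crl` once the CDP is reachable, since "none" as a permanent setting means revoked spoke certificates are still accepted.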