Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2447
Views
0
Helpful
4
Replies

IOS CA Server - Subordinate CA Server problems

mlipsey
Level 1
Level 1

‎07-09-2007 02:49 PM - edited ‎02-21-2020 01:35 AM

I'm doing a proof of concept using Cisco's IOS CA Server to do our DMVPN authentication. When I use a stand alone CA Server this stuff works great but that doesn't have any "redundancy" in it were we to have a failure. So we want to use the subordinate ca server architecture so that we can have 2 servers available. the other option is an RA server.

I have seen both of these options work but in my proof of concept I have never been able to get the Subordinate CA to work correctly and the RA mode I was able to get to work but after a few hours it would mysteriously stop working (I haven't opend a TAC case on the RA problems yet).

Anyway, I've got a TAC case opened and they walked me through this last week. I took extensive notes, their process was not without problems but eventually we got it working in Subordinate CA mode. Okay, it works - I've seen it. I attempted to recreate it afterwords using my notes and the CCO documentation and it doesn't work. My DMVPN hub says the client's cert is "bad."

My debugging isn't very helpful the run down of my configuration is attached as text.

Now, here are my steps:

On the Root CA, I generate a general key, export it out to nvram and then reimport it non-exportable. Then I create the CA configuration which generates the Root CA certificate.

Next I move on to the Subordinate, create its general rsa key, export and reimport it non-exportable.

Then I create the ca server on it in "sub-cs" mode. It gets generates a "Subordinate-CA" certificate request which I then have to go approve on the Root CA server.

Next I move on to the DMVPN Hub router. I generate its rsa general key, export and then re import. Then I create the Root trustpoint and authenticate to it to retrieve the Root Certificate. Then I add the subordinate-ca trustpoint and authenticate to it, then enroll in it. Should be done there - usually goes off without a hitch.

Last is the DMVPN Client router; same process as above to be honest.

Once that is complete - everyone has a certificate and the DMVPN tunnel attempts to authenticate; the DMVPN hub tries to check the crl on the subordinate CA server and it says it fails and that it is a bad certificate.

Preview file
2 KB
Preview file
22 KB
0 Helpful
4 Replies 4

mlipsey
Level 1
Level 1

‎07-09-2007 04:12 PM

Incidentally this is my primary source for documentation of this process:

http://www.cisco.com/en/US/customer/products/ps6441/products_configuration_guide_chapter09186a008051eafa.html#wp1144411

0 Helpful

mlipsey
Level 1
Level 1
In response to mlipsey

‎07-09-2007 04:38 PM

I've just found some notes here:

http://www.cisco.com/en/US/customer/products/ps6660/products_white_paper0900aecd805249e3.shtml

They indicate that I may need to be using 12.4(11)T or better to get the Sub-CA thing working properly.

I'll try that tomorrow...

0 Helpful

mlipsey
Level 1
Level 1
In response to mlipsey

‎07-10-2007 09:54 AM

Well I upgraded to 12.4(16)LD and there is no change in my results. If I remove the revocation-check then it authenticates properly.

Of course that's lame though because without that my revoked certificates will not be denied access.

0 Helpful

amhashem
Cisco Employee
Cisco Employee
In response to mlipsey

‎08-30-2016 11:42 PM

Try to change the trustpoint names on the DMVPN routers to something completely different than what you have used for the Root CA and the SubCA

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card