PIX 6.3(5) Certificate renewal

Unanswered Question
Aug 9th, 2007

Hi

I have a PIX 515E 6.3(5) and I have a problem I simply cannot find an answer for!

We use a certificate for a VPN we have with a 3rd party, and the certificate is due for renewal in the next couple of weeks. The guy that did this originally has left the company and I've never done this before. I'm pretty certain he generated the original certificate request on this firewall.

I have this information (names changed, serials altered, etc):

From config:

ca identity mydomain.com 216.x.x.39:/cgi-bin

ca configure mydomain.com ca 1 20 crloptional

myfirewall# sh ca cert
Certificate
Status: Available
Certificate Serial Number: xxx
Key Usage: General Purpose
Subject Name:
UNSTRUCTURED NAME = myfirewall.mydomain.com + CN = myfirewall.mydomain.com
Validity Date:
start date: 00:00:00 UTC Aug 24 2006
end date: 23:59:59 UTC Aug 24 2007

I've looked at using the ca enroll command but I need to keep this VPN up while the certificate is renewed if possible.

Any help greatly appreciated!

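The question above hinges on reading the validity dates out of `show ca certificate` and knowing how long is left. As an added example (not code from the thread or from Cisco), the script below parses that output format into one record per certificate block and flags any certificate that expires within a warning window, so a renewal like this one is scheduled before the end date rather than discovered at it. The sample output is constructed to mirror the redacted listing posted in the thread (serial numbers, CA name and organisation are placeholders); the date format `HH:MM:SS UTC Mon DD YYYY` is taken from the output shown above.

```python
"""Parse PIX 6.x 'show ca certificate' output and flag certificates that are
close to expiry.

Added example, not from the original thread.  SAMPLE_OUTPUT is constructed to
mirror the redacted output posted in the thread; serials, CA name and
organisation are placeholders.
"""
import re
from datetime import datetime

# Constructed sample: the identity cert and the CA cert from the thread,
# joined as one 'show ca certificate' listing.
SAMPLE_OUTPUT = """\
myfirewall# sh ca cert
Certificate
Status: Available
Certificate Serial Number: 0123
Key Usage: General Purpose
Subject Name:
UNSTRUCTURED NAME = myfirewall.mydomain.com + CN = myfirewall.mydomain.com
Validity Date:
start date: 00:00:00 UTC Aug 24 2006
end date: 23:59:59 UTC Aug 24 2007

CA Certificate
Status: Available
Certificate Serial Number: 4567
Key Usage: General Purpose
CN = Example CA
O = Example plc
Validity Date:
start date: 00:00:00 UTC Apr 20 2005
end date: 23:59:59 UTC Apr 19 2015
"""

# Date format as printed by the PIX, e.g. "23:59:59 UTC Aug 24 2007".
DATE_FMT = "%H:%M:%S UTC %b %d %Y"

# Each block opens with a line naming the certificate kind: "Certificate",
# "CA Certificate", "RA Signature Certificate", and so on.
KIND_RE = re.compile(r"^(?:[A-Z][A-Za-z ]* )?Certificate$")


def parse_show_ca_cert(text):
    """Return one dict per certificate block: kind, serial, subject lines,
    and parsed start/end datetimes (naive, UTC as printed by the PIX)."""
    certs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the echoed command prompt.
        if not line or "# sh" in line:
            continue
        if KIND_RE.match(line):
            current = {"kind": line, "serial": None, "subject": [],
                       "start": None, "end": None}
            certs.append(current)
            continue
        if current is None:
            continue  # text before the first certificate block
        if line.startswith("Certificate Serial Number:"):
            current["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("start date:"):
            current["start"] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif line.startswith("end date:"):
            current["end"] = datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)
        elif "=" in line and not line.startswith(("Status", "Key Usage")):
            # Subject / issuer attribute lines such as "CN = ..." or "O = ...".
            current["subject"].append(line)
    return certs


def expiring(certs, now, warn_days=30):
    """Return (kind, serial, days_left) for every cert whose end date is within
    warn_days of `now`; days_left is negative once the cert has expired."""
    flagged = []
    for cert in certs:
        if cert["end"] is None:
            continue
        days_left = (cert["end"] - now).days
        if days_left <= warn_days:
            flagged.append((cert["kind"], cert["serial"], days_left))
    return flagged


def report(text, today, warn_days=30):
    """Convenience wrapper: parse `text` and check expiry against an ISO date
    string such as "2007-08-09" (midnight UTC)."""
    now = datetime.strptime(today, "%Y-%m-%d")
    return expiring(parse_show_ca_cert(text), now, warn_days)


if __name__ == "__main__":
    # Run against the constructed sample as of the date the question was posted.
    for kind, serial, days in report(SAMPLE_OUTPUT, "2007-08-09"):
        print(f"{kind} serial {serial}: {days} day(s) until end date")
```

Run as of the date the question was posted, the identity certificate is flagged with about two weeks left while the ten-year CA certificate is not; the same check run after the end date reports a negative day count, which is the case to alert on hardest since an expired identity certificate will fail new IKE authentications.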
Jagdeep Gambhir Mon, 08/13/2007 - 13:20

The following has to be done on the PIX.

ca zeroize rsa

no ca save all (Now we need to reinstall both CA and identity certs)

ca generate rsa key 512

CA fresh installation:

1. ca identity name ip_address:/certsrv/mscep/mscep.dll

2. ca configure name ra 1 3 crloptional

3. ca authenticate name

4. ca enroll name ip_address or password

5. ca save all

http://www.cisco.com/warp/customer/707/lan_to_lan_ipsec_pix_rtr_cert.html

Regards,

~JG

Jesterino Tue, 08/14/2007 - 01:58

Thanks for your reply. May I ask a couple more questions?

Will the existing VPN drop during this process?

Normally I use a 1024-bit RSA key, and it is likely this was used before - is that OK?

There's also a 10 year cert which I believe is from the other end of the VPN on this PIX, will that be lost or is it reinstalled from the ca authenticate name command?

myfirewall# sh ca cert
CA Certificate
Status: Available
Certificate Serial Number: xxx
Key Usage: General Purpose
CN = xxxxxxx xxxxxxx
O = xxxxxxx xxxxxxx plc
Validity Date:
start date: 00:00:00 UTC Apr 20 2005
end date: 23:59:59 UTC Apr 19 2015

Thanks again for your help!

rigoberto.cintr... Tue, 08/14/2007 - 05:17

You can use any key you want.

ca generate rsa key 1024

If the other end's cert was issued by the same CA you shouldn't have any problem, because the PIX should check the cert against the CA.

Jesterino Tue, 08/14/2007 - 06:15

Thanks.

Can you advise if the VPN will stay up during this renewal process?

Jagdeep Gambhir Tue, 08/14/2007 - 06:37

It will not be able to handle new authentication requests. I would suggest doing it during off-production hours.

Please rate helpful posts

Regards
