PIX 6.3(5) Certificate renewal

Aug 9th, 2007

Hi


I have a PIX 515E 6.3(5) and I have a problem I simply cannot find an answer for!


We use a certificate for a VPN we have with a 3rd party, and the certificate is due for renewal in the next couple of weeks. The guy that did this originally has left the company and I've never done this before. I'm pretty certain he generated the original certificate request on this firewall.


I have this information (names changed, serials altered, etc):


From config:

ca identity mydomain.com 216.x.x.39:/cgi-bin

ca configure mydomain.com ca 1 20 crloptional


myfirewall# sh ca cert

Certificate

Status: Available

Certificate Serial Number: xxx

Key Usage: General Purpose

Subject Name:

UNSTRUCTURED NAME = myfirewall.mydomain.com + CN = myfirewall.mydomain.com

Validity Date:

start date: 00:00:00 UTC Aug 24 2006

end date: 23:59:59 UTC Aug 24 2007


I've looked at using the ca enroll command but I need to keep this VPN up while the certificate is renewed if possible.


Any help greatly appreciated!

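The question hinges on spotting the renewal window before the identity certificate (not the long-lived CA certificate) lapses. The following is an added example, not code from the thread or from Cisco: it parses the PIX 6.3 `sh ca cert` output format quoted above (dates, subject line, certificate type) and reports which certificates need renewal relative to a given day. The sample output is constructed from the two listings in this thread with placeholder names.

```python
from datetime import datetime

# Constructed sample modelled on the two `sh ca cert` outputs quoted in this
# thread (names are placeholders, as in the original posts).
SAMPLE_SH_CA_CERT = """\
CA Certificate
Status: Available
CN = Example Root
O = Example plc
Validity Date:
start date: 00:00:00 UTC Apr 20 2005
end date: 23:59:59 UTC Apr 19 2015

Certificate
Status: Available
Subject Name:
UNSTRUCTURED NAME = myfirewall.mydomain.com + CN = myfirewall.mydomain.com
Validity Date:
start date: 00:00:00 UTC Aug 24 2006
end date: 23:59:59 UTC Aug 24 2007
"""

DATE_FMT = "%H:%M:%S UTC %b %d %Y"  # e.g. "23:59:59 UTC Aug 24 2007"

def parse_sh_ca_cert(text):
    """Split PIX 6.3 `sh ca cert` output into one dict per certificate."""
    certs = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("Certificate", "CA Certificate"):
            certs.append({"type": line, "subject": ""})
        elif not certs:
            continue  # ignore anything before the first certificate header
        elif line.startswith(("start date:", "end date:")):
            key, value = line.split(":", 1)  # "start date" / "end date"
            certs[-1][key.split()[0]] = datetime.strptime(value.strip(), DATE_FMT)
        elif "CN = " in line:
            certs[-1]["subject"] = line
    return certs

def renewal_report(text, today, warn_days=30):
    """Flag each cert as ok / renew / expired relative to `today` (ISO string or datetime)."""
    if isinstance(today, str):
        today = datetime.fromisoformat(today)
    report = []
    for cert in parse_sh_ca_cert(text):
        days_left = (cert["end"] - today).days
        status = "expired" if days_left < 0 else ("renew" if days_left <= warn_days else "ok")
        report.append({"type": cert["type"], "subject": cert["subject"],
                       "days_left": days_left, "status": status})
    return report
```

Run `renewal_report(SAMPLE_SH_CA_CERT, "2007-08-09")` (the date of the question) to see the identity certificate flagged for renewal while the 10-year CA certificate reports ok.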
Jagdeep Gambhir Mon, 08/13/2007 - 13:20

The following has to be done on the PIX.



ca zeroize rsa

no ca save all (Now we need to reinstall both CA and identity certs)

ca generate rsa key 512


CA fresh installation:

1. ca identity name ip_address:/certsrv/mscep/mscep.dll

2. ca configure name ra 1 3 crloptional

3. ca authenticate name

4. ca enroll name ip_address or password

5. ca save all



http://www.cisco.com/warp/customer/707/lan_to_lan_ipsec_pix_rtr_cert.html



Regards,

~JG

Jesterino Tue, 08/14/2007 - 01:58

Thanks for your reply. May I ask a couple more questions?


Will the existing VPN drop during this process?


Normally I use a 1024 bit RSA key, and it is likely this was used before - is that OK?


There's also a 10 year cert which I believe is from the other end of the VPN on this PIX, will that be lost or is it reinstalled from the ca authenticate name command?


myfirewall# sh ca cert


CA Certificate

Status: Available

Certificate Serial Number: xxx

Key Usage: General Purpose

CN = xxxxxxx xxxxxxx

O = xxxxxxx xxxxxxx plc

Validity Date:

start date: 00:00:00 UTC Apr 20 2005

end date: 23:59:59 UTC Apr 19 2015


Thanks again for your help!

rigoberto.cintr... Tue, 08/14/2007 - 05:17

You can use any key you want.

ca generate rsa key 1024


If the other end's cert was issued by the same CA you shouldn't have any problem, because the PIX should check the cert against the CA.

Jesterino Tue, 08/14/2007 - 06:15

Thanks.


Can you advise if the VPN will stay up during this renewal process?

Jagdeep Gambhir Tue, 08/14/2007 - 06:37

It will not be able to handle new authentication requests. I would suggest doing it during off-production hours.


Please rate helpful posts


Regards
