08-09-2007 01:27 AM - edited 03-11-2019 03:55 AM
Hi
I have a PIX 515E 6.3(5) and I have a problem I simply cannot find an answer for!
We use a certificate for a VPN we have with a 3rd party, and the certificate is due for renewal in the next couple of weeks. The guy that did this originally has left the company and I've never done this before. I'm pretty certain he generated the original certificate request on this firewall.
I have this information (names changed, serials altered, etc):
From config:
ca identity mydomain.com 216.x.x.39:/cgi-bin
ca configure mydomain.com ca 1 20 crloptional
myfirewall# sh ca cert
Certificate
Status: Available
Certificate Serial Number: xxx
Key Usage: General Purpose
Subject Name:
UNSTRUCTURED NAME = myfirewall.mydomain.com + CN = myfirewall.mydomain.com
Validity Date:
start date: 00:00:00 UTC Aug 24 2006
end date: 23:59:59 UTC Aug 24 2007
I've looked at using the ca enroll command but I need to keep this VPN up while the certificate is renewed if possible.
Any help greatly appreciated!
08-13-2007 01:20 PM
The following has to be done on the PIX.
ca zeroize rsa
no ca save all (Now we need to reinstall both CA and identity certs)
ca generate rsa key 512
CA fresh installation:
1. ca identity name ip_address:/certsrv/mscep/mscep.dll
2. ca configure name ra 1 3 crloptional
3. ca authenticate name
4. ca enroll name ip_address or password
6. ca save all
http://www.cisco.com/warp/customer/707/lan_to_lan_ipsec_pix_rtr_cert.html
Regards,
~JG
08-14-2007 01:58 AM
Thanks for your reply. May I ask a couple more questions?
Will the existing VPN drop during this process?
Normally I use a 1024 bit RSA key, and it is likely this was used before - is that OK?
There's also a 10-year cert on this PIX which I believe is from the other end of the VPN. Will that be lost, or is it reinstalled by the ca authenticate name command?
myfirewall# sh ca cert
CA Certificate
Status: Available
Certificate Serial Number: xxx
Key Usage: General Purpose
CN = xxxxxxx xxxxxxx
O = xxxxxxx xxxxxxx plc
Validity Date:
start date: 00:00:00 UTC Apr 20 2005
end date: 23:59:59 UTC Apr 19 2015
Thanks again for your help!
08-14-2007 05:17 AM
You can use any key you want.
ca generate rsa key 1024
If the other end's cert was issued by the same CA, you shouldn't have any problem, because the PIX should check the cert against the CA.
08-14-2007 06:15 AM
Thanks.
Can you advise if the VPN will stay up during this renewal process?
08-14-2007 06:35 AM
I don't think so, since there won't be a cert for the authentication.
08-14-2007 06:37 AM
It will not be able to handle new authentication requests. I would suggest doing it during off-production hours.
Please rate helpful posts
Regards