cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
943
Views
14
Helpful
6
Replies

PIX 6.3(5) Certificate renewal

Jesterino
Level 1
Level 1

Hi

I have a PIX 515E 6.3(5) and I have a problem I simply cannot find an answer for!

We use a certificate for a VPN we have with a 3rd party, and the certificate is due for renewal in the next couple of weeks. The guy that did this originally has left the company and I've never done this before. I'm pretty certain he generated the original certificate request on this firewall.

I have this information (names changed, serials altered, etc):

From config:

ca identity mydomain.com 216.x.x.39:/cgi-bin

ca configure mydomain.com ca 1 20 crloptional

myfirewall# sh ca cert

Certificate

Status: Available

Certificate Serial Number: xxx

Key Usage: General Purpose

Subject Name:

UNSTRUCTURED NAME = myfirewall.mydomain.com + CN = myfirewall.mydomain.com

Validity Date:

start date: 00:00:00 UTC Aug 24 2006

end date: 23:59:59 UTC Aug 24 2007

I've looked at using the ca enroll command but I need to keep this VPN up while the certificate is renewed if possible.

Any help greatly appreciated!

6 Replies 6

Jagdeep Gambhir
Level 10
Level 10

The following has to be done on the PIX.

ca zeroize rsa

no ca save all (Now we need to reinstall both CA and identity certs)

ca generate rsa key 512

CA fresh insatllation:

1.ca identity name ip_address:/certsrv/mscep/mscep.dll

2.ca configure name ra 1 3 crloptional

3.ca authenticate name

4. ca enroll name ip_address or password

6. ca save all

http://www.cisco.com/warp/customer/707/lan_to_lan_ipsec_pix_rtr_cert.html

Regards,

~JG

Thanks for your reply. May I ask a couple more questions?

Will the existing VPN drop during this process?

Normally I use a 1024 bit RSA key, and it is likely this was used before - is that OK?

There's also a 10 year cert which I believe is from the other end of the VPN on this PIX, will that be lost or is it reinstalled from the ca authenticate name command?

myfirewall# sh ca cert

CA Certificate

Status: Available

Certificate Serial Number: xxx

Key Usage: General Purpose

CN = xxxxxxx xxxxxxx

O = xxxxxxx xxxxxxx plc

Validity Date:

start date: 00:00:00 UTC Apr 20 2005

end date: 23:59:59 UTC Apr 19 2015

Thanks again for your help!

You can use any key you want.

ca generate rsa key 1024

If the other end cert was issue by the same CA you shouldn't any problem because PIX should check the cert against the CA.

Thanks.

Can you advise if the VPN will stay up during this renewal process?

I don't think so, since there won't be a cert for the authentication.

It will not able to handle new authentication request. I will suggest to do it during off prod hrs.

Please rate helpful posts

Regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: