DMVPN - Certificates don't auto-renew

Unanswered Question
Dec 10th, 2007
I have a DMVPN with RSA certs (and an internal IOS CA Server on a router) that have been up for many months, however, recently, the spoke certs have started expiring. Since auto-renew is enabled, I granted the "pending" certs on the CA server but the spokes never were able to obtain their new certs even though the VPN tunnels were still up. Eventually, I ran out of time for troubleshooting and all tunnels expired and were torn down due to IKE failures because of expired certs.

Any idea why granting the certs didn't have any effect?


tstanik Mon, 12/17/2007 - 13:21

Some certificate authorities require you to generate a new key pair to renew a certificate, while other certificate authorities allow you to use the key pair of the expiring certificate to renew a certificate. Also note that some CA servers require a new key to be generated when renewing a certificate.

plemieux72 Mon, 12/17/2007 - 13:45

For an IOS CA Server running 12.4(11)T3/ADV SECURITY... what would I need to check to verify this is the case? I followed the SRND and never saw anything related to rekeying.

Also, wouldn't a rekey on a remote client be disruptive? I mean, if it's seamless and the tunnels stay up... I am fine with it. However, otherwise, I'd have to find alternatives.

Thanks very much for your response!
