PKI/DMVPN - Renaming an IOS CA Server

Unanswered Question
Dec 10th, 2007
Would anyone know what the impact might be on a DMVPN if I were to rename/recreate the internal IOS CA Server hostname and trustpoint?

I assume I would have to re-create the RSA certs and trustpoint from scratch. And then, I'd have to go to each of the routers (including spokes and head-ends) and re-acquire the new root cert, then re-enroll for new router certs, which seems like it will bring down the tunnels... and since the CA server is internal, once the tunnels are down, the spokes will not be able to renew unless I configure a temporary pre-shared key crypto tunnel.

Is there a better, simpler way?

If anyone's ever done this in a lab, I'd appreciate any comments...

amritpatek Mon, 12/17/2007 - 14:37

You will have to recreate the RSA certificates and trustpoints if you rename the IOS CA server. You can configure graceful rollover for certificates. Graceful rollover of certificates avoids sudden loss of services in which new connections use the new certificate; existing connections continue to use the old certificate until the connections are closed.
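As an added illustration (not part of the thread, and not the poster's own configuration), below is the IOS CA and trustpoint configuration that the reply's "graceful rollover" refers to: the CA server generates a shadow CA certificate ahead of expiry, and each DMVPN router's trustpoint is set to auto-enroll and regenerate its key pair so it picks up the new certificate while existing tunnels keep using the old one. The server name `DMVPN-CA`, the enrollment URL, host names, key-pair name and lifetimes are assumed placeholders.

```text
! --- On the internal IOS CA server (names/addresses are assumed) ---
crypto pki server DMVPN-CA
 database level complete
 issuer-name CN=DMVPN-CA,O=Example
 lifetime ca-certificate 1825
 lifetime certificate 365
 grant auto
 ! Generate the shadow (rollover) CA certificate 30 days before the current one expires
 auto-rollover 30
 ! Automatically grant rollover requests for the CA certificate
 grant auto rollover ca-cert
 no shutdown
!
! --- On each DMVPN hub and spoke (one trustpoint per router) ---
crypto pki trustpoint DMVPN-CA
 enrollment url http://10.0.0.1:80
 subject-name CN=spoke1.example.net
 revocation-check none
 rsakeypair DMVPN-KEY
 ! Re-enroll at 70% of the certificate lifetime and generate a fresh key pair;
 ! the new certificate is used for new connections, the old one until it expires
 auto-enroll 70 regenerate
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 2
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Verification (run on the CA and on a spoke respectively):
!   show crypto pki server        -> shows the rollover status and shadow certificate dates
!   show crypto pki certificates  -> shows the active and, once obtained, the rollover certificate
```

The key point for the question above is that these knobs cover certificate expiry and renewal against the same CA identity; the reply's statement that a renamed server still means new certificates and trustpoints stands, so the rollover settings are what keep the re-enrollment from tearing down established tunnels once the new trustpoint is in place, not a substitute for it.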
