Configuring Auto-enrollment on a router

Feb 15th, 2009


I configured a digital certificate on a router using a CA server for authentication.

Here is the policy configuration:

crypto ca trustpoint branch-Cert
 enrollment mode ra
 enrollment url
 usage ike
 crl optional

So what I need to do now is to configure auto-enrollment.

I did my research and found that the only missing command is the auto-enroll [percent] [regenerate].

The issue is that the first time I did the "cr ca enroll ..." I had to enter a password that was generated from the CA server, and it worked properly, but it was done manually.

But when the certificate expires and the automatic enrollment takes place, will a new password be required?

And if yes, how will it be entered automatically?


Ivan Martinon Mon, 02/16/2009 - 07:10

Typically the password that the CA gives you is dynamic and has a lifetime of, I believe, around 5 minutes. In this case you would need to enter the password manually once the router is about to re-enroll itself to the CA. In the case where the CA generates a password which never changes, then I believe you have the option on the trustpoint to define the password you would like to use.

jorjes1984 Mon, 02/16/2009 - 10:35

Hi again

The password generated by the CA server is exactly as you said; its lifetime is 5 minutes.

So how can I make the router auto-enroll without any manual intervention?

Can we change the settings in the CA server password generation so it would never change?

Ivan Martinon Mon, 02/16/2009 - 10:40

That I am not sure about. I know you can change it to avoid using a password, but I am not sure if it will keep the same password over and over. At this point I believe your options are either to enter the password every time (not automatic) or to disable the password on the CA (enrollment automatic).

jorjes1984 Tue, 02/17/2009 - 14:10


Do you know how to disable the password on the CA (enrollment automatic)?


Ivan Martinon Tue, 02/17/2009 - 14:20

You need to access your MS CA certificates console via Administrative Tools > CA. In there you need to right-click your CA certificate and select Properties. From here I am not quite sure where exactly you will go, but there is an option for disabling the pass phrase. If this is not like that, then you need to reinstall your CA.

