WAAS - Certificate '__waas-self__.p12' is expired.

Unanswered Question
Mar 23rd, 2010
I'm getting this error on a newly installed WAE-674 at one of my remote offices. It looks like the local machine self assigned certificate has expired.

Certificate '__waas-self__.p12' is expired. It is configured as machine cert in global settings

        Version: 3 (0x2)
        Serial Number: 25 (0x19)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, OU=ADBU, O=Cisco Systems, [email protected]
            Not Before: Sep 12 10:18:36 2001 GMT
            Not After : Sep 11 10:18:36 2006 GMT

Is there a way to have the CM manage all the WAEs' certificates? Otherwise in a few years I would have to go to every single WAE to reassign a local certificate. What is the best way to manage it and how do I create a local self-assigned certificate?

Zach Seils (Cisco Employee), Wed, 04/14/2010 - 08:01

You are seeing this alarm because the factory self-signed certificate has expired.  It is currently not possible to replace the factory self-signed certificate.  However, you can generate a new self-signed certificate and associate it with the SSL AO global-settings using the following steps:

! -- Generate a new self-signed certificate

WAE-674# crypto generate self-signed-cert WAE-674.p12 rsa modulus 1024
Generating a 1024 bit RSA private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Jose]:
Organization Name (eg, company) [Cisco Systems]:
Organizational Unit Name (eg, section) [ADBU]:
Common Name (eg, YOUR name) [www.cisco.com]:
Email Address [[email protected]]:
Self signed certificate successfully generated
WAE-674# sh cry certificates

Certificate Only Store:

Managed Store:
File: WAE-674.p12                Format: PKCS12
EEC: Subject: C=US/ST=California/L=San Jose/O=Cisco [email protected]
     Issuer: C=US/ST=California/L=San Jose/O=Cisco [email protected]
[email protected]---------------

Local Store:
Machine Self signed Certificate
Format: PKCS12
Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco [email protected]
Issuer: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco [email protected]

Management Service Certificate
Format: PKCS12
EEC:Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco [email protected]
    Issuer: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco [email protected]
The WAAS Self Signed Certificate is being used as the Management Service Certificate

! -- Associate the self-signed certificate with the SSL AO global services
WAE-674# conf
WAE-674(config)# cry ssl services global-settings machine-cert-key WAE-674.p12
WAE-674(config)# end
WAE-674# wr

There is an existing enhancement request (CSCte05426) open to add the ability to replace the factory self-signed certificate.  I'll update the request to include the ability to perform this function from the Central Manager.

If you have any additional questions, please let us know.
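
The concern raised in the question, finding expired or soon-to-expire machine certificates without visiting every WAE by hand, can be handled offline once the certificate text has been collected from each device. The script below is an added example, not part of the original posts and not Cisco tooling: it parses dumps in the format quoted in the question and reports expiry and weak signature hashes. The device name WAE-branch2, its dates, and the 90-day warning window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Field layout follows the certificate dump quoted in the question
# (OpenSSL-style text output); other layouts are not handled.
FIELD = re.compile(r"^\s*(Not Before|Not After|Signature Algorithm)\s*:\s*(.+?)\s*$", re.M)
WEAK_SIG = ("md5", "sha1")  # hash families treated here as weak (assumed policy)

def parse_cert_text(text):
    """Return validity window and signature algorithm from a cert text dump."""
    fields = dict(FIELD.findall(text))
    def ts(key):
        # e.g. "Sep 11 10:18:36 2006 GMT"; collapse padding on one-digit days
        raw = " ".join(fields[key].split())
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return {"not_before": ts("Not Before"), "not_after": ts("Not After"),
            "sig_alg": fields.get("Signature Algorithm", "unknown")}

def audit(dumps, now, warn_days=90):
    """Map device name -> list of findings for expiry and weak signatures."""
    report = {}
    for device, text in dumps.items():
        cert, findings = parse_cert_text(text), []
        if now > cert["not_after"]:
            findings.append("expired %d days ago" % (now - cert["not_after"]).days)
        elif cert["not_after"] - now <= timedelta(days=warn_days):
            findings.append("expires in %d days" % (cert["not_after"] - now).days)
        if now < cert["not_before"]:
            findings.append("not yet valid")
        if cert["sig_alg"].lower().startswith(WEAK_SIG):
            findings.append("weak signature algorithm: " + cert["sig_alg"])
        report[device] = findings
    return report

# Constructed sample input: the first dump mirrors the dates in the question,
# the second (hypothetical device) is invented to show a cert close to expiry.
SAMPLE = {
    "WAE-674": """Signature Algorithm: sha1WithRSAEncryption
            Not Before: Sep 12 10:18:36 2001 GMT
            Not After : Sep 11 10:18:36 2006 GMT""",
    "WAE-branch2": """Signature Algorithm: sha256WithRSAEncryption
            Not Before: Apr  1 00:00:00 2009 GMT
            Not After : Jun  1 00:00:00 2010 GMT""",
}

if __name__ == "__main__":
    now = datetime(2010, 4, 14, tzinfo=timezone.utc)  # date of the reply above
    for device, findings in audit(SAMPLE, now).items():
        print(device, "->", findings or ["ok"])
```

Run on a schedule against freshly collected dumps, the report gives advance notice before the alarm in the question appears on a device.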



