Cisco IOS Certificate Server CA root query

Unanswered Question
Jun 2nd, 2010

I am in the middle of labbing a DMVPN environment and after getting it working with PSK, I have got it working with certificates by setting up a Cisco IOS Certificate Server and enrolling all routers.

I have noticed that my router identity certificates seem to auto refresh/enroll their certificates OK, but I am concerned about what is going to happen about the validity of the root certificate, which has a finite set time.

Can anyone explain what I would need to do to ensure the root CA certificate doesn't expire, or how to replace the root cert without having to delete all the certificates on all routers?

When I check out the options I can configure inside the 'crypto pki server' or '...trustpoint' for the CA, I can't seem to find anything that makes sense, or change anything as it's in use.

Marcin Latosiewicz Wed, 06/02/2010 - 12:21

You're mentioning the "rollover" process.

And you have the option to automatically rollover ... not sure what you configured. "show crypto pki timer" will show you what the active PKI timers are... maybe rollover is already there?

I believe you'd be interested in this:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1193946
