I have the following configuration:
crypto pki trustpoint mycompany.com
enrollment retry count 5
enrollment retry period 3
enrollment url http://x.x.x.x:80
If the certificate has already reached 70 percent of its lifetime and the router has already tried 5 times to get a new one and failed:
1. Is there a way to know how many times the router has tried to re-enroll?
2. Is there a way to force the router to re-enroll without bringing the tunnels down?
3. If the router already tried, can I increase the auto-enroll to 90 - would this work?
Thank you very much in advance for your replies.
Output from the following command might indicate re-enrollment failures after they occur.
hq-edg01#sh crypto pki timers
| 2d 1:59:35.732
| 2d 1:59:35.732 CRL Unable to display CDP
|353d 8:31:22.880 RENEW ca.domain.null
This chapter: Configuring Certificate Enrollment for a PKI
... and this chapter: Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
... from this book: Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T
... might help.
In my opinion, I believe you would be able to re-initiate re-enrollment at a later date by incrementing the percentage argument.
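As an added example that is not part of the thread (not the original poster's configuration or the replier's suggestion), the script below parses `show crypto pki timers` output of the shape quoted above to pull out the RENEW countdown, and computes where the auto-enroll trigger falls for a given percentage so you can compare a 70 and a 90 percent setting against the current time. It assumes the Cisco IOS semantics of `auto-enroll <percent>` (re-enrollment starts when that percentage of the certificate lifetime has elapsed); the sample output and certificate dates are constructed, and the function names are the example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the 'sh crypto pki timers' lines quoted in the thread.
SAMPLE_TIMERS = """\
hq-edg01#sh crypto pki timers
| 2d 1:59:35.732
| 2d 1:59:35.732 CRL Unable to display CDP
|353d 8:31:22.880 RENEW ca.domain.null
"""

# One timer line: '|' then optional '<days>d', then h:m:s.ms, then optional kind and detail.
_TIMER_RE = re.compile(
    r"^\|\s*(?:(?P<days>\d+)d\s+)?(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\.(?P<ms>\d+)"
    r"(?:\s+(?P<kind>[A-Z]+)(?:\s+(?P<detail>.*?))?)?\s*$"
)


def parse_pki_timers(text):
    """Parse timer lines into dicts with the remaining time, the timer kind and its detail."""
    entries = []
    for line in text.splitlines():
        m = _TIMER_RE.match(line)
        if not m:
            continue  # prompt line or anything that is not a timer row
        remaining = timedelta(
            days=int(m["days"] or 0),
            hours=int(m["h"]),
            minutes=int(m["m"]),
            seconds=int(m["s"]),
            milliseconds=int(m["ms"]),
        )
        entries.append({"remaining": remaining, "kind": m["kind"], "detail": m["detail"]})
    return entries


def renew_timer(entries):
    """Return the RENEW entry (the pending re-enrollment countdown), or None if absent."""
    for e in entries:
        if e["kind"] == "RENEW":
            return e
    return None


def auto_enroll_trigger(not_before, not_after, percent):
    """Instant at which auto-enroll fires: 'percent' of the certificate lifetime elapsed."""
    if not 1 <= percent <= 100:
        raise ValueError("percent must be between 1 and 100")
    lifetime = not_after - not_before
    return not_before + lifetime * (percent / 100)


def lifetime_elapsed_percent(not_before, not_after, now):
    """How far through its validity window the certificate is at 'now', in percent."""
    lifetime = not_after - not_before
    return 100.0 * (now - not_before) / lifetime


def trigger_is_ahead(not_before, not_after, percent, now):
    """True if raising/setting auto-enroll to 'percent' places the trigger after 'now'."""
    return auto_enroll_trigger(not_before, not_after, percent) > now


if __name__ == "__main__":
    timers = parse_pki_timers(SAMPLE_TIMERS)
    print("RENEW timer:", renew_timer(timers))
    # Constructed 100-day certificate, observed 80 days into its life.
    nb = datetime(2024, 1, 1)
    na = nb + timedelta(days=100)
    now = nb + timedelta(days=80)
    print("elapsed: %.1f%%" % lifetime_elapsed_percent(nb, na, now))
    for pct in (70, 90):
        print(pct, auto_enroll_trigger(nb, na, pct), "ahead of now:",
              trigger_is_ahead(nb, na, pct, now))
```

Run it against a saved copy of the router's timer output to see the RENEW countdown as a `timedelta`; the percentage functions show that, for a certificate already 80 percent through its life, a 70 percent trigger lies in the past while a 90 percent trigger still lies ahead. Whether IOS re-arms the timer when the percentage is changed after a failed attempt is exactly the point the thread leaves open, so verify it on the device rather than from this arithmetic.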