PKI server forgot to rollover CA certificate

Unanswered Question

Hello guys,

I installed PKI server on cisco router, here is configs,

lab1#show clock
14:34:14.426 EET Tue Sep 21 2010

!

crypto pki server LAB

database level complete

no database archive

issuer-name cn=NOC1

grant auto

lifetime crl 12

lifetime certificate 1

lifetime ca-certificate 5

!

crypto pki trustpoint LAB

query certificate

revocation-check crl

rsakeypair LAB

!

CA cert exipers after 5 days and signed certificate expired after 1 day.


After 5 days, CA certificate expired and I didn't rollover it.

The PKI server is turned off at 15:42:53 EET Sep 18 2010 and I couldn't start it after that.

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    cn=NOC1
  Validity Date:
    start date: 15:42:53 EET Sep 13 2010
   end   date: 15:42:53 EET Sep 18 2010
  Associated Trustpoints: LAB


lab1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
lab1(config)#crypto pki server LAB
lab1(cs-server)#no shu
lab1(cs-server)#no shutdown
% CA certificate expired. Cannot enable the Certificate Server.


I manually rolledover CA certificate, but this didn't help,

lab1(cs-server)#crypto pki server LAB ro                <------------- rollover CA certificate

lab1#show crypto pki certificates
Certificate                           <------------------ SHADOW
  Status: Available
  Certificate Serial Number: 07
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    Name: NOC1
    cn=NOC1
  Validity Date:

    start date: 15:42:53 EET Sep 18 2010

    end   date: 15:42:53 EET Sep 23 2010  Associated Trustpoints: LAB
CA Certificate              <---------------------- OLD
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    cn=NOC1
  Validity Date:
    start date: 15:42:53 EET Sep 13 2010
    end   date: 15:42:53 EET Sep 18 2010
  Associated Trustpoints: LAB

Why PKI server doesn't use shadow certificate, is it possible to force them using it?

Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion

Related Content