Regenerate and Re-enroll PKI Certificate on IOS CA

Unanswered Question
Mar 1st, 2012


I am just wondering whether there is anyone who can advise me on this. I want to configure a Cisco router as an IOS CA server, and when the certificate expires I want to ensure the Cisco IOS CA server is able to regenerate the certificate automatically and all the routers are able to automatically re-enroll with this IOS CA server. Is this possible?



Marcin Latosiewicz Fri, 03/02/2012 - 01:42


Minor misconception here, if I read this correctly.

IOS CA can be configured to automatically grant re-enrollments.

It's every router's responsibility to request a new cert and roll it over.

IOS devices are performing those functions automatically if configured to do so and enrollment to CA was done via SCEP.


susleman Fri, 03/02/2012 - 02:01

Hi Marcin,

Thanks for your reply. Frankly, I am not really familiar with CA servers. I am learning about PKI :-)

here is my IOS CA configuration

here is my router configuration

My problem is, I tried to simulate the certificate expiring by changing the clock beyond the expiry date on the IOS CA server (btw, this IOS CA is also the NTP server). I am expecting that the IOS CA will regenerate a new certificate and this certificate will be distributed to the IOS router.

Is my expectation right with the config above? The first time, I had no problem generating and distributing the certificate because it was all manual generation. All the IOS routers are getting the time from the NTP server.



Marcin Latosiewicz Fri, 03/02/2012 - 02:12


You can check "show crypto pki timer" to see if re-enrollment timer is up and active.

I'm not sure if changing NTP during validity of certificate will matter, unless you have reloaded.

Consider that NTP should already be synced once the original enrollment takes place.

I'm not a big fan of using "regenerate" in TP unless it's really needed.
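Putting Marcin's two replies together in one configuration, as an added example that neither participant posted: an IOS CA that auto-grants requests and rolls its own certificate before expiry, and a client trustpoint enrolled over SCEP that re-enrolls on its own at 70% of the certificate lifetime. The hostnames, key labels, domain and the 192.0.2.1 address are assumed placeholders.

```cisco
! ===== IOS CA server (assumed hostname "ca-router", also the NTP source) =====
ip domain name example.com
ip http server                                  ! SCEP enrollment runs over HTTP
! Key label must match the PKI server name; exportable so the CA can be backed up
crypto key generate rsa general-keys label IOSCA modulus 2048 exportable
crypto pki server IOSCA
 database level complete
 database url nvram:
 issuer-name CN=ca-router.example.com, O=Example
 lifetime ca-certificate 730                    ! CA cert lifetime in days (set before no shutdown)
 lifetime certificate 365                       ! issued (client) cert lifetime in days
 grant auto                                     ! auto-grant enrollment and re-enrollment requests
 auto-rollover 30                               ! CA generates its shadow (rollover) cert 30 days before expiry
 no shutdown

! ===== Client router (assumed hostname "spoke1") =====
ip domain name example.com
ntp server 192.0.2.1                            ! clock must be valid before enrollment and renewal
crypto key generate rsa label SPOKE1 modulus 2048
crypto pki trustpoint IOSCA
 enrollment url http://192.0.2.1:80             ! SCEP URL of the IOS CA
 subject-name CN=spoke1.example.com
 rsakeypair SPOKE1
 revocation-check none                          ! no CRL fetch in this lab; use crl in production
 auto-enroll 70 regenerate                      ! re-enroll at 70% of lifetime; "regenerate" also makes a new key pair,
                                                ! omit it to keep the existing key pair across renewals
crypto pki authenticate IOSCA                   ! fetch and verify the CA certificate fingerprint
crypto pki enroll IOSCA                         ! initial SCEP enrollment (manual once; renewals are automatic)

! ===== Verification =====
! show crypto pki timer        -> RENEW timer on the client, SHADOW timer on the CA
! show crypto pki certificates -> current and, near rollover, shadow certificates
! show crypto pki server       -> CA state, next rollover date
```

Changing the clock forward to force expiry does not trigger the renewal by itself: the client acts on its RENEW timer, which is computed from the certificate it already holds, so check that timer with "show crypto pki timer" rather than waiting for the CA to push anything.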


