Regenerate and Re-enroll PKI Certificate on IOS CA

susleman
Level 1

Hi,

I am just wondering whether there is anyone who can advise me on this. I want to configure a Cisco router as an IOS CA server, and when the certificate expires I want to ensure the Cisco IOS CA server is able to regenerate the certificate automatically and all the routers are able to automatically re-enroll to this IOS CA server. Is this possible?

thanks

-santo-

3 Replies

Marcin Latosiewicz
Cisco Employee

Santo,

Minor misconception here, if I read this correctly.

IOS CA can be configured to automatically grant re-enrollments.

It's every router's responsibility to request a new cert and roll it over.

IOS devices are performing those functions automatically if configured to do so and enrollment to CA was done via SCEP.

M.

Hi Marcin,

Thanks for your reply. Frankly, I am not really familiar with CA servers. I am learning about PKI :-)

Here is my IOS CA configuration

Here is my router configuration

My problem is, I tried to simulate certificate expiry by changing the clock beyond the expiry date on the IOS CA server (btw, this IOS CA is also the NTP server). I am expecting that the IOS CA will regenerate a new certificate and this certificate will be distributed to the IOS router.

Is my expectation right with the config above? For the first time, I have no problem generating and distributing the certificate because it is all manual generation. All the IOS routers are getting the time from the NTP server.

thanks

-santo-

Santo,

You can check "show crypto pki timer" to see if re-enrollment timer is up and active.

I'm not sure if changing NTP during validity of certificate will matter, unless you have reloaded.

Consider that NTP should be already synced once the original enrollment takes place.

I'm not a big fan of using "regenerate" in TP unless it's really needed.

M.
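
A minimal sketch of the setup discussed in this thread, added here as an illustration and not taken from either poster's configuration: an IOS CA that grants requests and rolls over its own certificate, and a client trustpoint that re-enrolls over SCEP. The names LAB-CA, LAB-TP and LAB-TP-KEY, the 192.0.2.1 address, the subject name, and all lifetimes and percentages are assumptions.

```cisco
! ---- IOS CA server (constructed example, all names and values are placeholders) ----
! SCEP requests arrive over the router's HTTP server
ip http server
crypto pki server LAB-CA
 issuer-name CN=LAB-CA
 database level minimum
 ! Lifetimes are in days
 lifetime ca-certificate 1095
 lifetime certificate 365
 ! grant auto approves every request that reaches the SCEP URL,
 ! so restrict which hosts can reach the CA's HTTP service
 grant auto
 ! Generate the rollover (shadow) CA certificate 30 days before the CA certificate expires
 auto-rollover 30
 no shutdown
!
! ---- Enrolling router ----
crypto pki trustpoint LAB-TP
 enrollment url http://192.0.2.1:80
 subject-name CN=router1.example.com
 rsakeypair LAB-TP-KEY 2048
 ! Request a new certificate at 70% of the current certificate's lifetime.
 ! The optional "regenerate" keyword (new key pair at each renewal) is left off here.
 auto-enroll 70
!
! One-time bootstrap on the enrolling router (global configuration mode)
crypto pki authenticate LAB-TP
crypto pki enroll LAB-TP
!
! Verification (exec mode): renewal and rollover timers, then the installed certificates
show crypto pki timers
show crypto pki certificates LAB-TP
```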
