Cisco Support Community

ACE MOD20 A2(3.0) Can't seem to get rid of expired CERTs.

I created expired certs.  Did my setup.  Everything is working, but found that I had created the certs with expired CERTS.

I recreated the certs for a future date. I do a sh crypto cert all. They show the proper day. Tested it with a browser and it is the old dates.

I remove the policy multi

no class

no class

no ssl prox

no ssl prox

Re imported the cert and configs and still show the old dates. 

Unfortunately this is in Operations and I can't reboot.


Re: ACE MOD20 A2(3.0) Can't seem to get rid of expired CERTs.

Hi Cecil,

Did you try to remove all the old certificates from the ssl-proxy server and also from the configuration like this:

# crypto delete MYRASKEY.PEM

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/ssl/guide/certkeys.html

Can you show #show crypto crl all and #show crypto files?

Jorge

Re: ACE MOD20 A2(3.0) Can't seem to get rid of expired CERTs.

You can try this as well.

#############################################################################################

-Make sure new certificates were updated in the standby as well

-Manually toggle the ft to synchronize the certificates:

ACE-71/Admin(config)# no ft auto-sync running-config

ACE-71/Admin(config)# no ft auto-sync startup-config

ACE-71/Admin(config)# ft auto-sync running-config

ACE-71/Admin(config)# ft auto-sync startup-config

-Check the validity of the certificate and the key like this:

# crypto verify tac-key tac-cert

Keypair in tac-key matches certificate in tac-cert.

-Finally you can bounce the ssl proxy service and that updates the certificates in the browser

#############################################################################################

Jorge
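
A client-side check for the symptom in this thread (the device lists the new certificate while browsers still receive the old one), as an added example that is not part of the original posts: it compares the SHA-256 fingerprint of the certificate file that was imported with the one the listener actually presents. The host, port and file path arguments are placeholders, and it assumes the Python client can negotiate TLS with the VIP.

```python
import hashlib
import re
import ssl
import sys

# Matches the first certificate block, so files that carry extra text
# (bag attributes, a key, a chain) before or after the leaf still work.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes, so PEM line wrapping does not matter."""
    m = CERT_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = ssl.PEM_cert_to_DER_cert(m.group(0))
    return hashlib.sha256(der).hexdigest()


def fetch_served_pem(host: str, port: int = 443) -> str:
    """Leaf certificate the listener presents. No validation is done,
    so an expired certificate is returned rather than rejected."""
    return ssl.get_server_certificate((host, port))


def compare(imported_pem: str, served_pem: str) -> dict:
    """Report whether the listener presents the imported certificate."""
    want, got = fingerprint(imported_pem), fingerprint(served_pem)
    return {"imported": want, "served": got, "match": want == got}


if __name__ == "__main__":
    # Usage: python check_served_cert.py <vip-host> <imported-cert.pem> [port]
    host, pem_path = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    with open(pem_path) as fh:
        result = compare(fh.read(), fetch_served_pem(host, port))
    print(result)
    sys.exit(0 if result["match"] else 1)
```

A mismatch after the re-import means the listener is still presenting the earlier certificate, whatever the stored file shows.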
