Cisco Support Community
New Member

PIX 6.3(5) Certificate renewal

Hi

I have a PIX 515E 6.3(5) and I have a problem I simply cannot find an answer for!

We use a certificate for a VPN we have with a 3rd party, and the certificate is due for renewal in the next couple of weeks. The guy that did this originally has left the company and I've never done this before. I'm pretty certain he generated the original certificate request on this firewall.

I have this information (names changed, serials altered, etc):

From config:

ca identity mydomain.com 216.x.x.39:/cgi-bin

ca configure mydomain.com ca 1 20 crloptional

myfirewall# sh ca cert

Certificate

Status: Available

Certificate Serial Number: xxx

Key Usage: General Purpose

Subject Name:

UNSTRUCTURED NAME = myfirewall.mydomain.com + CN = myfirewall.mydomain.com

Validity Date:

start date: 00:00:00 UTC Aug 24 2006

end date: 23:59:59 UTC Aug 24 2007

I've looked at using the ca enroll command but I need to keep this VPN up while the certificate is renewed if possible.

Any help greatly appreciated!

6 REPLIES

Re: PIX 6.3(5) Certificate renewal

The following has to be done on the PIX.

ca zeroize rsa

no ca save all (Now we need to reinstall both CA and identity certs)

ca generate rsa key 512

CA fresh installation:

1. ca identity name ip_address:/certsrv/mscep/mscep.dll

2. ca configure name ra 1 3 crloptional

3. ca authenticate name

4. ca enroll name ip_address or password

6. ca save all

http://www.cisco.com/warp/customer/707/lan_to_lan_ipsec_pix_rtr_cert.html

Regards,

~JG

New Member

Re: PIX 6.3(5) Certificate renewal

Thanks for your reply. May I ask a couple more questions?

Will the existing VPN drop during this process?

Normally I use a 1024 bit RSA key, and it is likely this was used before - is that OK?

There's also a 10-year cert which I believe is from the other end of the VPN on this PIX. Will that be lost, or is it reinstalled by the ca authenticate name command?

myfirewall# sh ca cert

CA Certificate

Status: Available

Certificate Serial Number: xxx

Key Usage: General Purpose

CN = xxxxxxx xxxxxxx

O = xxxxxxx xxxxxxx plc

Validity Date:

start date: 00:00:00 UTC Apr 20 2005

end date: 23:59:59 UTC Apr 19 2015

Thanks again for your help!
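As an added example (not from this thread), a small Python checker that parses the "sh ca cert" output quoted in the question and in the follow-up above and reports which certificate, identity or CA, falls inside a renewal window. The sample text and the reference date are constructed from the redacted output on this page; the field layout is assumed to match what the PIX printed here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two "sh ca cert" blocks quoted in this thread,
# joined as the PIX lists them one after another (serials redacted as on the page).
SAMPLE_OUTPUT = """\
Certificate
Status: Available
Certificate Serial Number: xxx
Key Usage: General Purpose
Subject Name:
UNSTRUCTURED NAME = myfirewall.mydomain.com + CN = myfirewall.mydomain.com
Validity Date:
start date: 00:00:00 UTC Aug 24 2006
end date: 23:59:59 UTC Aug 24 2007
CA Certificate
Status: Available
Certificate Serial Number: xxx
Key Usage: General Purpose
CN = xxxxxxx xxxxxxx
O = xxxxxxx xxxxxxx plc
Validity Date:
start date: 00:00:00 UTC Apr 20 2005
end date: 23:59:59 UTC Apr 19 2015
"""
SAMPLE_NOW = datetime(2007, 8, 1, tzinfo=timezone.utc)  # constructed "today" for the sample

BLOCK_START = re.compile(r"^\s*(CA )?Certificate\s*$")  # "Certificate" = identity, "CA Certificate" = issuer
END_DATE = re.compile(r"end\s+date:\s*(\d{2}:\d{2}:\d{2})\s+UTC\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})")
CN = re.compile(r"\bCN\s*=\s*([^+\n]+)")

def parse_ca_certs(text):
    """Split 'show ca cert' output into one record per certificate block."""
    certs, cur = [], None
    for line in text.splitlines():
        if m := BLOCK_START.match(line):
            cur = {"kind": "ca" if m.group(1) else "identity", "cn": None, "not_after": None}
            certs.append(cur)
        elif cur is not None and (m := END_DATE.search(line)):
            when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")
            cur["not_after"] = when.replace(tzinfo=timezone.utc)
        elif cur is not None and cur["cn"] is None and (m := CN.search(line)):
            cur["cn"] = m.group(1).strip()
    return certs

def expiring_within(certs, now, days):
    """Return (kind, cn, days_left) for every cert whose end date falls within `days` of `now`."""
    horizon = now + timedelta(days=days)
    return [(c["kind"], c["cn"], (c["not_after"] - now).days)
            for c in certs if c["not_after"] is not None and c["not_after"] <= horizon]
```

With the constructed date, expiring_within(parse_ca_certs(SAMPLE_OUTPUT), SAMPLE_NOW, 30) lists only the identity certificate, 23 days from its end date, while the 10-year CA certificate is not flagged.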

New Member

Re: PIX 6.3(5) Certificate renewal

You can use any key you want.

ca generate rsa key 1024

If the other end's cert was issued by the same CA you shouldn't have any problem, because the PIX should check the cert against the CA.

New Member

Re: PIX 6.3(5) Certificate renewal

Thanks.

Can you advise if the VPN will stay up during this renewal process?

New Member

Re: PIX 6.3(5) Certificate renewal

I don't think so, since there won't be a cert for the authentication.

Re: PIX 6.3(5) Certificate renewal

It will not be able to handle new authentication requests. I would suggest doing it during off-prod hrs.

Please rate helpful posts

Regards
