Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Trustpool expiration on 3750-X

Hi,

few days ago, we received these logs from a 3750-X stack (IOS version 15.0(2)SE2):

Mar  8 11:11:52.680: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days

Mar  8 11:11:52.680: %PKI-4-TRUSTPOOL_AUTO_UPDATE_DISABLED: Auto-trustpool update is disabled.

if I look the documentation "PKI Trustpool Management" , it's wrote:

The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions.....   The PKI trustpool timer matches the CA certificate with the earliest expiration time. If the timer is running and a bundle location is not configured and not explicitly disabled, syslog warnings are issued to alert the administrator that the PKI trustpool policy option is not set.

PKI Trustpool Management is enabled by default... But, it's possible to disable it ? if yes, how ?

because we don't use "https server" on our 3750-X, I think that isn't necessary to use "PKI Trustpool"... correct ?

thanks a lot for your help

best regards

Sam

  • LAN Switching and Routing
1 ACCEPTED SOLUTION

Accepted Solutions
New Member

It can be ignored. My router

It can be ignored. My router is working without problems.

6 REPLIES
New Member

I have the same

I have the same problem

trustpool will expire 2028 and the switch starts complaining today 

Oct 26 14:22:08.937 MEST: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days.

 

Does anything stop working in 20 days ??

 

switch#show crypto pki trustpool policy
Load for five secs: 35%/0%; one minute: 28%; five minutes: 29%
Time source is NTP, 11:44:56.719 MET Mon Oct 27 2014

Trustpool Policy

   Chain validation will stop at the first CA certificate in the pool
   Trustpool CA certificates will expire 01:59:59 MEST Aug 3 2028

New Member

It can be ignored. My router

It can be ignored. My router is working without problems.

New Member

It is possible to update the

It is possible to update the Trustpool certificates following the procedure indicated in the following document,

 

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-pki-trustpool-mgmt.html

 

The command to update the certificates is:

Router(config)# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

 

New Member

The command works, however I

The command works, however I went from 4 certs to 142 certs. And they have crazy expiration dates:

    start date: 10:25:36 EDT Dec 18 2012
    end   date: 04:27:20 EDT Nov 12 1901

    start date: 05:06:56 MDT Jul 19 2012
    end   date: 22:38:40 MDT Jun 12 1906

    start date: 20:00:00 MDT Sep 30 1999
    end   date: 13:31:43 MDT Jun 10 1900

etc.

Can someone let us know if this is a best practice to issue this command on our production devices?

New Member

This fixes crazy expiration

This fixes crazy expiration dates:

#test crypto pki trustpool reset

New Member

It fixed that. Should I still

It fixed that. Should I still show expirations?

C2921-TestRouter-HQ#sho crypto pki trustpool       
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 00E91C61EC059B9DD0
  Certificate Usage: General Purpose
  Issuer:
    e=sbtg-noc@cisco.com
    cn=OnPlus Root CA
    ou=SBTG
    o=Cisco Systems Inc.
    l=Richardson
    st=TX
    c=US
  Subject:
    e=sbtg-noc@cisco.com
    cn=OnPlus Root CA
    ou=SBTG
    o=Cisco Systems Inc.
    l=Richardson
    st=TX
    c=US
  Validity Date:
    start date: 19:59:30 MDT Oct 9 2012
    end   date: 19:59:30 MDT Sep 30 2014
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (4096 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: AB8A86B3 921B119C 4E41E18A 27C333B7
  Fingerprint SHA1: BFEA0861 7B7E5D83 8CEA6763 9CCD4F11 0757A9E6
  X509v3 extensions:
    X509v3 Subject Key ID: 2CFBCBC5 7D021FB1 E2D80E08 162714CA 0EE14235
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 2CFBCBC5 7D021FB1 E2D80E08 162714CA 0EE14235
    Authority Info Access:
  Associated Trustpoints: Trustpool
  Trustpool: Built-In

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 0A0141420000012BD040B46700000002
  Certificate Usage: Signature
  Issuer:
    cn=DST Root CA X3
    o=Digital Signature Trust Co.
  Subject:
    cn=Cisco SSCA2
    o=Cisco Systems
  CRL Distribution Points:
    http://crl.identrust.com/DSTROOTCAX3.crl
  Validity Date:
    start date: 15:25:22 MDT Oct 21 2010
    end   date: 15:25:22 MDT Oct 22 2015
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 95FBA1E4 32EC168D 90A86611 A1140656
  Fingerprint SHA1: F72A68DE 062A0C3B 198FAB1C BC87678B 1183CBC6
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: C7B01008 2FF0185F 1F904A4B 2A47AA0B 575FA4BB
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: C4A7B1A4 7B2C71FA DBE14B90 75FFC415 60858910
    Authority Info Access:
        OCSP URL: http://ocspts.identrust.com
    X509v3 CertificatePolicies:
        Policy: 1.3.6.1.4.1.9.21.1.1.0
            Qualifier ID: 1.3.6.1.5.5.7.2.1
            Qualifier Info: http://www.cisco.com/security/pki/policies/index.html
    Extended Key Usage:
        1.3.6.1.4.1.311.21.6
        1.3.6.1.4.1.311.20.2.1
        1.3.6.1.4.1.311.10.3.9
        1.3.6.1.4.1.311.10.3.1
        OCSP Signing
        Time Stamping
        IPSEC User
        IPSEC Tunnel
        IPSEC End System
        Email Protection
        Code Signing
        Client Auth
        Server Auth
  Associated Trustpoints: Trustpool
  Trustpool: Built-In

Thanks for your reply.

6
Views
5
Helpful
6
Replies
This widget could not be displayed.