Can't seem to renew Cert on PIX - CA and RA Certs have old Dates

stownsend
Level 2

I'm trying to renew my cert on my PIX with a MS Cert Server.

The Cert Expired today and all my client connections are failing.

I've tried to renew the cert using the following:

no ca save all

ca zeroize rsa

no ca ident myident

ca generate rsa key 1024

ca identity myident 10.0.0.1:/certsrv/mscep/mscep.dll

ca configure myident ra 1 20

ca authenticate myident

ca enroll myident cisco1

ca save all

When I get to the 'ca authenticate myident' command I can do a 'sh ca cert' and it shows me my old CA Certificate, RA Signature Certificate and RA KeyEncipher Certificates. They all have the old Valid Dates on them...

I've renewed the CA's Cert and it's good till 1/12/2005.

On the MS Side of things I'm getting the following Error:

Event CertSVC Error 21

Certificate Services could not process request 133 due to an error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495). The request was for CN=firewall.domain.com+ OID.1.2.840.113549.1.9.2=firewall.domain.com.

Any Suggestions?

Thanks,

Scott<-

1 Reply

j-block
Level 4

One thing you can check for is that the department or organizational unit (OU) corresponds to the VPN Client group name, as configured in the PIX vpngroup name.
