New Member

DMVPN - Certificates don't auto-renew


I have a DMVPN with RSA certs (and an internal IOS CA Server on a router) that have been up for many months; however, recently the spoke certs have started expiring. Since auto-renew is enabled, I granted the "pending" certs on the CA server, but the spokes were never able to obtain their new certs even though the VPN tunnels were still up. Eventually, I ran out of time for troubleshooting and all tunnels expired and were torn down due to IKE failures because of expired certs.

Any idea why granting the certs didn't have any effect?



Re: DMVPN - Certificates don't auto-renew

Some certificate authorities require you to generate a new key pair to renew a certificate, while other certificate authorities allow you to use the key pair of the expiring certificate to renew a certificate. Also note that some CA servers require a new key to be generated when renewing a certificate.

New Member

Re: DMVPN - Certificates don't auto-renew

For an IOS CA Server running 12.4(11)T3/ADV SECURITY... what would I need to check to verify this is the case? I followed the SRND and never saw anything related to rekeying.

Also, wouldn't a rekey on a remote client be disruptive? I mean, if it's seamless and the tunnels stay up... I am fine with it. However, otherwise, I'd have to find alternatives.

Thanks very much for your response!