VPN between many Pix using W2K CA server and MSCEP - RA certificates renew
We have been using, for one year now, a VPN architecture with a few PIX firewalls and certificate authentication. These certificates are stored on and delivered by a W2K CA server with the MSCEP add-on installed (W2K SP3 with MSCEP 5.131.2195.1).
The server is a stand-alone CA, and all PIX are running version 6.2.1.
The problem is that the certificates are about to expire, especially the RA certificate generated by the MSCEP add-on installation.
How can I renew this RA certificate?
I tried to reinstall the MSCEP add-on, but that generates a new RA certificate and means that all tunnels between the PIX stop working (the RA certificate stored on the PIX is different from the new RA certificate stored on the CA server).
How can I renew this RA certificate without reinstalling the MSCEP add-on and without modifying the existing VPN tunnels?
Can I modify the expiration time of the RA certificate (one year by default)?
Re: VPN between many Pix using W2K CA server and MSCEP - RA cert
I think you'll need to re-authenticate and re-enroll your devices to renew the RA certificates. Even with expired certificates, the tunnels which have already been established do not go down. In fact, for a tunnel which is up and running, valid certs are necessary only for retrieving the certificate revocation lists; CRL optional should take care of that. I guess you can re-enroll without disrupting your setup. All the same, it's wiser to do so in a maintenance window with sufficient heads-up.
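For reference, the re-authenticate / re-enroll sequence the reply describes, as a PIX 6.x `ca` command fragment. This is an added example, not configuration posted by either participant. The CA nickname `myca`, the CA address `10.1.1.5`, the MSCEP URL path and the challenge password are assumptions; the `ra` keyword is used because MSCEP fronts the Windows CA as a registration authority, and `crloptional` is the per-CA setting the reply refers to. Removing the old CA identity first is assumed; check the exact steps against the PIX 6.2 command reference for your release.

```text
! Assumed: existing identity "myca" is removed before re-authenticating
no ca identity myca

! Point at the MSCEP endpoint on the W2K CA (address and path are assumptions)
ca identity myca 10.1.1.5:/certsrv/mscep/mscep.dll

! MSCEP acts as an RA; retry every 1 minute, 20 times; do not fail IKE if the CRL cannot be fetched
ca configure myca ra 1 20 crloptional

! Fetch the CA and (new) RA certificates; compare the fingerprint shown with the one on the CA
ca authenticate myca

! Request a new identity certificate (challenge password is an assumption)
ca enroll myca cisco123

! Verify the CA, RA and identity certificates now held by the PIX
show ca certificate

! Persist certificates and keys to flash
ca save all
```

The `crloptional` keyword is what lets an established tunnel keep running when the CRL distribution point is unreachable or the RA certificate used for CRL retrieval has expired; without it, IKE negotiation fails when the CRL cannot be validated. Run the sequence on one PIX at a time inside the maintenance window so that a failed enrollment on one device does not take the mesh down.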