Cisco Support Community

VPN between many Pix using W2K CA server and MSCEP - RA certificates renew

Hello everybody,

We have been using, for one year now, a VPN architecture with a few PIXes and certificate authentication. These certificates are stored on and delivered by a W2K CA server with the MSCEP add-on installed (W2K SP3 with MSCEP 5.131.2195.1).

The server is a stand-alone CA server and all PIXes are on version 6.2.1.

The problem is that the certificates are about to expire, especially the RA certificate generated by the MSCEP add-on installation.

How can I renew this RA certificate?

I tried reinstalling the MSCEP add-on, but that generates a new RA certificate and means that all tunnels between the PIXes stop working. (The RA certificate stored on the PIXes is different from the new RA certificate stored on the CA server.)

How can I renew this RA certificate without reinstalling the MSCEP add-on and without modifying the existing VPN tunnels?

Can I modify the expiration time of the RA certificate? (It is one year by default.)

Thank you for your help.


Re: VPN between many Pix using W2K CA server and MSCEP - RA cert

I think you'll need to re-authenticate and re-enroll your devices to renew the RA certificates. Even with expired certificates, the tunnels which have already been established do not go down. In fact, for a tunnel which is up and running, valid certs are necessary only for retrieving the certificate revocation lists. "CRL optional" should take care of that. I guess you can re-enroll without disrupting your setup. All the same, it's wiser to do so in a maintenance window with sufficient heads-up.
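The re-authenticate / re-enroll sequence and the "CRL optional" setting the reply refers to, written out as a PIX 6.x `ca` command-line walkthrough. This is an added example, not part of the original thread: the CA nickname `myca`, the fingerprint value and the challenge password are placeholders, it assumes the PIX already has an RSA key pair and a working `ca identity` entry pointing at the MSCEP server, and the exact keyword syntax should be checked against the PIX 6.2 command reference before use.

```text
! Run on each PIX, one at a time, inside a maintenance window as the reply suggests.
pixfirewall# configure terminal

! Enrollment goes through the MSCEP RA, so the mode is "ra". Retry SCEP every
! 1 minute, up to 20 times. "crloptional" is the "CRL optional" knob: IKE is
! allowed to proceed when the CRL cannot be fetched, instead of failing the peer.
pixfirewall(config)# ca configure myca ra 1 20 crloptional

! Re-authenticate: fetch the CA and RA certificates from the server again.
! The fingerprint argument (placeholder below) must be the one you read out of
! band on the CA server; if it does not match what the PIX receives, the
! authentication is rejected rather than silently trusting whatever answered.
pixfirewall(config)# ca authenticate myca 0123456789ABCDEF0123456789ABCDEF

! Re-enroll: request a new identity certificate for this PIX. The challenge
! password (placeholder) is the one issued by the MSCEP enrollment page.
pixfirewall(config)# ca enroll myca <challenge-password>

! Confirm what is now stored: the CA, RA and identity certificates with
! their validity periods.
pixfirewall(config)# show ca certificate

! Persist the certificates to flash, then the configuration change.
pixfirewall(config)# ca save all
pixfirewall(config)# write memory
```

Until the new certificates are in place on every peer, a PIX that has been re-enrolled against a renewed RA will still present an identity certificate signed by the same CA, which is why the reply expects established tunnels to survive; checking `show ca certificate` on both ends of one tunnel before moving on to the next device is the cheap way to confirm that.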
