Cisco Support Community

New Member

Public CA Certificate lifetime


I'm running a PKI network and I have a question about the public CA certificate.

My CA certificate has a lifetime of 2 years. All the certificates generated by the CA server have a 1-year lifetime and they re-enroll at 70% of that lifetime. What's the impact of the CA certificate ending or the CA certificate regeneration? I found that when a spoke re-enrolls its certificate, it won't be able to do so if the generated certificate lifetime is greater than the remaining CA certificate lifetime.

Does someone have documentation about that or has experienced the same problem?

Thank you very much


Re: Public CA Certificate lifetime

Certificate enrollment, which is the process of obtaining a certificate from a certification authority (CA), occurs between the end host requesting the certificate and the CA. Each peer that participates in the public key infrastructure (PKI) must enroll with a CA. For more information on this, kindly follow the URL,

New Member

Re: Public CA Certificate lifetime

But my Certification Authority (CA) has a public certificate that is used by the authentication process of my spokes. And that public certificate has an expiration date. I want to know the impact of renewing this public certificate.

But I'll read your PDF to see if I can find something interesting.

Thank you very much

New Member

Re: Public CA Certificate lifetime


While not exactly the same problem as yours, it is similar, and here are my findings.

I'm building a VPN for one of my customers, and he insists on using their existing PKI infrastructure, with root CA and subordinate CA. There was a document on CCO that says that it is preferred to have a standalone CA just for network certificates, independent of the existing PKI infrastructure, but I cannot find it anymore.

The root CA certificate is valid for 2 years, after that it is automatically renewed. But SCEP doesn't have support to reauthenticate the trustpoint and retrieve the new CA certificate. It can when the CA is Cisco IOS CA, but not from MS CA.

Certificates issued by the CA are valid for max one year, or to the date when the CA certificate expires. If one doesn't generate a new CA certificate, new certificates' lifespan would be shorter and shorter, and all certificates would be void after two years.

But that's not exactly the case. Since the root CA certificate is automatically renewed before the end date, the CA would be able to issue new certificates. But the SCEP certificate needs to be generated again, which means that SCEP has to be reinstalled (the only way that I know to generate a new SCEP certificate).

Theoretically, if the new CA certificate has the same keys as the old one (default on MS CA when automatic root CA certificate regeneration is used) nothing should stop working. However, the router's certificates are signed with a hash that includes not only the private key but also other fields from the root certificate, including the end date. That means that routers that have a certificate signed with the old root CA certificate and those that have a certificate signed with the new root CA certificate won't be able to successfully authenticate.

The only way to overcome this is to remove the trustpoint, recreate it, authenticate the CA (and retrieve the new root CA certificate), and enroll for a new certificate.
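The failure the original question describes (a spoke's re-enrollment refused because the requested lifetime would outlive the CA certificate) and the ever-shorter lifetimes this reply describes for the MS CA are two outcomes of the same arithmetic. The following added simulation is not from the thread or from Cisco; it assumes constructed sample dates (a 2-year CA certificate, 1-year spoke certificates, renewal at 70%) and replays a spoke's enrollment rounds against the CA certificate's notAfter under both behaviours.

```python
from datetime import datetime, timedelta

# Constructed sample values matching the thread: a 2-year CA certificate and
# 1-year spoke certificates that re-enroll at 70% of their lifetime.
CA_NOT_BEFORE = datetime(2024, 1, 1)
CA_NOT_AFTER = CA_NOT_BEFORE + timedelta(days=730)
SPOKE_LIFETIME = timedelta(days=365)
RENEW_FRACTION = 0.7


def simulate_reenrollment(ca_not_after, cert_lifetime, first_enroll,
                          renew_fraction=RENEW_FRACTION, on_overrun="block",
                          max_rounds=20):
    """Replay one spoke's enrollment cycle against the CA certificate's expiry.

    Each round the spoke asks for a certificate of `cert_lifetime` and schedules
    its next request at `renew_fraction` of the lifetime it actually received.
    When the requested notAfter would pass the CA certificate's notAfter:
      on_overrun="block"    -> the request fails (the refusal the original
                               poster observed) and the simulation stops;
      on_overrun="truncate" -> the certificate is issued only up to the CA
                               expiry (the shrinking lifetimes described for
                               the MS CA), so renewals keep succeeding but
                               every certificate dies with the CA certificate.
    Returns a list of (enroll_time, not_after, status) tuples.
    """
    t, rounds = first_enroll, []
    for _ in range(max_rounds):
        if t >= ca_not_after:
            break  # CA certificate already expired, nothing can be issued
        not_after = t + cert_lifetime
        if not_after > ca_not_after:
            if on_overrun == "block":
                rounds.append((t, not_after, "blocked"))
                break
            not_after = ca_not_after
        rounds.append((t, not_after, "issued"))
        t = t + (not_after - t) * renew_fraction
    return rounds


def last_full_lifetime_enroll(ca_not_after, cert_lifetime):
    """Latest moment the CA can still issue a certificate with its full lifetime;
    a new CA certificate has to be in place on both sides before this date."""
    return ca_not_after - cert_lifetime
```

With the sample dates the spoke's third renewal attempt (late May 2025) is refused while its current certificate still runs until September 2025, so without a CA rollover it drops off the VPN months before the CA certificate itself expires.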



New Member

Re: Public CA Certificate lifetime

I recently received information about a hidden command (auto-rollover) that was introduced in IOS 12.4.

But you must have 12.4 IOS on both sides (CA server and customer side).

The CA can generate a new root certificate and new key pair a [period of time] before the expiration of its old certificate. The new certificate and key pair will be stored for new SCEP requests and SCEP re-enrollment requests and will take effect on the date of the expiration.

I won't be able to check if it will work because I don't have 12.4 IOS on my spoke routers.

I'll probably use a temporary PSK policy during the time that I start a new PKI architecture with higher lifetime values.

But thank you very much.

p.s. I don't know if you can use a part of that feature with MS-CA.

New Member

Re: Public CA Certificate lifetime

Well, that's what I said :) Routers can retrieve the new root CA certificate when the CA is on an IOS router, but not with MS CA.

And it's not a hidden command.