But my Certification Authority (CA) have un public certificate that is used by the authentication process of my spoke. And that public certificate have an expiration date. I want to know the impact of renewing this public certificate ?

But I'll read you pdf to see if I can find something interesting

Thank you very much

Hi,

while not exactly the same problem as yours, it is similar, and here are my findings.

I'm building a VPN for one of my customers, and he insist of using their existing PKI

infrastructure, with root CA and subordinate CA. There was document on CCO that says

that it is preferred to have standalone CA just for network certificates, independent

of existing PKI infrastructure, but I cannot find it anymore.

Root CA certificate is valid for 2 years, after that it is automatically renewed. But,

SCEP don't have support to reauthenticate trustpoint and retrieve new CA certificate.

It can when CA is Cisco IOS CA, but not from MS CA.

Certificates issued by CA are valid for max one year, or to the date when CA certificate

expires. If one doesn't generate new CA certificate, new certificates lifespan would be

shorter and shorter, and all certificates would be void after two years.

But that's not exactly the case. Since root CA certificate is be automatically renewed

before end date, CA would be able to issue new certificates. But, SCEP certificate

need to be generated again, which means that SCEP has to be reinstalled (only way that

I know to generate new SCEP certificate).

Theoretically, if new CA certificate has the same keys as the old one (default on MS CA

when automatic root CA certificate regeneration is used) nothing should stop working.

However, router's certificates are signed with hash that includes not only private key

but also other field from root certificate, including end date. That means that routers

that have certificate signed with old root ca certificate and those that have

certiifcate signed with new root ca certificate won't be able to successfull authenticate.

The only way to overcome this is to remove trustpoint, recreate it, authenticate CA

(and retrieve new root CA certificate), enroll for new certificate.

Regards,

Sasa

I recently receive informations about an hidden command (auto-rollover) that was introduce in IOS 12.4.

But you must have 12.4 IOS on both side (CA server and customers side).

The CA can generate new root certificate and new key pair, a [period of time] before the expiration of his old certificate. The new certificate and key pair will be store for new SCEP request and SCEP reenrollment request and will take effect the date of the expiration.

I wont be able to check if it will work because I don't have 12.4 IOS on my spokes router.

I'll propably use a temporary PSK policy during the time that I'll start a new PKI architecture with higher lifetime value.

But thank you very much.

p.s. I don't know if you can used a part of that feature with MS-CA.

Well, that's what I said :) Routers can

retrieve new root CA certificate when

CA is on IOS router, but not with MS CA.

And, it's not hidden command.

Regards,

Sasa