ASA Local CA cert, rollover question

charl
Level 1

Syslog alerts to:

Local CA Server certificate is due to expire in x days and a replacement certificate is available for export.

We have about 100 users on AnyConnect VPN.

How do we ensure that the VPN users are not affected when the current cert expires and the ASA replaces the current cert with the new self-signed cert?


Thanks 

CJ


Vishnu Sharma
Level 1

Hi CJ,

The expiration time of the CA certificate is monitored via a timer, and 30 days prior to its expiration a rollover/shadow certificate is generated to replace this certificate. For that period of time, both CA server certificates exist and the shadow certificate is available for export to other ASAs that would need to be able to validate any clients issued by the shadow certificate. Syslogs are generated within the 30-day period (717049) to report the expiration as it approaches, and upon rollover (717041). If the Local CA certificate expires, it should automatically renew (auto-rollover); the status of the rollover can be seen in the output of "show crypto ca server". Client certificates issued before the rollover would still be valid, provided their expiration date has not passed. However, if the Local CA cert is expired (and not rolled over), there is no way to validate the client cert. With rollover there shouldn't be any problems with the Local CA cert expiring; it should replace the old cert with the new one when it expires.


I hope this answers your question.


Thanks,

Vishnu Sharma
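As an added example (not code from the thread or from Cisco), a small Python parser that watches ASA syslog for the two message ids named in the reply above, 717049 and 717041, and flags when the window for exporting the shadow CA cert to peer ASAs is running short. The sample log lines are constructed; the wording of the 717041 message and the 14-day urgency threshold are assumptions.

```python
import re

# Cisco ASA syslog header: "%ASA-<severity>-<message id>: <text>".
# 717049 = CA cert expiry warning with shadow cert available for export,
# 717041 = rollover has happened (ids taken from the reply above).
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")
DAYS_RE = re.compile(r"due to expire in (?P<days>\d+) days?")

# Constructed sample lines (not real device output): two expiry warnings,
# one unrelated connection message, and an assumed-wording rollover message.
SAMPLE_LOG = """\
%ASA-6-717049: Local CA Server certificate is due to expire in 30 days and a replacement certificate is available for export.
%ASA-6-717049: Local CA Server certificate is due to expire in 7 days and a replacement certificate is available for export.
%ASA-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)
%ASA-6-717041: Local CA Server certificate has been rolled over (assumed wording)
"""


def parse_ca_events(log_text, export_deadline_days=14):
    """Return (msgid, days_left, action) tuples for Local CA lifecycle messages.

    days_left is None for the rollover message. The action tells the operator
    what still has to happen before the old CA cert expires: the shadow cert
    must reach every peer ASA that validates client certs issued by it.
    """
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue  # not an ASA syslog line
        msgid, text = m.group("msgid"), m.group("text")
        if msgid == "717049":
            d = DAYS_RE.search(text)
            days = int(d.group("days")) if d else None
            if days is not None and days <= export_deadline_days:
                action = "URGENT: export shadow CA cert to peer ASAs that validate client certs"
            else:
                action = "shadow CA cert ready for export; schedule export to peer ASAs"
            events.append((msgid, days, action))
        elif msgid == "717041":
            events.append((msgid, None, "rollover done; verify with 'show crypto ca server'"))
    return events


if __name__ == "__main__":
    for event in parse_ca_events(SAMPLE_LOG):
        print(event)
```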
