Cisco Support Community
Community Member

ASA Local CA cert, rollover question

Syslog alerts to :

Local CA Server certificate is due to expire in x days and a replacement certificate is available for export.

We have about 100 users on AnyConnect VPN.

How do we ensure that the VPN users are not affected when the current cert expires and the ASA replaces the current cert with the new self-signed cert?






Hi CJ,

The expiration time of the CA certificate is monitored via a timer, and 30 days prior to its expiration a rollover/shadow certificate is generated to replace this certificate. For that period of time, both CA server certificates exist and the shadow certificate is available for export to other ASAs that would need to be able to validate any clients issued by the shadow certificate. Syslogs are generated within the 30-day period (717049) to report the expiration as it approaches and upon rollover (717041). If the Local CA certificate expires it should automatically renew (auto-rollover); the status of the rollover can be seen in the output of "show crypto ca server". Client certificates issued before the rollover would still be valid, providing their expiration date has not passed. However, if the Local CA cert is expired (and not rolled over) there is no way to validate the client cert. With rollover there shouldn't be any problems with the Local CA cert expiring; it should replace the old cert when it expires with the new one.


I hope this answers your question.



Vishnu Sharma
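The answer above turns on two syslog message IDs (717049 while the shadow certificate is waiting to be exported, 717041 once the rollover has happened). The following added example, which is not part of this thread or of any Cisco tool, shows how a monitoring script could consume those messages: it parses a constructed ASA syslog feed, tracks the "days to expire" counter, and tells the operator whether the shadow CA certificate still needs exporting or whether the rollover has already completed and "show crypto ca server" should be checked. The 717049 text is the one quoted in the question; the 717041 wording, the hostnames, timestamps and severity digits in the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Message IDs named in the thread: 717049 (CA cert expiring, shadow cert
# available for export) and 717041 (rollover happened). The 717049 text is
# quoted in the question; the 717041 text in the sample feed is assumed.
MSG_EXPIRY_WARNING = "717049"
MSG_ROLLOVER = "717041"

# Generic ASA syslog shape "%ASA-<severity>-<msgid>: <text>". The severity
# digit is captured but not relied upon; the message ID is what matters.
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
DAYS_RE = re.compile(r"due to expire in (?P<days>\d+) days?")

# Constructed sample feed (hostname, timestamps and severities are made up).
SAMPLE_LOG: List[str] = [
    "Mar 01 2016 02:00:01 asa-vpn1 : %ASA-6-302013: Built outbound TCP connection 12345",
    "Mar 01 2016 02:00:05 asa-vpn1 : %ASA-6-717049: Local CA Server certificate is due to expire in 30 days and a replacement certificate is available for export.",
    "Mar 26 2016 02:00:05 asa-vpn1 : %ASA-6-717049: Local CA Server certificate is due to expire in 5 days and a replacement certificate is available for export.",
    "Mar 31 2016 02:00:07 asa-vpn1 : %ASA-6-717041: Local CA Server certificate has been rolled over to the shadow certificate.",
]


@dataclass
class CaEvent:
    msgid: str
    severity: int
    days_left: Optional[int]  # only populated for 717049
    text: str


def parse_asa_line(line: str) -> Optional[CaEvent]:
    """Return a CaEvent for the two Local CA messages, None for anything else."""
    m = ASA_RE.search(line)
    if not m or m.group("msgid") not in (MSG_EXPIRY_WARNING, MSG_ROLLOVER):
        return None
    days = None
    if m.group("msgid") == MSG_EXPIRY_WARNING:
        d = DAYS_RE.search(m.group("text"))
        days = int(d.group("days")) if d else None
    return CaEvent(m.group("msgid"), int(m.group("sev")), days, m.group("text"))


def assess(lines: Iterable[str], export_by_days: int = 7) -> dict:
    """Walk the feed in order and decide what the operator should do next.

    A 717049 updates the remaining-days counter; a 717041 marks the rollover
    as done, after which the export warning is moot and verification is due.
    """
    days_left: Optional[int] = None
    rolled_over = False
    for line in lines:
        ev = parse_asa_line(line)
        if ev is None:
            continue
        if ev.msgid == MSG_ROLLOVER:
            rolled_over = True
        elif ev.days_left is not None:
            days_left = ev.days_left
    if rolled_over:
        action = ("rollover done: verify with 'show crypto ca server' and distribute "
                  "the new CA cert to any peer ASA that validates these client certs")
    elif days_left is not None and days_left <= export_by_days:
        action = "export the shadow CA certificate now (%d days left)" % days_left
    elif days_left is not None:
        action = "shadow certificate available; schedule export"
    else:
        action = "no Local CA expiry events seen"
    return {"days_left": days_left, "rolled_over": rolled_over, "action": action}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

Feeding the script a live syslog stream instead of `SAMPLE_LOG` is the only change needed; the `export_by_days` threshold is where a site decides how late in the 30-day window it is still comfortable exporting the shadow certificate to peer ASAs.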
