Cisco Support Community

New Member

Cisco IOS Certificate Server CA root query

I am in the middle of labbing a DMVPN environment and after getting it working with PSK, I have got it working with certificates by setting up a Cisco IOS Certificate Server and enrolling all routers.

I have noticed that my router identity certificates seem to auto refresh/enroll their certificates ok, but I am concerned about what is going to happen about the validity of the root certificate which has a finite set time.

Can anyone explain what I would need to do to ensure the root CA certificate doesn't expire, or how to replace the root cert without having to delete all the certificates on all routers?

When I check out the options I can configure inside the 'crypto pki server' or '...trustpoint' for the CA, I can't seem to find anything that makes sense, or change anything as it's in use.

Cisco Employee

Re: Cisco IOS Certificate Server CA root query

You're mentioning the "rollover" process.

And you have the option to roll over automatically ... not sure what you configured. "show crypto pki timer" will show you which PKI timers are active... maybe rollover is already there?

I believe you'd be interested in this:
