Is there a way to force the router to re-enroll with out bringing the tunnel down?

mguzman4158
Level 1

Hi all,

I have the following configuration:

crypto pki trustpoint mycompany.com
enrollment retry count 5
enrollment retry period 3

enrollment url http://x.x.x.x:80
serial-number none
fqdn routername.mycompany.com
ip-address none
password
subject-name l=Denver,c=US
revocation-check none
auto-enroll 70

Scenario

If the certificate already reached 70 percent of its lifetime and the router has already tried 5 times to get a new one and failed.

1. Is there a way to know how many times the router has tried to re-enroll?

2. Is there a way to force the router to re-enroll without bringing the tunnels down?

3. If the router already tried, can I increase the auto-enroll to 90 - would this work?

Thank you very much in advance for your replies.

Cheers!

Accepted Solution

michael.leblanc
Level 4

mguzman4158:

Question 1

Output from the following command might indicate re-enrollment failures after they occur.

hq-edg01#sh crypto pki timers

PKI Timers
|  2d 1:59:35.732
  |  2d 1:59:35.732  CRL Unable to display CDP
  |353d 8:31:22.880  RENEW ca.domain.null


Question 2

This chapter: Configuring Certificate Enrollment for a PKI

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.pdf

... and this chapter: Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv.pdf

... from this book: Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/12_4t/sec_secure_connectivity_12_4t_book.pdf

... might help.


Question 3

In my opinion, I believe you would be able to re-initiate re-enrollment at a later date by incrementing the percentage argument.

Best Regards,
Mike
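Added example, not code from the thread or from Cisco: a small Python helper that parses the `show crypto pki timers` output Mike quoted and works out where in a certificate's validity period `auto-enroll <percent>` fires, which is the arithmetic behind question 3 (raising the percentage to put the renewal point back in the future). The sample timer text and certificate dates are constructed; the timer line format is inferred from the output above, and treating a missing RENEW timer as the condition to alert on is this example's assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same layout as the `show crypto pki timers` output above.
SAMPLE_TIMERS = """PKI Timers
|  2d 1:59:35.732
  |  2d 1:59:35.732  CRL Unable to display CDP
  |353d 8:31:22.880  RENEW ca.domain.null
"""

# One timer line: optional "<n>d", then h:m:s.ms, then an optional label such as
# "RENEW ca.domain.null" (assumed format). The unlabelled head line mirrors the next timer.
_LINE = re.compile(r"\|\s*(?:(\d+)d\s*)?(\d+):(\d+):(\d+)\.(\d+)\s*(.*)$")


def parse_pki_timers(text: str) -> dict:
    """Map each labelled timer (RENEW, CRL, ...) to the time left before it fires."""
    timers = {}
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m or not m.group(6):
            continue
        days, h, mi, s, ms, label = m.groups()
        timers[label.split()[0]] = timedelta(days=int(days or 0), hours=int(h),
                                             minutes=int(mi), seconds=int(s),
                                             milliseconds=int(ms))
    return timers


def renew_due_in(text: str):
    """Time until the RENEW timer fires, or None when no renewal is scheduled.
    Assumption of this example: None is the case worth alerting on, since the
    router is no longer counting down to an automatic re-enrollment."""
    return parse_pki_timers(text).get("RENEW")


def auto_enroll_fire_time(not_before: str, not_after: str, percent: int) -> str:
    """ISO timestamp at which `auto-enroll <percent>` starts renewal: the point
    `percent` of the way through the certificate's validity period."""
    nb, na = datetime.fromisoformat(not_before), datetime.fromisoformat(not_after)
    return (nb + (na - nb) * (percent / 100)).isoformat(timespec="seconds")


def reschedules_renewal(not_before: str, not_after: str, now: str,
                        old_percent: int, new_percent: int) -> bool:
    """True when raising auto-enroll from old_percent to new_percent moves the
    renewal point from the past back into the future (the idea behind question 3)."""
    now_iso = datetime.fromisoformat(now).isoformat(timespec="seconds")
    old = auto_enroll_fire_time(not_before, not_after, old_percent)
    new = auto_enroll_fire_time(not_before, not_after, new_percent)
    return old <= now_iso < new
```

Feed the real `show crypto pki timers` text and the validity dates from `show crypto pki certificates` to the same functions to see whether a higher percentage would actually schedule a new attempt on your router.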
