New Member

PKI certificate renew date field not showing

Hi,

My router (Cisco 3825 15.0(1)M6) is configured to auto-enroll after 60% of the validity of the certificates.

The renew date field is not showing in 'show crypto pki certificates'.

Can you please advise what the problem is, as I didn't find any related bug? On the other routers (Cisco 2911 15.0(1)M5, Cisco ASR 1002 15.3(2)S) it is the same issue.

I tried to remove the trustpoint and re-add it, but it didn't resolve the problem! Maybe the problem is in the CA (Win 2008 R2 Standalone Root)?

10 REPLIES
Cisco Employee

PKI certificate renew date field not showing

If you enrolled via SCEP the renew timer should have started in "show crypto pki time".

If it's not there, consider opening up a TAC case.

New Member

Re: PKI certificate renew date field not showing

Thanks for answer, Marcin.

Output of show crypto pki time:

Router#show crypto pki time

PKI Timers

|     4:13:22.928 

  |     4:13:22.928  SHADOW CAROOT

  |    13:09:46.648  CRL Unable to display CDP

  |313d17:31:32.936  SHADOW SubCa

Is "CRL Unable to display CDP" OK or not?

Marcin, my router can renew the certificate only after reloading. My goal is to do it without reloading.

Cisco Employee

Re: PKI certificate renew date field not showing

We've had a few similar problems in the past, e.g.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuh71381 (this one is quite the opposite)

Your CA and subCA certs are going to be refreshed, but not the identity.

The CRL timer might be due to a malformed/unexpected CDP URL.

The problem (with renew timers) typically comes down to calculating lifetime, and it is highly dependent on your certs. Open up a TAC case, let's have a deeper look.

New Member

Re: PKI certificate renew date field not showing

Unfortunately, I haven't got any contract number to open a TAC case. I tried to enroll the certificate from the CA manually and there was the following in debug crypto pki Message and Transaction:

CRYPTO-PKI: Server returned capabilities: 4

Do you know what it means?

Cisco Employee

PKI certificate renew date field not showing

That debug is indicating the amount of CA capabilities returned:

http://tools.ietf.org/html/draft-nourse-scep-23#page-40

M.

New Member

Re: PKI certificate renew date field not showing

Marcin, if there is only this message from the debug output and the RootCA shows no logs, how do I troubleshoot this problem? Maybe an additional debug command will help me?

Cisco Employee

Re: PKI certificate renew date field not showing

debug cry pki m

debug crypto pki t

debug crypto pki A

are the typical minimums.

Remove the trustpoint carrying the identity cert, and revoke the certs.

Authenticate (first!) and enroll the trustpoint, watch the debugs.

New Member

Re: PKI certificate renew date field not showing

If I do it, everything works fine. The problem appears when I try to test auto-enrollment.

1) In the trustpoint configuration I enter the command auto-enroll 15 regenerate, after which in the console I see the following:

CRYPTO_PKI: Setting renewal timers

But where can I find these new timers?

2) Can I re-enroll the certificate before this lifetime expires? I have a valid certificate and I tried to renew it with the command

crypto pki enroll RootCA

but nothing happened. Is it normal or not?

Cisco Employee

Re: PKI certificate renew date field not showing

1) Those should be the crypto pki timers I indicated before.

Check

http://www.cisco.com/en/US/tech/tk1132/technologies_tech_note09186a0080c0debe.shtml

There's a section there using auto-enrollment.

2) AFAIR you can only rollover the CA cert during normal operation.

BTW, before you go further check the basics - time. Make sure you have good time set and you're updating the calendar.

Mind that I do not know your PKI; there are tons of questions and factors.

I don't particularly see a reason to enroll to your rootCA unless you're planning to have this router acting as subCA, which is not the case.

I think you meant to chain those trustpoints and not enroll root? Unless "RootCA" is just a name?

You see what I mean? :-)
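The two points Marcin raises, that renew-timer problems "typically come down to calculating lifetime" and that the router clock must be right before anything else, can be checked offline. The following is an added example, not code from the thread or from Cisco. It assumes that an IOS trustpoint configured with "auto-enroll <percent>" starts renewal once that percentage of the certificate's validity period (measured from notBefore) has elapsed, and it mimics the countdown style of 'show crypto pki timers' (e.g. "313d17:31:32"); the exact IOS rounding is an assumption, as are the constructed sample dates and the 5-minute skew tolerance.

```python
# Added example (not from the thread or from Cisco). Models the lifetime
# arithmetic behind an IOS "auto-enroll <percent>" renewal timer and the
# "check the basics - time" step. Semantics of the percentage, the timer
# display format and the skew tolerance are assumptions.
from datetime import datetime, timedelta, timezone


def parse_utc(stamp):
    """Parse an ISO-8601 timestamp without offset (YYYY-MM-DDTHH:MM:SS) as UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def format_countdown(delta):
    """Render a timedelta the way IOS PKI timers show it: '313d17:31:32' or '4:13:22'."""
    if delta < timedelta(0):          # renewal point already passed: show zero, never negative
        delta = timedelta(0)
    hours, rem = divmod(delta.seconds, 3600)
    minutes, seconds = divmod(rem, 60)
    if delta.days:
        return f"{delta.days}d{hours:02d}:{minutes:02d}:{seconds:02d}"
    return f"{hours}:{minutes:02d}:{seconds:02d}"


def renewal_time(not_before, not_after, percent):
    """Point at which an 'auto-enroll <percent>' timer should fire (assumed semantics)."""
    if not 1 <= percent <= 100:
        raise ValueError("auto-enroll percentage must be 1..100")
    if not_after <= not_before:
        raise ValueError("certificate validity window is empty or inverted")
    # Integer scaling keeps timedelta arithmetic exact to the microsecond.
    return not_before + (not_after - not_before) * percent / 100


def check_auto_enroll(not_before, not_after, percent, now):
    """Classify where the router clock sits relative to the expected renewal point.

    All timestamps are ISO-8601 strings in UTC. Returns the expected renewal
    time, a status and the countdown the SHADOW/RENEW timer should display.
    """
    nb, na, t = parse_utc(not_before), parse_utc(not_after), parse_utc(now)
    renew_at = renewal_time(nb, na, percent)
    if t < nb:
        status = "clock_before_validity"   # clock earlier than notBefore: fix NTP/calendar first
    elif t >= na:
        status = "expired"                 # past notAfter: auto renewal cannot help any more
    elif t >= renew_at:
        status = "renewal_due"             # the timer should already have fired
    else:
        status = "renewal_pending"
    return {
        "renew_at": renew_at.strftime("%Y-%m-%dT%H:%M:%S"),
        "status": status,
        "countdown": format_countdown(renew_at - t),
    }


def clock_skew_ok(router_now, ca_now, tolerance_seconds=300):
    """True if router and CA clocks agree within the tolerance (constructed sanity check)."""
    skew = abs(parse_utc(router_now) - parse_utc(ca_now))
    return skew <= timedelta(seconds=tolerance_seconds)


if __name__ == "__main__":
    # Constructed sample: a one-year identity cert, auto-enroll 60, two weeks into validity.
    print(check_auto_enroll("2013-01-01T00:00:00", "2014-01-01T00:00:00", 60,
                            "2013-01-15T00:00:00"))
```

Run it against the notBefore/notAfter of the identity certificate from 'show crypto pki certificates' and the router's 'show clock'. A status of "clock_before_validity" or a countdown that disagrees wildly with 'show crypto pki timers' points at the time basics rather than at the CA.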

New Member

Re: PKI certificate renew date field not showing

1) Yes, I've read this guide, but it describes the Cisco IOS CA server, whereas I have Win 2008 R2 SP1 as RootCA.

2) Yes, my time is synchronized between the router and the RootCA; on the router I entered the command clock calendar-valid.

I think the basics check is OK, because I can enroll the certificate the first time.

This is staging. I have only 1 RootCA and 2 Cisco routers (3825 and 2911). No SubCA. Yes, RootCA is the name of the trustpoint.

In the debug I see a new message while trying to manually re-enroll the certificate (crypto pki enroll RootCA):

CRYPTO_PKI: Begin shadow operation - skip current enrollment

PKI: Shadow state for MCSM1ROOT now NOSTATE

CRYPTO_PKI: Capabilites already obtained 80000004

PKI: Shadow state for MCSM1ROOT now NOT_SUPPORTED

CRYPTO_PKI: Setting renewal timers

PKI:get_cert MCSM1ROOT 0x10 (expired=0):

PKI:get_cert MCSM1ROOT 0x4 (expired=0):

Do you know what it means?
