PKI server forgot to rollover CA certificate

Hello guys,

I installed a PKI server on a Cisco router; here are the configs:

lab1#show clock
14:34:14.426 EET Tue Sep 21 2010
!
crypto pki server LAB
 database level complete
 no database archive
 issuer-name cn=NOC1
 grant auto
 lifetime crl 12
 lifetime certificate 1
 lifetime ca-certificate 5
!
crypto pki trustpoint LAB
 query certificate
 revocation-check crl
 rsakeypair LAB
!

The CA cert expires after 5 days and signed certificates expire after 1 day.

After 5 days, the CA certificate expired and I didn't roll it over.

The PKI server was turned off at 15:42:53 EET Sep 18 2010 and I couldn't start it after that.

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    cn=NOC1
  Validity Date:
    start date: 15:42:53 EET Sep 13 2010
    end   date: 15:42:53 EET Sep 18 2010
  Associated Trustpoints: LAB

lab1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
lab1(config)#crypto pki server LAB
lab1(cs-server)#no shu
lab1(cs-server)#no shutdown
% CA certificate expired. Cannot enable the Certificate Server.

I manually rolled over the CA certificate, but this didn't help:

lab1(cs-server)#crypto pki server LAB ro                <------------- rollover CA certificate

lab1#show crypto pki certificates
Certificate                           <------------------ SHADOW
  Status: Available
  Certificate Serial Number: 07
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    Name: NOC1
    cn=NOC1
  Validity Date:
    start date: 15:42:53 EET Sep 18 2010
    end   date: 15:42:53 EET Sep 23 2010
  Associated Trustpoints: LAB
CA Certificate              <---------------------- OLD
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    cn=NOC1
  Validity Date:
    start date: 15:42:53 EET Sep 13 2010
    end   date: 15:42:53 EET Sep 18 2010
  Associated Trustpoints: LAB

Why doesn't the PKI server use the shadow certificate, and is it possible to force it to use it?

Thanks.
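An added example, not part of the post and not an IOS feature: a small Python monitor that parses the "show crypto pki certificates" output quoted above and flags a CA certificate whose validity window is about to close. Run against the router clock before Sep 18 it would have reported the rollover as due, which is the check that was missing here; the sample text and the one-day warning window are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Sample input constructed from the post's "show crypto pki certificates" output.
SHOW_CERTS = """\
Certificate
  Certificate Serial Number: 07
  Validity Date:
    start date: 15:42:53 EET Sep 18 2010
    end   date: 15:42:53 EET Sep 23 2010
  Associated Trustpoints: LAB
CA Certificate
  Certificate Serial Number: 01
  Validity Date:
    start date: 15:42:53 EET Sep 13 2010
    end   date: 15:42:53 EET Sep 18 2010
  Associated Trustpoints: LAB
"""

# IOS prints the zone name (EET) between the time and the date; we drop it and
# treat every timestamp as router-local, the same clock "show clock" reports.
DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})")

def parse_ios_date(time, day):
    return datetime.strptime(f"{time} {day}", "%H:%M:%S %b %d %Y")

def parse_certs(text):
    """Split the output into one dict per certificate (kind, serial, start, end)."""
    certs, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = new cert header
            cur = {"kind": line.strip()}
            certs.append(cur)
        elif "Serial Number:" in line:
            cur["serial"] = line.split(":", 1)[1].strip()
        else:
            m = DATE_RE.search(line)
            if m:
                cur[m.group(1)] = parse_ios_date(m.group(2), m.group(3))
    return certs

def check_rollover(certs, now, warn=timedelta(days=1)):
    """Classify each cert at time `now`; 'rollover-due' means it ends within `warn`."""
    report = []
    for c in certs:
        if now >= c["end"]:
            state = "expired"
        elif now < c["start"]:
            state = "not-yet-valid"
        elif c["end"] - now <= warn:
            state = "rollover-due"
        else:
            state = "valid"
        report.append((c["kind"], c["serial"], state))
    return report
```

At the poster's clock (14:34:14 Sep 21 2010) the old CA certificate (serial 01) reports as expired and the shadow certificate (serial 07) as valid; at 16:00 on Sep 17 the same input reports the CA certificate as rollover-due.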
