Hello guys,
I installed a PKI server on a Cisco router; here are the configs:
lab1#show clock
14:34:14.426 EET Tue Sep 21 2010
!
crypto pki server LAB
database level complete
no database archive
issuer-name cn=NOC1
grant auto
lifetime crl 12
lifetime certificate 1
lifetime ca-certificate 5
!
crypto pki trustpoint LAB
query certificate
revocation-check crl
rsakeypair LAB
!
The CA cert expires after 5 days and signed certificates expire after 1 day.
After 5 days, the CA certificate expired and I didn't roll it over.
The PKI server was turned off at 15:42:53 EET Sep 18 2010 and I couldn't start it after that.
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=NOC1
Subject:
cn=NOC1
Validity Date:
start date: 15:42:53 EET Sep 13 2010
end date: 15:42:53 EET Sep 18 2010
Associated Trustpoints: LAB
lab1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
lab1(config)#crypto pki server LAB
lab1(cs-server)#no shu
lab1(cs-server)#no shutdown
% CA certificate expired. Cannot enable the Certificate Server.
I manually rolled over the CA certificate, but this didn't help:
lab1(cs-server)#crypto pki server LAB ro <------------- rollover CA certificate
lab1#show crypto pki certificates
Certificate <------------------ SHADOW
Status: Available
Certificate Serial Number: 07
Certificate Usage: Signature
Issuer:
cn=NOC1
Subject:
Name: NOC1
cn=NOC1
Validity Date:
start date: 15:42:53 EET Sep 18 2010
end date: 15:42:53 EET Sep 23 2010
Associated Trustpoints: LAB
CA Certificate <---------------------- OLD
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=NOC1
Subject:
cn=NOC1
Validity Date:
start date: 15:42:53 EET Sep 13 2010
end date: 15:42:53 EET Sep 18 2010
Associated Trustpoints: LAB
Why doesn't the PKI server use the shadow certificate? Is it possible to force it to use it?
Thanks.
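Added example, not part of the original post: a Python check that parses `show crypto pki certificates` output like the one above and reports, against the router clock, which certificate has expired and which is still inside its validity window. The sample text is constructed from the post's output with the annotations removed; the function names and the `warn` threshold are hypothetical, and all timestamps are assumed to be in the same zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, abbreviated from the output in the post.
SAMPLE = """\
Certificate
Certificate Serial Number: 07
start date: 15:42:53 EET Sep 18 2010
end date: 15:42:53 EET Sep 23 2010
CA Certificate
Certificate Serial Number: 01
start date: 15:42:53 EET Sep 13 2010
end date: 15:42:53 EET Sep 18 2010
"""
CLOCK = "14:34:14.426 EET Tue Sep 21 2010"  # "show clock" line from the post
TS = re.compile(r"(\d\d:\d\d:\d\d)(?:\.\d+)? \w+ (?:\w{3} )?(\w{3}) (\d{1,2}) (\d{4})")

def parse_time(text):
    """Parse 'hh:mm:ss[.ms] ZONE [Weekday] Mon DD YYYY'; the zone token is dropped."""
    m = TS.search(text)
    if m is None:
        raise ValueError(f"no timestamp in {text!r}")
    return datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")

def parse_certs(output):
    """Return one dict per certificate block: kind, serial, start, end."""
    certs = []
    for line in (raw.strip() for raw in output.splitlines()):
        if re.fullmatch(r"(?:CA )?Certificate", line):
            certs.append({"kind": line})
        elif certs and line.lower().startswith(("start date:", "end date:")):
            certs[-1][line.split()[0].lower()] = parse_time(line)
        elif certs and line.startswith("Certificate Serial Number:"):
            certs[-1]["serial"] = line.split(":", 1)[1].strip()
    return certs

def classify(certs, now, warn=timedelta(days=1)):
    """Map serial -> validity state relative to the router clock."""
    report = {}
    for c in certs:
        if now < c["start"]:
            state = "not yet valid"
        elif now >= c["end"]:
            state = "expired"
        else:
            state = "expiring soon" if c["end"] - now <= warn else "valid"
        report[c["serial"]] = state
    return report

print(classify(parse_certs(SAMPLE), parse_time(CLOCK)))
```

Run periodically with a `warn` window longer than the rollover lead time, a check like this flags a CA certificate before it lapses rather than after the server has already shut down.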