PKI server forgot to rollover CA certificate

lcat
Level 1

Hello guys,

I installed a PKI server on a Cisco router; here are the configs:

lab1#show clock
14:34:14.426 EET Tue Sep 21 2010

!
crypto pki server LAB
 database level complete
 no database archive
 issuer-name cn=NOC1
 grant auto
 lifetime crl 12
 lifetime certificate 1
 lifetime ca-certificate 5
!
crypto pki trustpoint LAB
 query certificate
 revocation-check crl
 rsakeypair LAB
!

The CA cert expires after 5 days and signed certificates expire after 1 day.

After 5 days, the CA certificate expired and I didn't roll it over.

The PKI server was turned off at 15:42:53 EET Sep 18 2010 and I couldn't start it after that.

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    cn=NOC1
  Validity Date:
    start date: 15:42:53 EET Sep 13 2010
    end   date: 15:42:53 EET Sep 18 2010
  Associated Trustpoints: LAB

lab1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
lab1(config)#crypto pki server LAB
lab1(cs-server)#no shu
lab1(cs-server)#no shutdown
% CA certificate expired. Cannot enable the Certificate Server.

I manually rolled over the CA certificate, but this didn't help:

lab1(cs-server)#crypto pki server LAB ro                <------------- rollover CA certificate

lab1#show crypto pki certificates
Certificate                           <------------------ SHADOW
  Status: Available
  Certificate Serial Number: 07
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    Name: NOC1
    cn=NOC1
  Validity Date:
    start date: 15:42:53 EET Sep 18 2010
    end   date: 15:42:53 EET Sep 23 2010
  Associated Trustpoints: LAB
CA Certificate              <---------------------- OLD
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=NOC1
  Subject:
    cn=NOC1
  Validity Date:
    start date: 15:42:53 EET Sep 13 2010
    end   date: 15:42:53 EET Sep 18 2010
  Associated Trustpoints: LAB

Why doesn't the PKI server use the shadow certificate, and is it possible to force it to use it?

Thanks.
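Added example, not from the post or from Cisco: a small Python checker that parses the `show crypto pki certificates` and `show clock` output quoted above (the sample below is constructed from the post's values) and reports which certificates are valid at the router clock and whether some rollover certificate's validity spans the CA certificate's expiry. The block titles it matches ("CA Certificate", "Certificate") are the two seen in the post; the rollover check is a heuristic, not Cisco's own logic.

```python
import re
from datetime import datetime
# Constructed sample shaped like the post's output: rollover cert 07 and original CA cert 01.
SAMPLE = """\
Certificate
  Certificate Serial Number: 07
  Validity Date:
    start date: 15:42:53 EET Sep 18 2010
    end   date: 15:42:53 EET Sep 23 2010
  Associated Trustpoints: LAB
CA Certificate
  Certificate Serial Number: 01
  Validity Date:
    start date: 15:42:53 EET Sep 13 2010
    end   date: 15:42:53 EET Sep 18 2010
  Associated Trustpoints: LAB
"""
CLOCK = "14:34:14.426 EET Tue Sep 21 2010"   # the post's 'show clock' value
HEADER_RE = re.compile(r"^(CA Certificate|Certificate)[ \t]*$", re.M)
DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3} +\d+ +\d{4})")
CLOCK_RE = re.compile(r"(\d\d:\d\d:\d\d)\.\d+\s+\S+\s+\w{3}\s+(\w{3} +\d+ +\d{4})")

def ios_time(clock: str, date: str) -> datetime:
    # IOS prints a zone name between time and date; drop it and compare in router-local time.
    return datetime.strptime(f"{clock} {date}", "%H:%M:%S %b %d %Y")

def parse_certs(text: str) -> list:
    """Split the show output into blocks carrying type, serial, start and end."""
    parts = HEADER_RE.split(text)              # ['', hdr1, body1, hdr2, body2, ...]
    certs = []
    for hdr, body in zip(parts[1::2], parts[2::2]):
        serial = re.search(r"Serial Number:\s*(\S+)", body)
        cert = {"type": hdr, "serial": serial.group(1) if serial else None}
        for which, clock, date in DATE_RE.findall(body):
            cert[which] = ios_time(clock, date)
        certs.append(cert)
    return certs

def status_at(cert: dict, now: datetime) -> str:
    if now < cert["start"]: return "not yet valid"
    return "expired" if now >= cert["end"] else "valid"

def audit(text: str, clock_line: str):
    """Per-serial status at the router clock, plus whether a non-CA cert spans the CA cert's expiry."""
    now = ios_time(*CLOCK_RE.search(clock_line).groups())
    certs = parse_certs(text)
    report = {c["serial"]: status_at(c, now) for c in certs}
    ca = next((c for c in certs if c["type"] == "CA Certificate"), None)
    covered = ca is not None and any(c["start"] <= ca["end"] < c["end"] for c in certs if c["type"] == "Certificate")
    return report, covered
```

Run against the post's values it reports serial 01 as expired and serial 07 as valid at the Sep 21 clock, with the rollover cert covering the CA expiry; scheduling the same check a few days before `lifetime ca-certificate` runs out is what flags the gap the post hit.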
