I have a problem with the Local CA Server on an ASA5510, 8.2(1)11.
The Local CA Server creates user certificates that are used for client VPN authentication.
Now the expiry date for the root CA is coming up and the rollover certificate has been created automatically.
New user enrollment and user authentication are working.
The CA certificate is configured with a lifetime of 1 day for testing.
But after a reboot the Local CA Server fails to start. Here are the messages:
Before the reboot:
ASA54510# sh cryp ca server
Certificate Server LOCAL-CA-SERVER:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shutdown" to unlock it)
    Issuer name: CN=ASA54510
    CA certificate fingerprint/thumbprint: (MD5)
        3b392567 17eeeb6f 5913145c 3da29098
    CA certificate fingerprint/thumbprint: (SHA1)
        96173fa7 514811bb dd12ff41 b393ca84 929390bd
    Last certificate issued serial number: 0x3
    CA certificate expiration timer: 21:15:36 CEST Nov 20 2011
    CRL NextUpdate timer: 15:14:37 CEST Nov 20 2011
    Current primary storage dir: flash:/LOCAL-CA-SERVER/
    Rollover status: available for rollover
    Rollover CA certificate fingerprint/thumbprint: (MD5)
        d8a91164 c36d57ff de74a2ba 01c35cf6
    Rollover CA certificate fingerprint/thumbprint: (SHA1)
        e0c1f49b c27437e5 e6e1c01e 49d5dc20 7fa5dbf2
    Rollover CA certificate expiration time: 21:15:36 CEST Nov 21 2011
    Auto-Rollover configured, overlap period 30 days
ASA54510#
After the reboot (time of boot is 11:01:00 Nov 20 2011, so before the expiration of the CA certificate):
ASA54510# sh crypto ca server
Certificate Server LOCAL-CA-SERVER:
    Status: disabled, Failed to validate selfsigned CA certificate
    State: initial
    Server's configuration is unlocked (enter "no shutdown" to lock it)
    Issuer name: CN=ASA54510
    CA certificate fingerprint/thumbprint: (MD5)
        d8a91164 c36d57ff de74a2ba 01c35cf6
    CA certificate fingerprint/thumbprint: (SHA1)
        e0c1f49b c27437e5 e6e1c01e 49d5dc20 7fa5dbf2
    Last certificate issued serial number: 0x0
    CA certificate expiration timer: 01:00:00 CEST Jan 1 1970
    CRL not present.
    Current primary storage dir: flash:/LOCAL-CA-SERVER/
    Auto-Rollover configured, overlap period 30 days
ASA54510#
User enrollment is not working anymore; user authentication is still working.
The CA certificate fingerprints in the second output match the rollover certificate's from the first output, but the expiration time does not match.
I hope somebody can explain how this is happening and what to do to avoid that.
I have a very similar situation here. It took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
This is what happens: the rollover gets created and replaces the original one (which remains in memory, not flash). But the new one is valid from the expiry of the old one (in my case TOMORROW), and after a power outage the day before yesterday (the most definitive way to get a reboot!) I only have the new, NOT YET VALID certificate.
OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate, even if it means it runs for a few days longer than the designated lifetime.
So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time zero (01:00:00 CEST Jan 1 1970), which I take to mean "not valid yet".)
I only have a few days of trouble, and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the rollover certificate got created.
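As an added example (not code from either poster, and not a Cisco tool), the following Python script parses the two `show crypto ca server` outputs quoted in the question and compares them the way the reply above does: it checks whether the post-reboot CA fingerprints are the pre-reboot rollover fingerprints, whether the expiration timer has dropped to the Unix epoch, and whether the reboot happened before the old certificate's expiry. The diagnosis encodes the reply's explanation as an assumption (rollover notBefore equals old notAfter, and an epoch-zero timer means "not yet valid"); the regular expressions are tailored to the 8.2 output format shown here, and the boot time is the one stated in the question.

```python
import re
from datetime import datetime

# Sample input: the two flattened `show crypto ca server` outputs from the
# question in this thread (copied from the post, not newly constructed).
BEFORE_REBOOT = """Certificate Server LOCAL-CA-SERVER: Status: enabled State: enabled Server's configuration is locked (enter "shutdown" to unlock it) Issuer name: CN=ASA54510 CA certificate fingerprint/thumbprint: (MD5) 3b392567 17eeeb6f 5913145c 3da29098 CA certificate fingerprint/thumbprint: (SHA1) 96173fa7 514811bb dd12ff41 b393ca84 929390bd Last certificate issued serial number: 0x3 CA certificate expiration timer: 21:15:36 CEST Nov 20 2011 CRL NextUpdate timer: 15:14:37 CEST Nov 20 2011 Current primary storage dir: flash:/LOCAL-CA-SERVER/ Rollover status: available for rollover Rollover CA certificate fingerprint/thumbprint: (MD5) d8a91164 c36d57ff de74a2ba 01c35cf6 Rollover CA certificate fingerprint/thumbprint: (SHA1) e0c1f49b c27437e5 e6e1c01e 49d5dc20 7fa5dbf2 Rollover CA certificate expiration time: 21:15:36 CEST Nov 21 2011 Auto-Rollover configured, overlap period 30 days"""

AFTER_REBOOT = """Certificate Server LOCAL-CA-SERVER: Status: disabled, Failed to validate selfsigned CA certificate State: initial Server's configuration is unlocked (enter "no shutdown" to lock it) Issuer name: CN=ASA54510 CA certificate fingerprint/thumbprint: (MD5) d8a91164 c36d57ff de74a2ba 01c35cf6 CA certificate fingerprint/thumbprint: (SHA1) e0c1f49b c27437e5 e6e1c01e 49d5dc20 7fa5dbf2 Last certificate issued serial number: 0x0 CA certificate expiration timer: 01:00:00 CEST Jan 1 1970 CRL not present. Current primary storage dir: flash:/LOCAL-CA-SERVER/ Auto-Rollover configured, overlap period 30 days"""

BOOT_TIME = datetime(2011, 11, 20, 11, 1, 0)  # boot time stated in the question

# Patterns written for the ASA 8.2 output layout quoted above (an assumption:
# other releases may word these lines differently).
STATUS_RE = re.compile(r"Status:\s*(enabled|disabled)(?:,\s*(.*?))?\s*State:\s*(\w+)")
FP_RE = re.compile(r"(Rollover )?CA certificate fingerprint/thumbprint:\s*\((MD5|SHA1)\)\s*"
                   r"((?:[0-9a-f]{8}\s*)+)")
TIMER_RE = re.compile(r"(Rollover )?CA certificate expiration time(?:r)?:\s*"
                      r"(\d{2}:\d{2}:\d{2})\s+(\S+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})")
SERIAL_RE = re.compile(r"Last certificate issued serial number:\s*(0x[0-9a-fA-F]+)")


def parse_timer(clock, date):
    """Build a naive datetime from the hh:mm:ss and 'Mon d yyyy' parts.
    The zone token (CEST) is not parsed; the caller keeps it as a string."""
    return datetime.strptime("%s %s" % (clock, date), "%H:%M:%S %b %d %Y")


def parse_ca_server(text):
    """Extract status, fingerprints, expiry timers and serial counter."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no Status/State fields found in output")
    info = {"status": m.group(1), "status_reason": m.group(2) or "",
            "state": m.group(3), "fingerprints": {}, "rollover_fingerprints": {}}
    for rollover, algo, hexes in FP_RE.findall(text):
        key = "rollover_fingerprints" if rollover else "fingerprints"
        info[key][algo] = "".join(hexes.split())   # normalise to one hex string
    for rollover, clock, zone, date in TIMER_RE.findall(text):
        key = "rollover_expires" if rollover else "expires"
        info[key] = parse_timer(clock, date)
        info[key + "_zone"] = zone
    s = SERIAL_RE.search(text)
    info["last_serial"] = int(s.group(1), 16) if s else None
    return info


def diagnose(before, after, boot_time):
    """Compare a pre- and post-reboot snapshot and explain the failure.

    boot_time is the ASA clock at boot, naive and in the zone the ASA prints.
    Assumption taken from the reply in this thread: the rollover certificate's
    notBefore equals the old certificate's notAfter, so a reboot inside the
    overlap window loads a certificate that is not yet valid."""
    promoted = (after["fingerprints"] == before["rollover_fingerprints"]
                and after["fingerprints"] != before["fingerprints"])
    failed = after["status"] != "enabled"
    timer_reset = "expires" in after and after["expires"].year == 1970
    serial_reset = (before["last_serial"] is not None and after["last_serial"] is not None
                    and after["last_serial"] < before["last_serial"])
    gap = None
    if promoted and failed and boot_time < before["expires"]:
        gap = before["expires"] - boot_time   # how long enrollment stays broken
    findings = []
    if promoted:
        findings.append("rollover certificate has become the active CA certificate")
    if failed:
        findings.append("server is %s: %s" % (after["status"],
                                              after["status_reason"] or "no reason shown"))
    if timer_reset:
        findings.append("expiration timer reset to the Unix epoch: loaded certificate "
                        "is treated as not yet valid (assumption from the reply)")
    if serial_reset:
        findings.append("issued-serial counter dropped from 0x%x to 0x%x"
                        % (before["last_serial"], after["last_serial"]))
    if gap is not None:
        findings.append("rebooted at %s, before the old CA expiry %s; enrollment stays "
                        "broken for %s" % (boot_time, before["expires"], gap))
    return {"promoted": promoted, "failed": failed, "timer_reset": timer_reset,
            "serial_reset": serial_reset, "enrollment_gap": gap, "findings": findings}


def run_example():
    """Diagnose the two outputs quoted in the question."""
    return diagnose(parse_ca_server(BEFORE_REBOOT), parse_ca_server(AFTER_REBOOT), BOOT_TIME)


if __name__ == "__main__":
    for line in run_example()["findings"]:
        print("-", line)
```

Run it directly and it prints one finding per line; feed it your own before/after outputs (pasted in place of the two sample strings) and the boot time from `show version` to confirm whether a reboot has landed inside the overlap window. The script only explains the state; the workaround the reply describes is still to wait until the old certificate's expiry, when the new one becomes valid.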