
New Member

Regenerate and Re-enroll PKI Certificate on IOS CA

Hi,

I am just wondering whether there is anyone who can advise me on this. I want to configure a Cisco router as an IOS CA server, and when the certificate expires I want to ensure the Cisco IOS CA server is able to re-generate the certificate automatically and all the routers are able to automatically re-enroll to this IOS CA server. Is this possible?

thanks

-santo-

3 REPLIES
Cisco Employee


Santo,

Minor misconception here, if I read this correctly.

IOS CA can be configured to automatically grant re-enrollments.

It's every router's responsibility to request a new cert and roll it over.

IOS devices perform those functions automatically if configured to do so and enrollment to the CA was done via SCEP.

M.
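Added example, not taken from this thread or from Cisco documentation: a minimal IOS CA and client configuration of the kind Marcin describes, with the CA granting SCEP requests automatically and rolling its own certificate over, and the client router re-enrolling on a timer. Hostnames, the trustpoint name MYCA, the address 192.0.2.1, the key label, and the lifetimes are all assumed values chosen for illustration.

```cisco
! --- IOS CA side (assumed hostname CA-ROUTER) ---
! Time must be reliable before any certificate is issued;
! in this example the CA is also the NTP master, as in santo's setup.
ntp master 3
!
! SCEP is carried over HTTP, so the HTTP server must be enabled on the CA.
ip http server
!
crypto pki server MYCA
 issuer-name CN=MYCA,O=example
 ! CA certificate lifetime (days); a rollover (shadow) CA cert is
 ! generated 30 days before this expires because of auto-rollover.
 lifetime ca-certificate 365
 ! Lifetime of the certificates issued to routers (days).
 lifetime certificate 180
 ! Grant all requests, including re-enrollments, without operator action.
 grant auto
 auto-rollover 30
 database level minimum
 no shutdown
!
! --- Client router side (assumed hostname EDGE-1) ---
! Sync the clock from the CA before enrolling, otherwise the validity
! window of the issued certificate will not line up.
ntp server 192.0.2.1
!
crypto pki trustpoint MYCA
 enrollment url http://192.0.2.1:80
 subject-name CN=EDGE-1,O=example
 revocation-check none
 rsakeypair EDGE-1-KEY
 ! Re-enroll automatically when 70% of the certificate lifetime has elapsed.
 ! "regenerate" creates a new RSA key pair at each renewal; drop the keyword
 ! to keep the existing key, which is the conservative choice Marcin prefers.
 auto-enroll 70 regenerate
!
! The first enrollment is still done once by hand from exec mode:
!   crypto pki authenticate MYCA
!   crypto pki enroll MYCA
! Afterwards, confirm the renewal timer exists with
!   show crypto pki timers
! and inspect the current and rollover certificates with
!   show crypto pki certificates
```

Two points this configuration makes concrete: renewal is driven by the client's auto-enroll timer, not by the CA noticing expiry, so a router that was enrolled manually without auto-enroll will simply let its certificate lapse; and the timer is computed from the certificate's notBefore/notAfter dates against the router's own clock, which is why the clock must be correct and stable on both sides before the first enrollment.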

New Member


Hi Marcin,

Thanks for your reply. Frankly, I am not really familiar with CA servers. I am learning about PKI :-)

here is my IOS CA configuration

here is my router configuration

My problem is, I tried to simulate expiry of the certificate by changing the clock beyond the expiry date on the IOS CA server (btw, this IOS CA is also the NTP server). I am expecting that the IOS CA will re-generate a new certificate and this certificate will be distributed to the IOS router.

Is my expectation right with the config above? For the first time, I have no problem generating and distributing the certificate because it was all manual generation. All the IOS routers are getting the time from the NTP server.

thanks

-santo-

Cisco Employee


Santo,

You can check "show crypto pki timer" to see if the re-enrollment timer is up and active.

I'm not sure if changing NTP during validity of certificate will matter, unless you have reloaded.

Consider that NTP should already be synced once the original enrollment takes place.

I'm not a big fan of using "regenerate" in TP unless it's really needed.

M.
