05-14-2012 11:38 AM
I have configured a Cisco router with the following configuration to practice obtaining
certificates from a Microsoft 2008 server configured as a standalone CA.
This part works okay, but what I am trying to do next is giving me a headache:
I am trying to delete the identity certificate but am having no luck whatsoever.
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 no shutdown
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
! ACL 101 selects the traffic to be encrypted; ACL 102 exempts that same
! traffic from NAT so it reaches the crypto map with its real addresses
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
! hostname and domain name must be set before the RSA key pair is generated
hostname Purley
ip domain-name acme.com
crypto key generate rsa general-keys
!
! manual (cut-and-paste) enrollment against the standalone CA
crypto ca trustpoint Purley
 enrollment terminal
 crl optional
 enrollment retry period 1
 enrollment retry count 10
 subject-name cn=purley.acme.com, ou=sales, o=acme ltd, l=purley, st=surrey, c=GB
 exit
crypto ca authenticate Purley
crypto ca enroll Purley
crypto ca import Purley certificate
!
! IKE phase 1 using certificate authentication (3DES/MD5 are weak by
! today's standards; kept as posted for this lab)
crypto isakmp enable
crypto isakmp identity hostname
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set BOSTON
 match address 101
!
route-map nonat permit 10
 match ip address 102
! the outside interface is FastEthernet0/0 (the post had "FastEthernet0", which
! does not exist on this router)
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
interface FastEthernet0/0
 crypto map VPN
!
copy run start
Purley#show crypto ca certificate
Certificate
  Status: Available
  Certificate Serial Number: 61E0446A000000000002
  Certificate Usage: General Purpose
  Issuer:
    cn=WIN-SQV1ABKN6Q4-CA
    dc=ACME
    dc=COM
  Subject:
    Name: purley.acme.com
    cn=purley.acme.com
    ou=sales
    o=acme ltd
    l=purley
    st=surrey
    c=GB
  CRL Distribution Point:
    file://WIN-SQV1ABKN6Q4/CertEnroll/WIN-SQV1ABKN6Q4-CA.crl
  Validity Date:
    start date: 14:46:13 UTC May 14 2012
    end date: 14:56:13 UTC May 14 2013
  Associated Trustpoints: Purley

CA Certificate
  Status: Available
  Certificate Serial Number: 222F01C2CED6A5B94F83A17D00339E6B
  Certificate Usage: Signature
  Issuer:
    cn=WIN-SQV1ABKN6Q4-CA
    dc=ACME
    dc=COM
  Subject:
    cn=WIN-SQV1ABKN6Q4-CA
    dc=ACME
    dc=COM
  Validity Date:
    start date: 12:48:03 UTC May 14 2012
    end date: 12:58:02 UTC May 14 2017
  Associated Trustpoints: Purley
I entered the following commands on the router to delete the certificate,
but as you can see it's telling me the certificate doesn't exist
(this method of deleting the cert comes from Richard Deal's
Complete Cisco VPN Configuration Guide):
Purley(config)#crypto ca certificate chain Purley
Purley(config-cert-chain)#no certificate 61E0446A000000000002
% Certificate not found.
Has anyone any ideas, as I am stumped?
Regards,
Melvyn Brown
PS: the router is a 3640 running c3640-jk9o3s-mz.124-7.bin
05-14-2012 10:34 PM
To delete the certificate, the following is the command:
no crypto ca trustpoint Purley
Hope that helps.
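As an added example (not part of the reply above), here is what the full procedure looks like on the poster's router: removing the enrolled trustpoint, which destroys both the identity certificate and the CA certificate attached to it, confirming they are gone, and then re-creating the trustpoint and enrolling again. Hostname, trustpoint name and subject are taken from the original post; the wording of the confirmation prompt is approximate, and the assumption is that the RSA key pair generated earlier is still present (removing a trustpoint does not delete the key pair).

```ios
! Added example, not from the original thread. Prompt text is approximate.
Purley#configure terminal
Purley(config)#no crypto ca trustpoint Purley
% Removing an enrolled trustpoint will destroy all certificates received
% from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
Purley(config)#end
!
! Both the identity certificate and the CA certificate should now be gone
Purley#show crypto ca certificates
!
! Re-create the trustpoint and enroll again; the RSA key pair from
! "crypto key generate rsa" is unaffected by the trustpoint removal
Purley#configure terminal
Purley(config)#crypto ca trustpoint Purley
Purley(ca-trustpoint)#enrollment terminal
Purley(ca-trustpoint)#crl optional
Purley(ca-trustpoint)#subject-name cn=purley.acme.com, ou=sales, o=acme ltd, l=purley, st=surrey, c=GB
Purley(ca-trustpoint)#exit
!
! Paste the CA's base64 certificate when prompted, then type "quit"
Purley(config)#crypto ca authenticate Purley
!
! Copy the CSR the router prints into the CA's web enrollment page;
! once the CA administrator issues the certificate, paste it back in
Purley(config)#crypto ca enroll Purley
Purley(config)#crypto ca import Purley certificate
Purley(config)#end
!
! Verify the new identity certificate (new serial number) and save
Purley#show crypto ca certificates
Purley#copy running-config startup-config
```

Note that the crypto map does not reference the trustpoint by name, so it does not need to be touched; the IKE policy with "authentication rsa-sig" will simply start using the newly imported certificate. If the old certificate is not due to expire, ask the CA administrator to revoke it, since the key pair it certifies is still on the router.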
12-21-2017 01:38 AM
no crypto pki certificate chain <CA Server Name>