Cisco Support Community

New Member

Certificate end date on router is wrong

We have a DMVPN environment which is using certificate authentication for the spoke routers.

I want to check the certificate end dates with the certificate check TCL script.

The only issue I have is that the CA certificate shows an end date year of 1903 with "show crypto pki certificate".

When I copy the certificate to tftp and open it on my PC the end date year is 2039.

This happens on all the spoke routers, which are different models within the 800 series.

 

When the script is now running it always sends a syslog message that the certificate is expired.

I tried updating the IOS, and I can't use piping within tcl scripts.

How can I solve this issue?

6 REPLIES
Cisco Employee

Hi,

This may be a surprising request but do you believe you could actually post the certificate here? I would like to inspect the specific contents of its Start/End Validity elements. There is a possibility that their value is so much beyond any reasonable date that the IOS probably experiences some kind of overflow.

Best regards,
Peter

New Member

I understand you'd like to analyse that, but I can't post the certificate itself here.

Cisco Employee

Hi,

You should understand that a certificate is by itself a public document, and there is no reason to keep it secret, as it cannot be counterfeited (to do that, you would need to steal the private key of the issuing certificate authority or break the RSA cipher - none of that is possible). I am not asking for the certificate owner's private key, only for the certificate itself.

In any case, if your regulations do not allow you to make it public, can you please at least use a decent Linux box and post the output of the following command?

openssl x509 -text -in certificate-filename.pem | grep Not

assuming you have the certificate in the PEM format saved in the certificate-filename.pem file.

Thanks!

Best regards,
Peter

New Member

That command gives the following output:

            Not Before: Mar 11 14:03:41 2009 GMT
            Not After : Mar 11 14:13:38 2039 GMT

Cisco Employee

Hi,

Okay. Now, you are saying that the Cisco devices you are using report the certificate expiration date to be placed back at 1903. Do you have an option of creating another certificate whose expiry date is, say, 2015 or 2020, and try importing that one? I really have a feeling that we are dealing here with some kind of integer overflow.

Best regards,
Peter
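The following script is an added example and is not part of this thread or of any Cisco tool. It takes the two "Not Before"/"Not After" lines that the openssl command above prints (embedded here as a constructed sample), computes the end date as seconds since 1970, and reinterprets that value the way a signed 32-bit time_t would. Treating the overflow Peter suspects as a 32-bit seconds counter is an assumption of this example (the thread only says "some kind of integer overflow"), but the arithmetic lands a 2039 end date in the year 1903, which is the year the router displayed. A certificate monitoring script can use the same check to flag an end date that lies beyond the 32-bit range as "overflow-suspect" instead of reporting it as expired.

```python
"""Check openssl 'Not After' dates for a 32-bit time_t wraparound.

Added example, not from the thread. Assumption: the misreported year comes
from the end date being held in a signed 32-bit seconds-since-1970 counter.
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # largest end date a signed 32-bit time_t can hold

# Constructed sample: the two validity lines printed by
#   openssl x509 -text -in certificate-filename.pem | grep Not
SAMPLE_OPENSSL_OUTPUT = """\
            Not Before: Mar 11 14:03:41 2009 GMT
            Not After : Mar 11 14:13:38 2039 GMT
"""

_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+ GMT)")


def parse_validity(text):
    """Return {'Before': datetime, 'After': datetime} parsed from openssl -text output."""
    out = {}
    for which, stamp in _VALIDITY_RE.findall(text):
        # openssl space-pads single-digit days ('Mar  1 ...'); normalise the spacing
        dt = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y %Z")
        out[which] = dt.replace(tzinfo=timezone.utc)
    return out


def epoch_seconds(dt):
    """Seconds since 1970-01-01 UTC as a Python int (no width limit)."""
    return int((dt - EPOCH).total_seconds())


def as_signed_int32(seconds):
    """Reinterpret a wide seconds value as a signed 32-bit integer (two's complement wrap)."""
    return ((seconds + 2**31) % 2**32) - 2**31


def wrapped_date(dt):
    """The date a device with a signed 32-bit time_t would display for dt."""
    return EPOCH + timedelta(seconds=as_signed_int32(epoch_seconds(dt)))


def check_not_after(text, now=None):
    """Classify a certificate's end date for a monitoring script.

    Returns (status, real_end, displayed_end) where status is one of
    'overflow-suspect', 'expired' or 'valid'. displayed_end is the date a
    32-bit device would show, which differs from real_end only on overflow.
    """
    now = now or datetime.now(timezone.utc)
    end = parse_validity(text)["After"]
    if epoch_seconds(end) > INT32_MAX:
        # Beyond 2038-01-19: a 32-bit device wraps this into the distant past,
        # so an 'expired' alert based on the displayed date would be a false alarm.
        return "overflow-suspect", end, wrapped_date(end)
    if end < now:
        return "expired", end, end
    return "valid", end, end


if __name__ == "__main__":
    status, real_end, shown = check_not_after(SAMPLE_OPENSSL_OUTPUT)
    print(f"{status}: real end {real_end:%Y-%m-%d}, 32-bit device would show {shown:%Y-%m-%d}")
```

Run against the sample it reports the real end date in 2039 and a wrapped date in early 1903, so the check distinguishes a genuinely expired certificate from one whose end date simply does not fit in 32 bits.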

New Member

The certificate for the authentication process, which has a valid period of 3 years, is showing the correct year.

I'll try to upload a certificate with a longer valid period and check how the year is being displayed.
