
WAAS - Certificate '__waas-self__.p12' is expired.

johng231
Level 3

I'm getting this error on a newly installed WAE-674 at one of my remote offices. It looks like the local machine self-assigned certificate has expired.

Certificate '__waas-self__.p12' is expired. It is configured as machine cert in global settings

    Data:
        Version: 3 (0x2)
        Serial Number: 25 (0x19)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, OU=ADBU, O=Cisco Systems, CN=NO-HOSTNAME/emailAddress=tac@cisco.com
        Validity
            Not Before: Sep 12 10:18:36 2001 GMT
            Not After : Sep 11 10:18:36 2006 GMT

Is there a way to have the CM manage all the WAEs' certificates? Otherwise, in a few years I would have to go to every single WAE to reassign a local certificate. What is the best way to manage it, and how do I create a local self-assigned certificate?


Zach Seils
Level 7

You are seeing this alarm because the factory self-signed certificate has expired.  It is currently not possible to replace the factory self-signed certificate.  However, you can generate a new self-signed certificate and associate it with the SSL AO global-settings using the following steps:

! -- Generate a new self-signed certificate

WAE-674# crypto generate self-signed-cert WAE-674.p12 rsa modulus 1024
Generating a 1024 bit RSA private key
...............................++++++
......................................++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Jose]:
Organization Name (eg, company) [Cisco Systems]:
Organizational Unit Name (eg, section) [ADBU]:
Common Name (eg, YOUR name) [www.cisco.com]:
Email Address [tac@cisco.com]:
Self signed certificate successfully generated
WAE-674#
WAE-674# sh cry certificates

Certificate Only Store:
-----------------------


Managed Store:
--------------
File: WAE-674.p12                Format: PKCS12
EEC: Subject: C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ADBU/CN=www.cisco.com/emailAddress=tac@cisco.com
     Issuer: C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ADBU/CN=www.cisco.com/emailAddress=tac@cisco.com
--------------------------------------------------------------------------------

Local Store:
------------
Machine Self signed Certificate
-------------------------------
Format: PKCS12
Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
Issuer: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com

Management Service Certificate
------------------------------
Format: PKCS12
EEC:Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
    Issuer: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
The WAAS Self Signed Certificate is being used as the Management Service Certificate
WAE-674#

! -- Associate the self-signed certificate with the SSL AO global services
WAE-674# conf
WAE-674(config)# cry ssl services global-settings machine-cert-key WAE-674.p12
WAE-674(config)# end
WAE-674# wr
WAE-674#

There is an existing enhancement request (CSCte05426) open to add the ability to replace the factory self-signed certificate.  I'll update the request to include the ability to perform this function from the Central Manager.

If you have any additional questions, please let us know.

Regards,

Zach
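
The question above asks how to avoid finding expired certificates one device at a time. The following is an added example, not part of the original posts and not Cisco tooling: it parses certificate text in the layout quoted in the question (the `Validity` and `Signature Algorithm` lines) and reports which devices need attention. How the text is collected from each WAE is left open, and the device name `WAE-EXAMPLE-2` and its dates are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: per-device certificate text in the layout shown in
# the question. WAE-674 is the dump from the post; WAE-EXAMPLE-2 is made up.
SAMPLE = {
    "WAE-674": """
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Sep 12 10:18:36 2001 GMT
            Not After : Sep 11 10:18:36 2006 GMT
    """,
    "WAE-EXAMPLE-2": """
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2034 GMT
    """,
}

FIELD = re.compile(r"^\s*(Not Before|Not After|Signature Algorithm)\s*:\s*(.+?)\s*$", re.M)

def parse_date(value):
    """Parse 'Sep 11 10:18:36 2006 GMT' (day may be space-padded) as UTC."""
    value = " ".join(value.split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def check(text, now, warn_days=90):
    """Return a list of findings for one certificate dump."""
    fields = dict(FIELD.findall(text))
    if "Not After" not in fields:
        return ["no-validity"]          # dump was truncated or not a certificate
    findings = []
    not_after = parse_date(fields["Not After"])
    if not_after <= now:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append("expiring-soon")
    if "Not Before" in fields and parse_date(fields["Not Before"]) > now:
        findings.append("not-yet-valid")
    if fields.get("Signature Algorithm", "").lower().startswith(("sha1", "md5")):
        findings.append("weak-signature")
    return findings

def audit(dumps, now=None, warn_days=90):
    """Map device name -> findings, omitting devices with nothing to report."""
    now = now or datetime.now(timezone.utc)
    report = {name: check(text, now, warn_days) for name, text in dumps.items()}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for device, findings in audit(SAMPLE).items():
        print(f"{device}: {', '.join(findings)}")
```

Running the audit on a schedule with a `warn_days` window longer than the change-approval lead time gives notice before the alarm in the question fires.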