03-23-2010 10:58 AM
I'm getting this error on a newly installed WAE-674 at one of my remote offices. This looks like the local machine self-assigned certificate had expired.
Certificate '__waas-self__.p12' is expired. It is configured as machine cert in global settings
Data:
Version: 3 (0x2)
Serial Number: 25 (0x19)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, OU=ADBU, O=Cisco Systems, CN=NO-HOSTNAME/emailAddress=tac@cisco.com
Validity
Not Before: Sep 12 10:18:36 2001 GMT
Not After : Sep 11 10:18:36 2006 GMT
Is there a way to have the CM manage all the WAEs' certificates? Otherwise, in a few years I would have to go to every single WAE to reassign a local certificate. What is the best way to manage it, and how do I create a local self-assigned certificate?
04-14-2010 08:01 AM
You are seeing this alarm because the factory self-signed certificate has expired. It is currently not possible to replace the factory self-signed certificate. However, you can generate a new self-signed certificate and associate it with the SSL AO global-settings using the following steps:
! -- Generate a new self-signed certificate
WAE-674# crypto generate self-signed-cert WAE-674.p12 rsa modulus 1024
Generating a 1024 bit RSA private key
...............................++++++
......................................++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Jose]:
Organization Name (eg, company) [Cisco Systems]:
Organizational Unit Name (eg, section) [ADBU]:
Common Name (eg, YOUR name) [www.cisco.com]:
Email Address [tac@cisco.com]:
Self signed certificate successfully generated
WAE-674#
WAE-674# sh cry certificates
Certificate Only Store:
-----------------------
Managed Store:
--------------
File: WAE-674.p12 Format: PKCS12
EEC: Subject: C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ADBU/CN=www.cisco.com/emailAddress=tac@cisco.com
Issuer: C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ADBU/CN=www.cisco.com/emailAddress=tac@cisco.com
--------------------------------------------------------------------------------
Local Store:
------------
Machine Self signed Certificate
-------------------------------
Format: PKCS12
Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
Issuer: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
Management Service Certificate
------------------------------
Format: PKCS12
EEC:Subject: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
Issuer: C=US/ST=California/L=San Jose/OU=ADBU/O=Cisco Systems/CN=NO-HOSTNAME/emailAddress=tac@cisco.com
The WAAS Self Signed Certificate is being used as the Management Service Certificate
WAE-674#
! -- Associate the self-signed certificate with the SSL AO global services
WAE-674# conf
WAE-674(config)# cry ssl services global-settings machine-cert-key WAE-674.p12
WAE-674(config)# end
WAE-674# wr
WAE-674#
There is an existing enhancement request (CSCte05426) open to add the ability to replace the factory self-signed certificate. I'll update the request to include the ability to perform this function from the Central Manager.
If you have any additional questions, please let us know.
Regards,
Zach
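An added example, not part of the original posts and not Cisco tooling: since the thread leaves certificate expiry to be tracked per device, this sketch parses the OpenSSL-style validity block shown in the alarm and reports which devices hold expired or soon-to-expire certificates. The device names, the 90-day warning window and the second sample's dates are assumptions; how the text is collected from each WAE is not shown.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches the OpenSSL-style "Not Before" / "Not After :" lines in the alarm text.
_VALIDITY = re.compile(r"^\s*(Not Before|Not After)\s*:\s*(.+?)\s*$", re.M)

def parse_validity(dump):
    """Return (not_before, not_after) as UTC datetimes from a text cert dump."""
    found = {}
    for name, value in _VALIDITY.findall(dump):
        value = " ".join(value.split())  # single-digit days are space-padded
        found[name] = datetime.strptime(
            value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("validity block not found")
    return found["Not Before"], found["Not After"]

def classify(dump, now, warn_days=90):
    """Return (status, whole days until expiry; negative once expired)."""
    not_before, not_after = parse_validity(dump)
    if now < not_before:
        status = "not-yet-valid"
    elif now > not_after:
        status = "expired"
    elif not_after - now <= timedelta(days=warn_days):
        status = "expiring"
    else:
        status = "ok"
    return status, (not_after - now).days

def fleet_report(dumps, now, warn_days=90):
    """List (device, status, days_left) for every cert that is not 'ok'."""
    rows = [(dev, *classify(text, now, warn_days)) for dev, text in dumps.items()]
    return sorted((r for r in rows if r[1] != "ok"), key=lambda r: r[2])

# Validity block copied from the alarm in the original post.
FACTORY = """Validity
Not Before: Sep 12 10:18:36 2001 GMT
Not After : Sep 11 10:18:36 2006 GMT"""
# Constructed sample: validity dates for a regenerated cert are assumed.
REGENERATED = """Validity
Not Before: Apr 14 08:00:00 2010 GMT
Not After : Apr 13 08:00:00 2015 GMT"""

if __name__ == "__main__":
    now = datetime(2015, 2, 1, tzinfo=timezone.utc)
    dumps = {"wae-branch-1": FACTORY, "wae-branch-2": REGENERATED}  # hypothetical names
    for row in fleet_report(dumps, now):
        print(row)
```

Run on a schedule with the current time as `now`, the report gives advance notice before a regenerated certificate lapses instead of waiting for the expiry alarm on each device.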