<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IOS CA Server - Subordinate CA Server problems in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756652#M1034125</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Well I upgraded to 12.4(16)LD and there is no change in my results. If I remove the revocation-check then it authenticates properly.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Of course that's lame though because without that my revoked certificates will not be denied access.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 10 Jul 2007 16:54:34 GMT</pubDate>
    <dc:creator>mlipsey</dc:creator>
    <dc:date>2007-07-10T16:54:34Z</dc:date>
    <item>
      <title>IOS CA Server - Subordinate CA Server problems</title>
      <link>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756649#M1034122</link>
      <description>&lt;P&gt;I'm doing a proof of concept using Cisco's IOS CA Server to do our DMVPN authentication. When I use a stand-alone CA Server this stuff works great, but that doesn't have any "redundancy" in it were we to have a failure. So we want to use the subordinate CA server architecture so that we can have 2 servers available. The other option is an RA server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have seen both of these options work, but in my proof of concept I have never been able to get the Subordinate CA to work correctly, and the RA mode I was able to get to work, but after a few hours it would mysteriously stop working (I haven't opened a TAC case on the RA problems yet).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Anyway, I've got a TAC case opened and they walked me through this last week. I took extensive notes; their process was not without problems, but eventually we got it working in Subordinate CA mode. Okay, it works - I've seen it. I attempted to recreate it afterwards using my notes and the CCO documentation and it doesn't work. My DMVPN hub says the client's cert is "bad."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My debugging isn't very helpful; the run-down of my configuration is attached as text.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now, here are my steps:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the Root CA, I generate a general key, export it out to nvram and then reimport it non-exportable. Then I create the CA configuration, which generates the Root CA certificate.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Next I move on to the Subordinate, create its general RSA key, export and reimport it non-exportable.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Then I create the CA server on it in "sub-cs" mode. It generates a "Subordinate-CA" certificate request, which I then have to go approve on the Root CA server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Next I move on to the DMVPN Hub router. I generate its RSA general key, export and then re-import. Then I create the Root trustpoint and authenticate to it to retrieve the Root Certificate. Then I add the subordinate-ca trustpoint and authenticate to it, then enroll in it. Should be done there - usually goes off without a hitch.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Last is the DMVPN Client router; same process as above, to be honest.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Once that is complete - everyone has a certificate and the DMVPN tunnel attempts to authenticate; the DMVPN hub tries to check the CRL on the subordinate CA server, and it says it fails and that it is a bad certificate.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 09:35:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756649#M1034122</guid>
      <dc:creator>mlipsey</dc:creator>
      <dc:date>2020-02-21T09:35:56Z</dc:date>
    </item>
    <item>
      <title>Re: IOS CA Server - Subordinate CA Server problems</title>
      <link>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756650#M1034123</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Incidentally this is my primary source for documentation of this process:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/ps6441/products_configuration_guide_chapter09186a008051eafa.html#wp1144411" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/ps6441/products_configuration_guide_chapter09186a008051eafa.html#wp1144411&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 09 Jul 2007 23:12:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756650#M1034123</guid>
      <dc:creator>mlipsey</dc:creator>
      <dc:date>2007-07-09T23:12:23Z</dc:date>
    </item>
    <item>
      <title>Re: IOS CA Server - Subordinate CA Server problems</title>
      <link>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756651#M1034124</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I've just found some notes here:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/ps6660/products_white_paper0900aecd805249e3.shtml" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/ps6660/products_white_paper0900aecd805249e3.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;They indicate that I may need to be using 12.4(11)T or better to get the Sub-CA thing working properly.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'll try that tomorrow...&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 09 Jul 2007 23:38:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756651#M1034124</guid>
      <dc:creator>mlipsey</dc:creator>
      <dc:date>2007-07-09T23:38:39Z</dc:date>
    </item>
    <item>
      <title>Re: IOS CA Server - Subordinate CA Server problems</title>
      <link>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756652#M1034125</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Well I upgraded to 12.4(16)LD and there is no change in my results. If I remove the revocation-check then it authenticates properly.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Of course that's lame though because without that my revoked certificates will not be denied access.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 10 Jul 2007 16:54:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756652#M1034125</guid>
      <dc:creator>mlipsey</dc:creator>
      <dc:date>2007-07-10T16:54:34Z</dc:date>
    </item>
    <item>
      <title>Try to change the trustpoint</title>
      <link>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756653#M1034126</link>
      <description>&lt;P&gt;Try to change the trustpoint names on the DMVPN routers to something completely different from what you have used for the Root CA and the SubCA.&lt;/P&gt;</description>
      <pubDate>Wed, 31 Aug 2016 06:42:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ios-ca-server-subordinate-ca-server-problems/m-p/756653#M1034126</guid>
      <dc:creator>amhashem</dc:creator>
      <dc:date>2016-08-31T06:42:58Z</dc:date>
    </item>
  </channel>
</rss>

