PKI CERT RENEW FAIL

matias-silva
Level 1

I use DNAC in an enterprise network and have a C9200 switch running version 17.09.04a with the CAT9K_LITE_IOSXE image, which reboots every few hours. I reviewed the issue and suspected it might be related to telemetry, so I resynchronized the device and forced telemetry updates from DNA Center. When I ran the show crypto pki counter command, I noticed that the CRL check fails. However, after repeating the procedure, I observed that other C9200 switches — which are not experiencing any issues — also show the same logs: "CRL - failed attempts: 45". These switches have the same configurations and full connectivity to the server.

SW5_ACCESO
PKI Sessions Started: 81
PKI Sessions Ended: 81
PKI Sessions Active: 0
Successful Validations: 3
Failed Validations: 0
Bypassed Validations: 0
Pending Validations: 0
CRLs checked: 3
CRL - fetch attempts: 4
CRL - failed attempts: 3
CRL - rejected busy fetching: 0
AAA authorizations: 0

Uptime for this control processor is 23 hours, 20 minutes
System returned to ROM by Power Failure or Unknown
System restarted at 11:42:24 UTC Sun Aug 24 2025

Aug 24 12:03:47: %PKI-2-CERT_RENEW_FAIL: Certificate renewal failed for trustpoint sdn-network-infra-iwan
Aug 24 12:03:47: %PKI-6-AUTOCERTFAIL: Certificate (re)enrollment failed. Delaying before retry

*Aug 24 11:44:08: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=CA-01,CN=ca-,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bestado,DC=cl?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
Aug 25 10:23:22: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=CA-01,CN=ca-,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bestado,DC=cl?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
Aug 25 10:34:10: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=CA-01,CN=ca-,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bestado,DC=cl?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
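As an added illustration (not code from this thread or from Cisco), a Python script that parses the `show crypto pki counters` output and the %PKI syslog lines quoted above, counts failed CRL retrievals per CDP URL, and lists the trustpoints that failed to renew. The sample text is a trimmed copy of the post's output; the CDP distinguished name in it is a placeholder.

```python
import re

# Constructed sample: counters and %PKI syslog lines trimmed from the post; the CDP DN is a placeholder.
COUNTERS = """\
Failed Validations: 0
CRLs checked: 3
CRL - fetch attempts: 4
CRL - failed attempts: 3
"""
SYSLOG = """\
Aug 24 12:03:47: %PKI-2-CERT_RENEW_FAIL: Certificate renewal failed for trustpoint sdn-network-infra-iwan
Aug 24 12:03:47: %PKI-6-AUTOCERTFAIL: Certificate (re)enrollment failed. Delaying before retry
*Aug 24 11:44:08: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=CA-01,CN=CDP,DC=example,DC=test?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
Aug 25 10:23:22: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=CA-01,CN=CDP,DC=example,DC=test?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
"""

# A leading "*" marks a timestamp taken before the clock was authoritative (NTP not yet synced).
LOG_RE = re.compile(r"^\*?\w{3}\s+\d+\s+[\d:]+: %PKI-\d-(\w+): (.*)$")

def parse_counters(text):
    """Map each 'Name: N' line of 'show crypto pki counters' output to an int."""
    rows = (re.match(r"\s*(.+?):\s+(\d+)\s*$", line) for line in text.splitlines())
    return {m.group(1).strip(): int(m.group(2)) for m in rows if m}

def triage(counters_text, syslog_text):
    """Correlate CRL fetch counters with %PKI syslog: which CDP URLs fail, which trustpoints cannot renew."""
    c = parse_counters(counters_text)
    attempts = c.get("CRL - fetch attempts", 0)
    report = {
        # Share of CRL fetches that failed; guard against a device that never fetched at all
        "crl_failure_ratio": c.get("CRL - failed attempts", 0) / attempts if attempts else 0.0,
        # In the post this stays 0 although 3 CRL fetches failed, so the fetch failures did not fail a validation
        "failed_validations": c.get("Failed Validations", 0),
        "failed_cdps": {},        # CDP URL -> number of failed LDAP retrievals
        "failed_trustpoints": [], # trustpoints whose renewal failed, in first-seen order
    }
    for line in syslog_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        mnemonic, msg = m.groups()
        if mnemonic == "CRL_LDAP_QUERY":
            url = re.search(r"from (\S+) using LDAP", msg).group(1)
            report["failed_cdps"][url] = report["failed_cdps"].get(url, 0) + 1
        elif mnemonic == "CERT_RENEW_FAIL":
            tp = re.search(r"trustpoint (\S+)", msg).group(1)
            if tp not in report["failed_trustpoints"]:
                report["failed_trustpoints"].append(tp)
    return report
```

Run it against `show crypto pki counters` and `show logging | include PKI` collected from a working and a failing switch; a CDP URL that fails on every device points at the CRL distribution point or the path to it rather than at the one switch that reboots.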

4 Replies

balaji.bandi
Hall of Fame
System returned to ROM by Power Failure or Unknown

Check to make sure the power is consistent.

Check the crash logs to find what is causing the issue.

I do not believe the switch will reboot due to a cert; I have never come across that situation in a live environment.

If you are using DNAC, check the correct CRL; see the post below:

https://community.cisco.com/t5/cisco-catalyst-center/dnac-certificate-crl-ldap-failed/td-p/5081884

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

There don’t appear to be any power issues. The logs show the same messages I noted earlier. This is the only switch out of the five on the same LAN that is failing. Before performing the upgrade, I followed the same steps from the shared link.

What about the other devices that are working, what IOS XE code are they running?

Check configuration drift before the upgrade and post-upgrade. Did any source interface change to reach the PKI server?

If all is good, try a forced configuration push:

https://community.cisco.com/t5/cisco-catalyst-center/cscwm52945-catalyst-center-sdn-network-infra-iwan-fails-to-renew/td-p/5254578

BB

All switches are on the same IOS version. I checked another switch and it gives me the following output:

I performed the procedure you shared with me.

923_SW2#sh log | inc PKI
*Aug 25 19:31:03: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: TP-self-signed-1321531563 created succesfully
*Aug 25 19:31:03: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: SLA-TrustPoint created succesfully
*Aug 25 19:31:03: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: sdn-network-infra-iwan created succesfully
*Aug 25 19:31:03: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: DNAC-CA created succesfully
*Aug 25 19:31:18: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: CISCO_IDEVID_SUDI created succesfully
*Aug 25 19:31:18: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: CISCO_IDEVID_SUDI0 created succesfully
*Aug 25 19:31:18: %PKI-2-NON_AUTHORITATIVE_CLOCK: PKI functions can not be initialized until an authoritative time source, like NTP, can be obtained.
*Aug 25 19:35:49: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=CA-BANCO-01,CN=ca-banco,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bestado,DC=cl?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed
Aug 25 19:51:14: %PKI-6-AUTHORITATIVE_CLOCK: The system clock has been set.
Aug 26 09:53:28: %PKI-6-TRUSTPOINT_DELETE: Trustpoint: DNAC-CA deleted succesfully
Aug 26 09:53:39: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: DNAC-CA created succesfully
Aug 26 09:54:06: %PKI-6-TRUSTPOINT_DELETE: Trustpoint: sdn-network-infra-iwan deleted succesfully
Aug 26 09:55:07: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: sdn-network-infra-iwan created succesfully
Aug 26 09:55:07: %PKI-6-PKCS12_IMPORT_SUCCESS: PKCS #12 import in to trustpoint sdn-network-infra-iwan successfully imported.
Aug 26 09:55:30: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL from ldap:///CN=CA-BANCO-01,CN=ca-banco,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bestado,DC=cl?certificateRevocationList?base?objectClass=cRLDistributionPoint using LDAP has failed