We're using self-signed certs on our voice routers for encrypted IOS (audio) conference bridges. Please find below the command set. Unfortunately the exported PEM is only valid until 01 January 2020. I didn't find out how to generate one with a longer lifetime / later expiry date.
Does somebody know how to accomplish this?
crypto key generate rsa general-keys label routername modulus 2048
crypto pki trustpoint routername
crypto pki enroll routername
crypto pki export routername pem terminal
routername#show crypto pki certificates
Router Self-Signed Certificate
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
start date: 09:04:40 CET Feb 14 2019
end date: 01:00:00 CET Jan 1 2020
Associated Trustpoints: routername
Last test was on a 4331 router with IOS XE 16.6.5, but the problem seems to be the same on other hardware (like 2911) with older non-XE IOS.
I think that the only way is to use an external CA with a dedicated template for your certificate.
If I'm not mistaken, a self-signed certificate that is generated by the router can be valid only for one year.