We're using selfsigned certs on our voice routers for encrypted IOS (audio) conference bridges. Please find below the command set. Unfortunately the exported pem is only valid until 01 January 2020. I didn't find out how to generate one with a longer lifetime / later expiry date.
Does somebody know how to accomplish?
crypto key generate rsa general-keys label routername modulus 2048
crypto pki trustpoint routername
crypto pki enroll routername
crypto pki export routername pem terminal
routername#show crypto pki certificates
Router Self-Signed Certificate
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
start date: 09:04:40 CET Feb 14 2019
end date: 01:00:00 CET Jan 1 2020
Associated Trustpoints: routername
Last test was on an 4331 router with IOS XE 16.6.5 but problem seem to be the same on other hardware (like 2911) with older non-XE IOS.
Solved! Go to Solution.
I think that the only way is to use an external CA with a dedicated template for your certificate.
If I'm not going wrong self-signed certificate that it's generated from router can be valid only for one year.
Expiry date is always set to Jan 1st 2020, don't know to change. This is still an issue to me and we're getting closer to the date. Does anybody have an idea? Do we really have to switch to CA-signed certificates? Is there no way to extend the self-signed router certificate?
Obviously disabling the http service and deleting the trustpoint isn't enough. Every self signed comes out with the same expiry. So i tried zerorizing and then regenerating the rsa key for ssh. That did it, but thats pretty involved. The version we are running does not have the option to set the snmp trap pki. Pretty involved to upgrade as well.
I'm also looking for the smarter way of turning this notice off :)
Regarding workaround 4. how do we import the keys / certificate generated with openssl?