Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
2375
Views
10
Helpful
9
Replies
Highlighted
jayage
Beginner
Beginner
‎02-14-2019 12:47 AM
‎02-14-2019 12:47 AM

crypto key generate rsa - unable to change expiry date - always set to Jan 1 2020

Hello guys,

 

We're using selfsigned certs on our voice routers for encrypted IOS (audio) conference bridges. Please find below the command set. Unfortunately the exported pem is only valid until 01 January 2020. I didn't find out how to generate one with a longer lifetime / later expiry date.

 

Does somebody know how to accomplish?

 

Thank you!

 

 

crypto key generate rsa general-keys label routername modulus 2048
crypto pki trustpoint routername
 enrollment selfsigned

 hash sha256
 rsakeypair routername
 fqdn none
 revocation-check none
 subject-name CN=routername
 exit
crypto pki enroll routername
crypto pki export routername pem terminal

 

 

routername#show crypto pki certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=routername
  Subject:
    Name: routername
    cn=routername
  Validity Date:
    start date: 09:04:40 CET Feb 14 2019
    end   date: 01:00:00 CET Jan 1 2020
  Associated Trustpoints: routername
  Storage: nvram:routerna#1.cer

Last test was on an 4331 router with IOS XE 16.6.5 but problem seem to be the same on other hardware (like 2911) with older non-XE IOS.

 

 

Labels:
1 person had this problem
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
9 REPLIES 9
Highlighted
jayage
Beginner
Beginner
‎02-18-2019 01:12 AM
‎02-18-2019 01:12 AM

Does anybody have an idea? Still didn't find a solution

0 Helpful
Reply
Highlighted
AndreaTornaghi
Beginner
Beginner
In response to jayage
‎02-18-2019 11:58 AM
‎02-18-2019 11:58 AM

Dear,

 

I think that the only way is to use an external CA with a dedicated template for your certificate.

If I'm not going wrong self-signed certificate that it's generated from router can be valid only for one year.

 

 

0 Helpful
Reply
Highlighted
hyun
Beginner
Beginner
In response to jayage
‎07-07-2019 10:31 PM
‎07-07-2019 10:31 PM

I have same issue.

how going on?

 

0 Helpful
Reply
Highlighted
rkozakowski
Beginner
Beginner
‎08-06-2019 03:16 PM
‎08-06-2019 03:16 PM

Can someone help with this ? I have the same issue.
i cannot do command: auto-enroll regenerate because its enroll self-signed
%% Can not set 'auto-enroll' with 'enroll self-signed'

Then how i can renew certificat with proper date ??????
0 Helpful
Reply
Highlighted
jayage
Beginner
Beginner
In response to rkozakowski
‎10-24-2019 08:24 AM
‎10-24-2019 08:24 AM

Expiry date is always set to Jan 1st 2020, don't know to change. This is still an issue to me and we're getting closer to the date. Does anybody have an idea? Do we really have to switch to CA-signed certificates? Is there no way to extend the self-signed router certificate?

0 Helpful
Reply
Highlighted
kim
Beginner
Beginner
In response to jayage
‎11-01-2019 02:15 AM
‎11-01-2019 02:15 AM

Hi everybody,

 

Obviously disabling the http service and deleting the trustpoint isn't enough. Every self signed comes out with the same expiry. So i tried zerorizing and then regenerating the rsa key for ssh. That did it, but thats pretty involved. The version we are running does not have the option to set the snmp trap pki. Pretty involved to upgrade as well.

 

I'm also looking for the smarter way of turning this notice off :)

 

Any suggestions?

 

Cheers

0 Helpful
Reply
Highlighted
jayage
Beginner
Beginner
In response to kim
‎12-03-2019 12:35 AM
‎12-03-2019 12:35 AM

Did you get it with longer life time?

0 Helpful
Reply
Highlighted
Highlighted
jayage
Beginner
Beginner
In response to cstansel
‎12-17-2019 03:09 AM
‎12-17-2019 03:09 AM

Regarding workaround 4. how do we import the keys / certificate generated with openssl?

Thank you

jay

0 Helpful
Reply
Latest Contents
Cisco SD-WAN Global Forum : Quick Guide to Design, Deploy, O...
Created by ciscomoderator on 03-05-2021 12:50 PM
0
0
0
0
To participate in this event, please use the  button to ask your questions * Note: The link to join the discussion will be activated on March 8 All the knowledge of these four experts at your disposal! Cisco Software-Defined Wide Area Network (SD-WAN... view more
Community Live Event- ISR1100X-4G and ISR1100X-6G Platform O...
Created by Cisco Moderador on 03-02-2021 05:23 AM
1
0
1
0
Community Live- ISR1100X-4G and ISR1100X-6G Platform Overview and Architecture (Live event -  Tuesday, 23 March, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event will have place on Tuesday 23rd, March 2021 at 10:00 hrs PDT&... view more
Cisco Secure Network Access Bridges the Gap
Created by Kelli Glass on 02-26-2021 04:19 PM
0
0
0
0
Cisco Secure Network Access is helping IT to bridge the gap between what is essential to the business and what the network delivers and to build the next-generation campus network for an unplugged and uninterrupted experience. Learn more about how these w... view more
Community Live Video - New Additions to the Catalyst 8000 Fa...
Created by Cisco Moderador on 02-24-2021 08:49 AM
0
0
0
0
(view in My Videos) Community Live- New Additions to the Catalyst 8000 Family (Live event -  Tuesday, 23 February, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event had place on Tuesday 23rd, February 2021 at 10:00 hrs PDT... view more
New Additions to the Catalyst 8000 Family- FAQ
Created by Cisco Moderador on 02-24-2021 07:23 AM
0
0
0
0
This event had place on Tuesday 23rd, February 2021 at 10hrs PDT  Introduction Designed for an intent-based network, the Cisco Catalyst 8000 Edge Platforms family offers best-in-class networking and security combined. The platforms, available in b... view more
Content for Community-Ad