02-14-2019 12:47 AM
Hello guys,
We're using selfsigned certs on our voice routers for encrypted IOS (audio) conference bridges. Please find below the command set. Unfortunately the exported pem is only valid until 01 January 2020. I didn't find out how to generate one with a longer lifetime / later expiry date.
Does somebody know how to accomplish?
Thank you!
crypto key generate rsa general-keys label routername modulus 2048
crypto pki trustpoint routername
enrollment selfsigned
hash sha256
rsakeypair routername
fqdn none
revocation-check none
subject-name CN=routername
exit
crypto pki enroll routername
crypto pki export routername pem terminal
routername#show crypto pki certificates
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=routername
Subject:
Name: routername
cn=routername
Validity Date:
start date: 09:04:40 CET Feb 14 2019
end date: 01:00:00 CET Jan 1 2020
Associated Trustpoints: routername
Storage: nvram:routerna#1.cer
Last test was on an 4331 router with IOS XE 16.6.5 but problem seem to be the same on other hardware (like 2911) with older non-XE IOS.
Solved! Go to Solution.
12-16-2019 05:13 PM
02-18-2019 01:12 AM
Does anybody have an idea? Still didn't find a solution
02-18-2019 11:58 AM
Dear,
I think that the only way is to use an external CA with a dedicated template for your certificate.
If I'm not going wrong self-signed certificate that it's generated from router can be valid only for one year.
07-07-2019 10:31 PM
I have same issue.
how going on?
08-06-2019 03:16 PM
10-24-2019 08:24 AM
Expiry date is always set to Jan 1st 2020, don't know to change. This is still an issue to me and we're getting closer to the date. Does anybody have an idea? Do we really have to switch to CA-signed certificates? Is there no way to extend the self-signed router certificate?
11-01-2019 02:15 AM
Hi everybody,
Obviously disabling the http service and deleting the trustpoint isn't enough. Every self signed comes out with the same expiry. So i tried zerorizing and then regenerating the rsa key for ssh. That did it, but thats pretty involved. The version we are running does not have the option to set the snmp trap pki. Pretty involved to upgrade as well.
I'm also looking for the smarter way of turning this notice off :)
Any suggestions?
Cheers
12-03-2019 12:35 AM
Did you get it with longer life time?
12-16-2019 05:13 PM
12-17-2019 03:09 AM
Regarding workaround 4. how do we import the keys / certificate generated with openssl?
Thank you
jay
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide