07-09-2007 02:49 PM - edited 02-21-2020 01:35 AM
I'm doing a proof of concept using Cisco's IOS CA Server to do our DMVPN authentication. When I use a stand-alone CA Server this stuff works great, but that doesn't have any "redundancy" in it were we to have a failure. So we want to use the subordinate CA server architecture so that we can have 2 servers available. The other option is an RA server.
I have seen both of these options work, but in my proof of concept I have never been able to get the Subordinate CA to work correctly, and the RA mode I was able to get to work, but after a few hours it would mysteriously stop working (I haven't opened a TAC case on the RA problems yet).
Anyway, I've got a TAC case opened and they walked me through this last week. I took extensive notes; their process was not without problems, but eventually we got it working in Subordinate CA mode. Okay, it works - I've seen it. I attempted to recreate it afterwards using my notes and the CCO documentation and it doesn't work. My DMVPN hub says the client's cert is "bad."
My debugging isn't very helpful; the rundown of my configuration is attached as text.
Now, here are my steps:
On the Root CA, I generate a general key, export it out to nvram and then reimport it non-exportable. Then I create the CA configuration which generates the Root CA certificate.
Next I move on to the Subordinate, create its general rsa key, export and reimport it non-exportable.
Then I create the CA server on it in "sub-cs" mode. It generates a "Subordinate-CA" certificate request which I then have to go approve on the Root CA server.
Next I move on to the DMVPN Hub router. I generate its RSA general key, export and then re-import. Then I create the Root trustpoint and authenticate to it to retrieve the Root Certificate. Then I add the subordinate-CA trustpoint and authenticate to it, then enroll in it. Should be done there - usually goes off without a hitch.
Last is the DMVPN Client router; same process as above to be honest.
Once that is complete - everyone has a certificate and the DMVPN tunnel attempts to authenticate; the DMVPN hub tries to check the CRL on the subordinate CA server and it says it fails and that it is a bad certificate.
07-09-2007 04:12 PM
Incidentally this is my primary source for documentation of this process:
07-09-2007 04:38 PM
I've just found some notes here:
http://www.cisco.com/en/US/customer/products/ps6660/products_white_paper0900aecd805249e3.shtml
They indicate that I may need to be using 12.4(11)T or better to get the Sub-CA thing working properly.
I'll try that tomorrow...
07-10-2007 09:54 AM
Well, I upgraded to 12.4(16)LD and there is no change in my results. If I remove the revocation-check then it authenticates properly.
Of course that's lame though because without that my revoked certificates will not be denied access.
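For readers following the root / sub-CA / DMVPN-router procedure in the first post and the revocation-check issue in this one, here is a constructed IOS configuration walkthrough that keeps `revocation-check crl` in place and makes the Sub-CA's CRL fetchable over HTTP instead of disabling the check. It is an added example, not the original poster's attached configuration or Cisco's reference config; the hostnames, addresses (10.0.0.1 root, 10.0.0.2 sub-CA), key labels, DN values and passphrase placeholders are all assumptions, and the `cdp-url` pointing back at the IOS CA server itself (with `ip http server` enabled so the server publishes its own CRL) is the design choice being illustrated.

```cisco
! Constructed example - none of these hosts, addresses or labels come from the thread.
!   ROOT-CA  10.0.0.1   IOS CA server, signs only the Sub-CA certificate
!   SUB-CA   10.0.0.2   IOS CA server in sub-cs mode, issues DMVPN router certs
!   HUB/SPOKE           DMVPN routers, enrol with SUB-CA; trustpoint names differ from CA names

!================ ROOT-CA ================
ip http server                                   ! SCEP enrolment and CRL download use HTTP
crypto key generate rsa general-keys label ROOT-CA modulus 2048 exportable
crypto key export rsa ROOT-CA pem url nvram: 3des <ROOT-PASSPHRASE>   ! backup of the root key
crypto key zeroize rsa ROOT-CA                   ! remove the exportable copy ...
crypto key import rsa ROOT-CA pem url nvram: <ROOT-PASSPHRASE>        ! ... and re-import it non-exportable
crypto pki server ROOT-CA
 database level complete
 database url nvram:
 issuer-name CN=root-ca.example.net,O=Example
 lifetime ca-certificate 3650
 lifetime certificate 730                        ! lifetime of the Sub-CA certificate it issues
 lifetime crl 24                                 ! hours; the root's CRL covers the Sub-CA cert
 cdp-url http://10.0.0.1/ROOT-CA.crl             ! CDP embedded in the Sub-CA cert, served by this box
 no shutdown                                     ! generates the self-signed root certificate
! Requests are granted manually on the root (no "grant auto"):
!   crypto pki server ROOT-CA info requests
!   crypto pki server ROOT-CA grant <request-id>

!================ SUB-CA ================
ip http server
crypto key generate rsa general-keys label SUB-CA modulus 2048 exportable
crypto key export rsa SUB-CA pem url nvram: 3des <SUB-PASSPHRASE>
crypto key zeroize rsa SUB-CA
crypto key import rsa SUB-CA pem url nvram: <SUB-PASSPHRASE>
crypto pki trustpoint SUB-CA                     ! must carry the same name as the sub-cs server
 enrollment url http://10.0.0.1:80               ! where the Sub-CA request goes (ROOT-CA)
 rsakeypair SUB-CA
 revocation-check crl
crypto pki server SUB-CA
 mode sub-cs
 database level complete
 database url nvram:
 issuer-name CN=sub-ca.example.net,O=Example
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://10.0.0.2/SUB-CA.crl              ! the URL the hub fetches during revocation-check
 grant auto                                      ! lab convenience only; grant manually in production
 no shutdown                                     ! sends the Subordinate-CA request to ROOT-CA

!================ DMVPN HUB and each SPOKE ================
crypto key generate rsa general-keys label DMVPN modulus 2048
crypto pki trustpoint DMVPN-ROOT                 ! trust anchor only, no enrolment here
 enrollment url http://10.0.0.1:80
 revocation-check crl                            ! root's CRL must be reachable at its CDP
crypto pki trustpoint DMVPN-SUB                  ! issuing CA; the router enrols here
 enrollment url http://10.0.0.2:80
 rsakeypair DMVPN
 revocation-check crl                            ! keep the check; fix CRL reachability instead
! exec:
!   crypto pki authenticate DMVPN-ROOT
!   crypto pki authenticate DMVPN-SUB
!   crypto pki enroll DMVPN-SUB
crypto isakmp policy 10
 authentication rsa-sig

! Verification on the hub when a peer's cert is reported "bad":
!   show crypto pki certificates      ! full chain present (router, SUB-CA, ROOT-CA)?
!   show crypto pki crls              ! cached CRLs with issuer and NextUpdate
!   debug crypto pki validation       ! which CDP URL is fetched and which step rejects the cert
```

The point of the layout is that every CDP URL written into a certificate resolves to an HTTP listener that actually serves that CRL: the Sub-CA's CRL covers the router certificates the hub validates, and the root's CRL covers the Sub-CA certificate, so both CA boxes need `ip http server` and a reachable `cdp-url`. If `show crypto pki crls` shows no CRL for the Sub-CA issuer while `debug crypto pki validation` reports the fetch failing, the problem is CRL retrieval, not the certificate itself, and removing `revocation-check` would only hide it.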
08-30-2016 11:42 PM
Try to change the trustpoint names on the DMVPN routers to something completely different than what you have used for the Root CA and the SubCA.