Hi everybody!
I am upgrading our DMVPN infrastructure to use IKEv2. Part of the project is the replacement of two old IOS CA servers issuing certificates for branch routers.
I have two ISR4k routers prepared to work as new CA servers for the DMVPN cloud. What I did this time was connect this new PKI infrastructure to our Microsoft root CA server by issuing the certificates for the new CA routers on the Microsoft root CA, thus making them sub-CA servers of the Microsoft root CA server.
I was able to import the signed certificate from the root CA server; the problem is that I can't configure the sub-CA server on the routers.
If I got it right, the IOS CA server must have the same name as the trustpoint from which it is a sub-CA. When I try to configure the CA server this way I get the following error:
% Cannot choose Microsoft-CA as label for CA server.
% Trustpoint with label Microsoft-CA is authenticated to another CA.
%PARSE_RC-3-PRC_OUT_OF_RANGE_ENUM: error code had value 2
%PARSE_RC-4-PRC_NON_COMPLIANCE: `crypto pki server Microsoft-CA'
Trustpoint configuration:
crypto pki trustpoint Microsoft-CA
 enrollment terminal
 serial-number
 fqdn SubCA1.domain
 ip-address Loopback1
 subject-name CN=SubCA1.domain, L=DC01
 revocation-check none
 rsakeypair SubCA1.domain
The root CA server stays offline and doesn't support auto-enrollment.
Is this configuration not supported, or am I missing something? It seems like an obvious use case for the IOS CA to me.
Thanks,
Adrian