Monitor pki certificate status via snmp

Soren Hansen
Level 1

I recently discovered that a number of our remote sites could not connect to each other via DMVPN due to various certificate problems.

They could all connect to our hubs due to pre-shared keys, so the problem was never discovered before a colleague discovered MM_KEY_EXCH states on some of the routers.

I therefore want to monitor the state of the certificates, preferably via SNMP.

I found a nice-looking MIB, CISCO-PKI-PARTICIPATION-MIB, on http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.505 but none of our routers seem to support it, and when you click on "view supporting images", it also specifies: "There is no supporting images available for CISCO-PKI-PARTICIPATION-MIB"

Do you have any experience on how to monitor certificate status on your Cisco routers?

2 Replies

nativevlan
Level 4

I know this is an old post, but we're looking for the same thing. Did you find a way to do this for your routers or ASA devices (if you have any)?

No real solution. I found that they all needed to connect to one specific router, so I fire off "show crypto isakmp sa | inc MM_KEY_EXCH" on that specific router via our management platform, and receive a mail with the output on a daily basis.
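
An added example, not part of the original thread: a parser for the `show crypto isakmp sa` output that the daily job above collects. It goes one step beyond the `| inc MM_KEY_EXCH` filter by comparing two consecutive polls, so an SA that was only caught mid-handshake is not reported. The function names are hypothetical, the sample output is constructed, and it assumes the management platform hands the command output over as plain text.

```python
import re

# One SA row of `show crypto isakmp sa`: dst, src, state, conn-id, status.
SA_ROW = re.compile(
    r"^\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<status>.+?)\s*$"
)

def parse_isakmp_sa(output):
    """Return one dict per SA row; banner, header and blank lines are skipped."""
    return [m.groupdict() for m in map(SA_ROW.match, output.splitlines()) if m]

def stuck_pairs(output, state="MM_KEY_EXCH"):
    """Set of (dst, src) pairs whose SA is in `state` in one snapshot."""
    return {(sa["dst"], sa["src"]) for sa in parse_isakmp_sa(output)
            if sa["state"] == state}

def persistent_stuck(previous, current, state="MM_KEY_EXCH"):
    """Pairs in `state` in both polls, sorted for stable reporting.

    A single MM_KEY_EXCH row can be a negotiation caught mid-handshake, so
    only pairs seen in two consecutive polls are reported.
    """
    return sorted(stuck_pairs(previous, state) & stuck_pairs(current, state))

# Constructed sample output (documentation addresses), not from a real router.
POLL_1 = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.10   QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.20   MM_KEY_EXCH       1002 ACTIVE
192.0.2.1       198.51.100.30   MM_KEY_EXCH       1003 ACTIVE
"""
# Second poll, already filtered on the router with `| inc MM_KEY_EXCH`.
POLL_2 = """\
192.0.2.1       198.51.100.20   MM_KEY_EXCH       1007 ACTIVE
198.51.100.40   192.0.2.1       MM_KEY_EXCH       1008 ACTIVE
"""

if __name__ == "__main__":
    for dst, src in persistent_stuck(POLL_1, POLL_2):
        print(f"ISAKMP SA {src} -> {dst} still in MM_KEY_EXCH")
```

The parser accepts both the full table and output already filtered with `| inc`, since header and banner lines never match the row pattern.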
