PKI Certificate - Manual Renewal for VPN Headend

nexusrouter
Level 1

Hello Fellow Experts / Professionals.

I have a couple of pertinent questions regarding the renewal of a PKI certificate on one of our client / spoke routers. The router is already enrolled into the PKI infrastructure and has the root and sub CA trust-points implemented. I have access to the CA ("Windows Server") that administers certificates to clients; this is a manual enrolment via the CLI terminal. This is per design and does not have auto-enrolment in place.

I have read the Cisco white papers regarding this and have a general idea of the process; however, I seek confirmation and a cast-iron answer to some basic questions from you more experienced Cisco Alumni, as I have not dealt with this environment before:

Can I authenticate against the trust-points already in place, or do I need to create new trust-points ("The Root and SubIssuingCA") when renewing a certificate that's about to expire?

Do I need to create the trust-points once again and then authenticate (even though it would be the same details)?

Do I need to authenticate the root and Sub CA trust-points, or do I authenticate the Sub CA only before generating a CSR?

The certificate will be expiring in a week; can I renew the certificate before the expiration date of the active certificate?

Can someone please tell me the correct process with a manual enrolment?
I would very much appreciate it if someone could point me in the right direction with the correct process.


2 Replies

Rob Ingram (Accepted Solution)

@nexusrouter

You don't need to delete the trustpoint and recreate it, you just need to run "crypto pki enroll <TRUSTPOINT_NAME>" to re-enrol. Once you've re-enrolled, run "show crypto pki certificates" to confirm the new certificate has been installed.

You don't need to re-authenticate the root certificates.

You can re-enrol the certificate whenever you like.


nexusrouter

@Rob Ingram wrote:

@nexusrouter 

You don't need to delete the trustpoint and recreate it, you just need to run "crypto pki enroll <TRUSTPOINT_NAME>" to re-enrol. Once you've re-enrolled, run "show crypto pki certificates" to confirm the new certificate has been installed.

You don't need to re-authenticate the root certificates.

You can re-enrol the certificate whenever you like.


Thank you for your reply Rob.

To be clear, I just need to skip creating the Root and Sub CA trust-points?

To start, I just need to create new RSA keys "if required"

Authenticate the Root CA

Authenticate the Sub CA

Generate the CSR

Copy and paste into the CA Server "Send that to the CA"

Then copy the results from the CA

Import the new CSR "Copy Paste via terminal"

Then check the new expiry and hopefully see the VPN link come back up to the other VPN head-ends?

Can you confirm those are the steps I need to complete when re-enrolling / renewing the PKI certificate?

I would appreciate it if you could provide the process step by step:-
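The re-enrolment Rob Ingram describes, laid out against the step list above as an added example terminal session (not from this thread, from Cisco documentation, or from the Windows CA's own output): it assumes an existing trustpoint named SUBCA-TP configured with `enrollment terminal`, root and sub CA certificates already authenticated, the existing RSA keypair reused, and a Windows CA that hands back the issued certificate in Base64 form. The exact prompt text varies with the trustpoint's subject-name, serial-number and IP-address settings.

```text
! Added example session, not from the thread. Trustpoint name SUBCA-TP, the
! hostname and the prompt wording are assumed. The trustpoint already exists
! with "enrollment terminal" and its CA certificates already authenticated, so
! nothing is deleted or re-authenticated and the existing RSA keypair is reused
! (regenerating the keypair is not part of a renewal unless policy requires a re-key).

Router# show crypto pki certificates SUBCA-TP
! Note the "end date" of the router (identity) certificate before starting.

Router# configure terminal
Router(config)# crypto pki enroll SUBCA-TP
% Start certificate enrollment ..
% The subject name in the certificate will include: <subject from the trustpoint>
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

<base64 CSR printed here: copy the whole block to the Windows CA and submit it>
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

! On the Windows CA: submit the request, issue it against the router's template,
! and download the issued certificate as "Base 64 encoded" (PEM), not DER
! and not the PKCS#7 chain file.

Router(config)# crypto pki import SUBCA-TP certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
<paste the issued certificate, including the BEGIN/END CERTIFICATE lines>
quit
% Router Certificate successfully imported

Router(config)# end
Router# show crypto pki certificates SUBCA-TP
! Confirm the identity certificate now shows the new Validity Date end date
! and is still issued by the sub CA this trustpoint was authenticated against.
Router# show crypto session
! The VPN to the head-ends should re-establish with the new certificate; do
! this before the old one expires so the tunnels never run on an expired cert.
```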
