TLS trusted-host

vpoole
Level 1

Certificate on IDSM Console expired. Created new certificate, then deleted and added IDS Sensor using discovery. Logged in to IDS sensor, verified clock matched IDSM Console, then removed trusted-host and re-added to generate new certificate. Cert on sensor doesn't match IDSM Console cert. Still getting TLS trusted host errors when trying to do signature updates. Am I missing a step? Any suggestions? Thanks,

4 Replies

marcabal
Cisco Employee

If it is the IDSM-2 certificate that expired, then the steps are correct.

My assumption, however, is that the error you are receiving is not because the IDSM-2 certificate has expired, but instead it is the VMS certificate that has expired.

You would need to create a new certificate for the VMS itself. Then go to the sensor and remove the sensor's knowledge of the VMS old certificate and tell it to grab the new VMS certificate.

Here is how you tell the sensor to grab VMS's new certificate:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clitasks.htm#wp1036631

I am not sure what the steps are to create a new certificate on the VMS itself.

Thanks for your response. I believe you're correct about it being the VMS cert. Used keytool -printcert -file ./server.cert to view the newly created cert, which is now good for 10 years. Already tried your suggestion of removing the VMS trusted-host on the sensor and then adding it back to create a new cert.

"no TLS trusted-host ip-address 172.16.208.50"

"TLS trusted-host ip-address 172.16.208.50"

It adds the VMS IP address to the trusted host list, but creates a cert that doesn't match the new cert, so it's not grabbing the new cert from VMS for some reason. I'm wondering if there is a communication problem between the sensor and the VMS host? However, I can delete the sensor and then add the sensor back using discovery mode without problems. Open to additional suggestions since I'm still at a loss.

There was a defect affecting IDS MC versions 2.0 and 2.0.1 that would cause the behavior you are seeing if you are using the CiscoWorks certificate.

If you are running an affected version, go into VPN/Security Management Solution > Administration > Configuration > Certificate. If the "CiscoWorks Certificate" is selected, then this is your problem. The following link provides two workarounds.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsa53069

Thanks for your response. It appears the old cert was being cached somewhere. Once I stopped and started the crmdmgtd service, the sensors were able to grab the new cert.
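A small check that goes with the troubleshooting above, added here as an example and not part of the thread or of any Cisco tool: it compares the fingerprint a sensor reports for its trusted host (the value copied from the sensor's "show tls trusted-hosts" output, which is an assumption about the CLI) against the certificate file actually served by the VMS, and flags an expired file. It assumes openssl is installed and that the server certificate is available in PEM or DER form.

```shell
#!/bin/sh
# cert_fingerprint FILE ALGO
#   Prints the certificate fingerprint in upper-case hex with colons removed,
#   so it can be compared directly with what the sensor shows.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -"$2" 2>/dev/null \
        | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# cert_is_valid_now FILE
#   Returns 0 when the certificate has not yet expired (checkend 0 = "now").
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_trusted_host FILE SENSOR_FP [ALGO]
#   SENSOR_FP is the fingerprint copied from the sensor; colons and case are
#   ignored. ALGO defaults to sha1 (the sensor also lists md5).
#   Exit status: 0 = current and matching, 1 = server cert expired,
#   2 = fingerprints differ, i.e. the sensor still holds a stale certificate
#   (the cached-certificate symptom described in this thread).
check_trusted_host() {
    file=$1
    sensor_fp=$(printf '%s' "$2" | sed 's/://g' | tr 'a-f' 'A-F')
    algo=${3:-sha1}
    if ! cert_is_valid_now "$file"; then
        echo "EXPIRED: $file" >&2
        return 1
    fi
    local_fp=$(cert_fingerprint "$file" "$algo")
    if [ "$local_fp" != "$sensor_fp" ]; then
        echo "MISMATCH: sensor=$sensor_fp server=$local_fp" >&2
        return 2
    fi
    echo "OK: $local_fp"
    return 0
}
```

Run it as `check_trusted_host /path/to/server.cert <fingerprint-from-sensor>`; a MISMATCH against a freshly generated certificate points at a cached copy on the management host rather than at the sensor.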
