Re: how to set ios CA's expiration date 10 years?

asdg · ‎08-15-2020

when i set command "lifetime ca-certificate 7000",

the check command show error like this to me

how can i set my ios CA's expiration date 20 years?

balaji.bandi · ‎08-15-2020

i do believe it supports 10 years,

PKI does not support a certificate with lifetime validity greater than the year 2099. So, It is recommended to choose a lifetime validity fewer than the value 2099.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

asdg · ‎08-15-2020

you mean 2099 days? i had confirmed that the pki router support expiration date more than 2099 days.

balaji.bandi · ‎08-15-2020

as per my knowledge that was information i have,

to go deeper, can you provide the device model and version of code running on it.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

asdg · ‎08-15-2020

this is my ios image file:csr1000v-mono-universalk9.16.09.05.SPA.pkg
and result of "show version"
Cisco IOS XE Software, Version 16.09.05
Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.5, RELEASE SOFTWARE (fc1)

asdg · ‎08-15-2020

router use csr1000v-mon-universalk9.16.09.05.SPA.pkg

asdg · ‎08-15-2020

Sorry, What I wanted was 20 years. i must modifiy the post.

Rob Ingram · ‎08-15-2020

@asdg

You can define a lifetime of up to 7305 days (20 years) for the CA certificate.

crypto pki server PKI_SERVER
 lifetime ca-certificate 7305

Verification

csr_dc_2#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=LAB-PKI.lab.net
c=GB
Subject:
cn=LAB-PKI.lab.net
c=GB
Validity Date:
start date: 13:36:00 UTC Aug 15 2020
end date: 13:36:00 UTC Aug 15 2040
Associated Trustpoints: PKI_SERVER

I was using CSR 1000v 16.12.02

HTH

how to set ios CA's expiration date 20 years?