PKI/DMVPN - Renaming an IOS CA Server

plemieux72
Level 1

Hi,

Would anyone know what the impact might be on a DMVPN if I were to rename/recreate the internal IOS CA Server hostname and trustpoint?

I assume I would have to re-create the RSA certs and trustpoint from scratch. And then, I'd have to go to each of the routers (including spokes and headends) and re-acquire the new root cert, then re-enroll for new router certs, which seems like it will bring down the tunnels... and since the CA server is internal, once the tunnels are down, the spokes will not be able to renew unless I configure a temporary pre-shared key crypto tunnel.

Is there a better, simpler way?

If anyone's ever done this in a lab, I'd appreciate any comments...

Thanks

1 Reply

amritpatek
Level 6

You will have to recreate the RSA certificates and trustpoints if you rename the IOS CA server. You can configure graceful rollover for certificates. Graceful rollover of certificates avoids sudden loss of services in which new connections use the new certificate; existing connections continue to use the old certificate until the connections are closed.
