Question about Shadow Certificates

Richard Tapp
Level 1

I have just set up a new certificate server on a router in our network and can download the certificate from it OK.

But I do see this message

%PKI-2-CERT_SHADOW_INSTALL_FAIL: Content-Type indicates we did not receive CA certificate for Trustpoint

But if I check my certificates I have a valid CA for this certificate. I have also set up my test router with just this one new certificate and it still connects to DMVPN OK.

I did find this via Google

The new certificate, which is called the shadow or rollover certificate, becomes active at the precise moment that the current CA certificate expires.

So my question is, am I only getting this message because there is no new shadow or rollover certificate ready on the certificate server, as it won't be due for renewal for some time in the future?

2 Replies

feni865heri
Level 1

Hello, @Richard Tapp

The message "%PKI-2-CERT_SHADOW_INSTALL_FAIL: Content-Type indicates we did not receive CA certificate for Trustpoint" suggests that the router is expecting a "shadow" or "rollover" certificate from the certificate server, but it's not receiving it.

Here's a breakdown of why you might be seeing this message and how to address it:

Understanding Shadow Certificates

Purpose: Shadow certificates are a crucial part of certificate lifecycle management. They are intended to be a backup or replacement for the currently active certificate.
Activation: As you mentioned, a shadow certificate typically becomes active immediately after the current certificate expires. This seamless transition minimizes service disruption.
Requirement: Many security systems and protocols expect a shadow certificate to be available for a smooth certificate rollover. The message you're seeing indicates that your router is designed to work with this mechanism.
Possible Reasons for the Message

No Shadow Certificate Generated:

Configuration Issue: The certificate server might not be configured to generate shadow certificates automatically.
Certificate Not Expiring Soon: As you observed, if the current certificate has a long time before expiration, the server might not have generated a shadow certificate yet.
Certificate Server Issue:

Technical Problems: The certificate server itself might have encountered an error during the shadow certificate generation process.
Communication Problems: There might be a temporary network issue or misconfiguration preventing the router from accessing the certificate server and retrieving the shadow certificate.
Troubleshooting Steps

Check Certificate Server Configuration:

Review Settings: Carefully examine the certificate server's configuration to ensure it's configured to generate shadow certificates automatically.
Check Logs: Look for any error messages in the certificate server's logs that might provide clues about the issue.
Verify Certificate Expiration Date:

Confirm Expiration Time: Check the expiration date of the current certificate. If it's far in the future, it's likely that a shadow certificate hasn't been generated yet.
Test Certificate Server Connectivity:

Ping/Traceroute: Perform network diagnostics (ping, traceroute) to ensure the router can reach the certificate server without any issues.
Manually Generate a Shadow Certificate (if applicable):

Check Server Documentation: If possible, refer to the certificate server's documentation to see if you can manually generate a shadow certificate.
Consult Documentation:

Router Documentation: Refer to the documentation for your specific router model. It may provide more detailed information about the expected behavior and troubleshooting tips for certificate-related issues.
Important Notes

DMVPN Connection: The fact that your DMVPN connection is currently working with the existing certificate is a good sign. However, it's essential to address the shadow certificate issue to ensure a smooth and secure certificate rollover in the future.
Security Best Practices: Regularly review and update your certificate management procedures to maintain strong security posture.
If you've checked these aspects and are still encountering the issue, consider contacting the support team for your certificate server or router vendor for further assistance. They can provide more specific guidance based on your particular setup.


Best Regards

Richard Tapp
Level 1

Thanks. I also checked a router I put the new cert on way back in June last year; that one is not showing the error in the logs, and it is showing a renew date as well.

This is the server config:

crypto pki server dmvpn-XXXX-RT01
! do not archive the CA certificate and key pair
no database archive
issuer-name CN=XXXXVPNCERT
! enrollment requests are granted without manual approval
grant auto
hash sha256
! lifetimes are in days: 900 for issued certificates, 1100 for the CA certificate
lifetime certificate 900
lifetime ca-certificate 1100
! generate the shadow (rollover) CA certificate 50 days before the CA certificate expires (default is 30)
auto-rollover 50

crypto pki trustpoint dmvpn-XXXX-RT01
revocation-check crl
rsakeypair dmvpn-XXXX-RT01

It's not too much of a worry, as we always have 2 certificate servers running, so we should always have a good certificate.
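The troubleshooting step in the first reply ("Verify Certificate Expiration Date") and the lifetimes in the posted server config can be tied together with a small script: parse the validity dates out of `show crypto pki certificates` output, subtract the server's `auto-rollover` value (in days, default 30) from the CA certificate's end date, and report whether the CA should already have generated its shadow certificate. This is an added example, not code from the thread or from Cisco; the `show` output below is constructed (the dates are invented so that the CA certificate lasts 1100 days and the router certificate 900 days, matching the posted config), it assumes the device clock is set to UTC, and the function and variable names are the example's own.

```python
"""Check whether a Cisco IOS CA should already have generated its shadow
(rollover) certificate, given `show crypto pki certificates` output and the
server's `auto-rollover` value.  Added example, not code from the thread."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout IOS prints: the router's own certificate
# first, then the CA certificate.  Dates are invented to match
# `lifetime certificate 900` and `lifetime ca-certificate 1100` (days).
SAMPLE_SHOW_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=XXXXVPNCERT
  Subject:
    Name: rt-test
    hostname=rt-test
  Validity Date:
    start date: 09:35:00 UTC Jun 3 2024
    end date:   09:35:00 UTC Nov 20 2026
  Associated Trustpoints: dmvpn-XXXX-RT01

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=XXXXVPNCERT
  Subject:
    cn=XXXXVPNCERT
  Validity Date:
    start date: 09:30:00 UTC Jun 3 2024
    end date:   09:30:00 UTC Jun 8 2027
  Associated Trustpoints: dmvpn-XXXX-RT01
"""

# "start date: 09:30:00 UTC Jun 8 2027" -> (which, time, tz, month, day, year)
DATE_LINE = re.compile(
    r"^\s*(start|end) date:\s+(\d{2}:\d{2}:\d{2}) (\S+) ([A-Za-z]{3}) (\d{1,2}) (\d{4})\s*$",
    re.MULTILINE,
)


def certificate_blocks(show_output):
    """Split the output at every unindented header line ('Certificate', 'CA Certificate', ...)."""
    return [b for b in re.split(r"^(?=\S)", show_output, flags=re.MULTILINE) if b.strip()]


def find_block(show_output, header):
    """Return the first block whose header line starts with `header`."""
    for block in certificate_blocks(show_output):
        if block.startswith(header):
            return block
    raise ValueError(f"no {header!r} block in output")


def validity(block):
    """Parse the 'Validity Date' lines of one block into timezone-aware datetimes (UTC only)."""
    found = {}
    for which, hms, tz, mon, day, year in DATE_LINE.findall(block):
        if tz != "UTC":  # assumption: device clock runs in UTC; extend here for other zones
            raise ValueError(f"unexpected timezone {tz!r}")
        stamp = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        found[which] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"start", "end"}:
        raise ValueError("validity dates missing from block")
    return found


def lifetime_days(show_output, header):
    """Lifetime in days of the certificate in the block starting with `header`."""
    v = validity(find_block(show_output, header))
    return (v["end"] - v["start"]).days


def rollover_report(show_output, auto_rollover_days=30, now=None):
    """IOS generates the rollover (shadow) CA certificate `auto-rollover` days
    before the current CA certificate expires.  Report when that falls and
    whether a shadow certificate should exist at `now` (ISO string or aware datetime)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    ca = validity(find_block(show_output, "CA Certificate"))
    rollover_on = ca["end"] - timedelta(days=auto_rollover_days)
    return {
        "ca_lifetime_days": (ca["end"] - ca["start"]).days,
        "ca_expires": ca["end"].isoformat(),
        "shadow_generated_on": rollover_on.isoformat(),
        "shadow_expected_now": now >= rollover_on,
        "days_until_shadow": (rollover_on - now).days,
    }


if __name__ == "__main__":
    # Posted config uses `auto-rollover 50`; a negative days_until_shadow means it is overdue.
    for key, value in rollover_report(SAMPLE_SHOW_CERTS, auto_rollover_days=50).items():
        print(f"{key}: {value}")
```

If `shadow_expected_now` is false, the CA has not yet reached its rollover window and there is simply no shadow certificate for a client to fetch, which is the situation the original question describes; if it is true and `show crypto pki certificates` on the CA still shows no rollover certificate, the server-side checks in the first reply (server configuration and logs) are the next step.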