01-10-2011 11:30 PM
Hi Experts,
We have a customer setup running a Cisco Virtual Office (CVO) VPN configuration on a Cisco 3845 router, which is itself acting as a CA server too. Due to an issue with the motherboard and AIM-VPN/SSL3 card, we did an RMA and replaced both of them. Now after that, we noticed that the site-to-site CVO VPN is not coming up. Upon troubleshooting, we found that the CA certificate validation is failing on the Cisco 3845 head-end router, and it says as below.
VPN-RTR-01 (config)#Do sh cry pki ser
Certificate Server pki-server:
Status: disabled, Failed to validate selfsigned CA certificate
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=pki-server,ou=cvo,o=cisco
CA cert fingerprint: 36EE85F8 019A46D0 DA8A45C0 A321371C
Granting mode is: manual
Last certificate issued serial number: 0x5B
CA certificate expiration timer: 13:39:58 UTC Nov 27 2015
CRL NextUpdate timer: 07:40:00 UTC Jan 6 2011
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
As per the Cisco guidelines, we had taken a backup of the certificates from the NVRAM of the old router and uploaded them to the new router, but we are still not able to bring it up. Any ideas what is wrong and how it can be rectified? I am attaching a partial PKI configuration here.