03-14-2017 03:13 AM
We have been running two separate certificate servers for approx two years without issue.
One of them did a forced reload the other night and from what I can tell it has lost one or both of its keys.
Does anyone know if I can reapply them? I tried to re-import them from backup, which seemed to complete, but they are still not showing:
DC-xx-xxx-RT2#sh cry pki ser
Certificate Server dmvpn-xx-RT2:
Status: disabled, Server key not found, waiting for (offline) key
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=xxVPNCERT
CA cert fingerprint: 1445C473 112DBE81 F01EFA73 F38383FD
Granting mode is: auto
Last certificate issued serial number (hex): 0
CA certificate expiration timer: 00:00:00 UTC Jan 1 1970
CRL not present.
Current primary storage dir: nvram
Database Level: Minimum - no cert data written to storage
Auto-Rollover configured, overlap period 50 days
DC-xx-xxx-RT2#
These files are in nvram:
DC-xx-xxx-RT2#dir nvram:
Directory of nvram:/
31 -rw- 32 <no date> dmvpn-xx-RT2.ser
34 -rw- 219 <no date> dmvpn-xx-RT2.crl
35 -rw- 1523 <no date> dmvpn-xx-RT2_00004.p12
44 -rw- 1523 <no date> dmvpn-xx-RT2_00001.p12
Only TP-self-signed keys are showing. The other router has two extra ones for the certificate server RSA keys:
sh cry key mypubkey rsa
Key name: TP-self-signed-xxxxxxx
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
"removed"
Key name: TP-self-signed-xxxxxxx.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
"removed"
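A check that would have caught this condition before the CA was needed, added here as an example and not part of the original post: it parses the two show outputs quoted above and flags any certificate server whose RSA key pair is absent or whose status reports the key as not found. It assumes (as the post implies for the other router) that the CA's key pair is named after the server label; the sample outputs are constructed with placeholder names.

```python
import re

# Constructed samples modelled on the post's "show crypto pki server" and
# "show crypto key mypubkey rsa" listings (placeholder names, not real keys).
PKI_SERVER_OUTPUT = """\
Certificate Server dmvpn-xx-RT2:
Status: disabled, Server key not found, waiting for (offline) key
State: check failed
Issuer name: CN=xxVPNCERT
"""

RSA_KEYS_AFTER_RELOAD = """\
Key name: TP-self-signed-1234567
Key type: RSA KEYS
Key name: TP-self-signed-1234567.server
Key type: RSA KEYS
"""

# Same router as it should look: a key pair named after the CA server exists.
RSA_KEYS_HEALTHY = RSA_KEYS_AFTER_RELOAD + "Key name: dmvpn-xx-RT2\nKey type: RSA KEYS\n"
PKI_SERVER_HEALTHY = PKI_SERVER_OUTPUT.replace(
    "disabled, Server key not found, waiting for (offline) key", "enabled")


def parse_pki_servers(text):
    """Map each 'Certificate Server NAME:' block to the text of its Status line."""
    servers, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Certificate Server (\S+):", line)
        if m:
            current = m.group(1)
            servers[current] = ""
        elif current and line.startswith("Status:"):
            servers[current] = line.split(":", 1)[1].strip()
    return servers


def parse_key_names(text):
    """List the 'Key name:' values from 'show crypto key mypubkey rsa'."""
    return [l.split(":", 1)[1].strip() for l in text.splitlines()
            if l.startswith("Key name:")]


def check_ca_keys(pki_text, rsa_text):
    """Return (server, status) for every CA server whose key pair is missing.
    Assumption: the CA's RSA key pair is named after the server label, so a
    router with only TP-self-signed-* keys (as in the post) is flagged."""
    keys = parse_key_names(rsa_text)
    findings = []
    for name, status in parse_pki_servers(pki_text).items():
        has_key = any(k == name or k.startswith(name + ".") for k in keys)
        if not has_key or "key not found" in status.lower():
            findings.append((name, status))
    return findings
```

Run it against the saved output of both routers after every reload; a non-empty result means the CA key pair must be restored from the exported PKCS#12 before the server can issue or renew certificates.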