We have a DMVPN environment which is using certificate authentication for the spoke routers.
I want to check the certificate end dates with the certificate check TCL script.
The only issue I have is that the CA certificate shows an end date year of 1903 with the "show crypto pki certificate".
When I copy the certificate to tftp and open it on my PC the end date year is 2039.
This happens on all the spoke routers, which are different models within the 800 series.
When the script is now running it always sends a syslog message that the certificate is expired.
I tried updating the IOS, and I can't use piping within TCL scripts.
How can I solve this issue?
This may be a surprising request but do you believe you could actually post the certificate here? I would like to inspect the specific contents of its Start/End Validity elements. There is a possibility that their value is so much beyond any reasonable date that the IOS probably experiences some kind of overflow.
You should understand that a certificate is by itself a public document, and there is no reason to keep it secret, as it cannot be counterfeited (to do that, you would need to steal the private key of the issuing certificate authority or break the RSA cipher - none of that is possible). I am not asking for the certificate owner's private key, only for the certificate itself.
In any case, if your regulations do not allow you to make it public, can you please at least use a decent Linux box and post the output of the following command?
openssl x509 -text -in certificate-filename.pem | grep Not
assuming you have the certificate in the PEM format saved in the certificate-filename.pem file.
Okay. Now, you are saying that the Cisco devices you are using report the certificate expiration date to be placed back at 1903. Do you have an option of creating another certificate whose expiry date is, say, 2015 or 2020, and try importing that one? I really have a feeling that we are dealing here with some kind of integer overflow.
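Added example (not part of the thread, and not Cisco code): a small Python script that parses the two "Not" lines printed by the openssl command above and shows how a signed 32-bit seconds counter would turn a 2039 expiry into a 1903 one, which is exactly the symptom the script then reports as "expired". The validity dates are constructed, since the real certificate was never posted.

```python
import datetime as dt

UTC = dt.timezone.utc
EPOCH = dt.datetime(1970, 1, 1, tzinfo=UTC)

# Constructed sample of what "openssl x509 -text -in cert.pem | grep Not"
# prints; the dates are made up, not the poster's certificate.
SAMPLE_OPENSSL_OUTPUT = """\
            Not Before: Jun  1 12:00:00 2009 GMT
            Not After : Jun  1 12:00:00 2039 GMT
"""


def parse_validity(openssl_text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    found = {}
    for line in openssl_text.splitlines():
        label, _, value = line.strip().partition(":")
        key = label.strip()
        if key in ("Not Before", "Not After"):
            value = " ".join(value.split())  # collapse openssl's day padding
            parsed = dt.datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
            found[key] = parsed.replace(tzinfo=UTC)
    return found["Not Before"], found["Not After"]


def to_signed_32(seconds):
    """Emulate storing a second count in a signed 32-bit time_t."""
    seconds &= 0xFFFFFFFF
    return seconds - 0x100000000 if seconds >= 0x80000000 else seconds


def as_seen_by_32bit_clock(when):
    """The date a signed 32-bit time_t implementation would display."""
    seconds = int((when - EPOCH).total_seconds())
    return EPOCH + dt.timedelta(seconds=to_signed_32(seconds))


def days_until_expiry(not_after, now=None):
    """Correct remaining lifetime, computed with full-width integers."""
    now = now or dt.datetime.now(UTC)
    return (not_after - now).days


def looks_expired_to_32bit_script(not_after, now=None):
    """True when the wrapped (overflowed) date lies in the past."""
    now = now or dt.datetime.now(UTC)
    return as_seen_by_32bit_clock(not_after) < now
```

Run against the real output of the openssl command: if the wrapped year comes out as 1903 while days_until_expiry is large and positive, the device is displaying a truncated time value rather than a genuinely expired certificate.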
Hey there, I have the same problem you had with the wrong end date. I created a new topic to shed some new light on an old topic:
How did you solve your problem? Would be glad if you could share your solution with us. Thanks.