07-22-2014 02:00 AM - edited 03-04-2019 11:23 PM
We have a DMVPN environment which is using certificate authentication for the spoke routers.
I want to check the certificate end dates with the certificate check TCL script.
The only issue I have is that the CA certificate shows an end date year of 1903 with "show crypto pki certificate".
When I copy the certificate to tftp and open it on my PC the end date year is 2039.
This happens on all the spoke routers, which are different models within the 800 series.
When the script is now running it always sends a syslog message that the certificate is expired.
I tried updating the IOS and I can't use piping within tcl scripts.
How can I solve this issue?
07-22-2014 05:53 AM
Hi,
This may be a surprising request but do you believe you could actually post the certificate here? I would like to inspect the specific contents of its Start/End Validity elements. There is a possibility that their value is so much beyond any reasonable date that the IOS probably experiences some kind of overflow.
Best regards,
Peter
07-22-2014 06:20 AM
I understand you'd like to analyse that but I can't post the certificate itself here.
07-22-2014 06:41 AM
Hi,
You should understand that a certificate is by itself a public document, and there is no reason for keeping it secret, as it cannot be counterfeited (to do that, you would need to steal the private key of the issuing certificate authority or break the RSA cipher - none of that is possible). I am not asking for the certificate owner's private key, only for the certificate itself.
In any case, if your regulations do not allow you to make it public, can you please at least use a decent Linux box and post the output of the following command?
openssl x509 -text -in certificate-filename.pem | grep Not
assuming you have the certificate in the PEM format saved in the certificate-filename.pem file.
Thanks!
Best regards,
Peter
07-23-2014 01:47 AM
That command gives the following output:
Not Before: Mar 11 14:03:41 2009 GMT
Not After : Mar 11 14:13:38 2039 GMT
07-23-2014 02:11 AM
Hi,
Okay. Now, you are saying that the Cisco devices you are using report the certificate expiration date as 1903. Do you have an option of creating another certificate whose expiry date is, say, 2015 or 2020, and try importing that one? I really have a feeling that we are dealing here with some kind of integer overflow.
Best regards,
Peter
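Added example (not part of the thread, and not Cisco's code): the gap between the real end date (March 2039) and the displayed one (1903) is about 136 years, which is what 2^32 seconds comes to, so Peter's overflow hypothesis is consistent with a signed 32-bit time_t wrapping past January 2038. The script below parses the two `openssl x509 -text ... | grep Not` lines posted above (reproduced here as a constructed sample), computes the epoch value of the end date, shows what a 32-bit signed counter would hold for it and which calendar date that maps to, and then does what an expiry-monitoring script should do instead of trusting the displayed value: treat an end date that precedes the start date as a likely wrap, add 2^32 seconds back once, and evaluate expiry with unbounded integers. That IOS uses a 32-bit time_t internally is an assumption; the thread only shows the symptom.

```python
"""Epoch arithmetic behind a certificate end date that displays as 1903.

Added example for the thread above; the sample output is constructed from
the two dates posted, and the 32-bit time_t model is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TWO_POW_32 = 2 ** 32

# Constructed sample: what `openssl x509 -text -in cert.pem | grep Not` printed.
SAMPLE_OPENSSL_OUTPUT = """\
            Not Before: Mar 11 14:03:41 2009 GMT
            Not After : Mar 11 14:13:38 2039 GMT
"""

# The date the original question was posted; used as "now" in the demo.
NOW_2014 = datetime(2014, 7, 22, tzinfo=timezone.utc)

_LINE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+)$")


def parse_openssl_validity(text):
    """Return {'not_before': dt, 'not_after': dt} (UTC-aware) from openssl output."""
    found = {}
    for line in text.splitlines():
        m = _LINE_RE.search(line.strip())
        if not m:
            continue
        key = "not_before" if m.group(1) == "Before" else "not_after"
        # openssl prints e.g. "Mar 11 14:13:38 2039 GMT"; %d also accepts the
        # space-padded single-digit day openssl uses ("Mar  1 ...").
        dt = datetime.strptime(m.group(2).strip(), "%b %d %H:%M:%S %Y GMT")
        found[key] = dt.replace(tzinfo=timezone.utc)
    if set(found) != {"not_before", "not_after"}:
        raise ValueError("both Not Before and Not After lines are required")
    return found


def to_epoch(dt):
    """Seconds since 1970-01-01 UTC, using Python's unbounded integers."""
    return int((dt - EPOCH).total_seconds())


def from_epoch(seconds):
    """Inverse of to_epoch; handles negative values on every platform."""
    return EPOCH + timedelta(seconds=seconds)


def wrap_int32(seconds):
    """Value a signed 32-bit time_t would hold for this epoch count."""
    return (seconds + 2 ** 31) % TWO_POW_32 - 2 ** 31


def as_32bit_time_t(dt):
    """Calendar date a 32-bit time_t implementation would display for dt."""
    return from_epoch(wrap_int32(to_epoch(dt)))


def recover_wrapped_end_date(not_before, displayed_not_after):
    """An end date that precedes the start date is most likely the true value
    minus 2**32 seconds (one signed 32-bit wrap); add that period back once."""
    if displayed_not_after < not_before:
        return from_epoch(to_epoch(displayed_not_after) + TWO_POW_32)
    return displayed_not_after


def check_expiry(not_before, not_after, now):
    """Expiry status computed with overflow-safe arithmetic: (status, days)."""
    if now < not_before:
        return ("not_yet_valid", (not_before - now).days)
    if now >= not_after:
        return ("expired", (now - not_after).days)
    return ("valid", (not_after - now).days)


if __name__ == "__main__":
    v = parse_openssl_validity(SAMPLE_OPENSSL_OUTPUT)
    shown = as_32bit_time_t(v["not_after"])
    print("real end date      :", v["not_after"])
    print("32-bit time_t view :", shown)
    print("recovered          :", recover_wrapped_end_date(v["not_before"], shown))
    print("status in 2014     :", check_expiry(v["not_before"], v["not_after"], NOW_2014))
    print("naive status       :", check_expiry(v["not_before"], shown, NOW_2014))
```

Run as-is the script prints the 2039 end date, its wrapped 1903 counterpart, the recovered 2039 value, and the two expiry verdicts (the naive one reports "expired", which is exactly the spurious syslog message from the original post). A monitoring script that sees end < start should raise an "implausible validity period" alert rather than an "expired" one, since the certificate is in fact valid for decades.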
07-23-2014 03:08 AM
The certificate for the authentication process, which has a valid period of 3 years, is showing the correct year.
I'll try to upload a certificate with a longer valid period and check how the year is being displayed.
04-04-2018 01:08 AM
Hey there, I have the same problem as you had with the wrong end date. I created a new topic to shed some new light on an old topic:
https://supportforums.cisco.com/t5/vpn/pki-certificates-with-wrong-end-date/m-p/3360204#M121889
How did you solve your problem? Would be glad if you could share your solution with us. Thanks.