how to restore router with PKI certs.

Desmond Lee
Level 1

Hi, I have a router with 2 PKI certs from the production environment. The configuration is something like below (only PKI-related info is shown). How do I transfer everything from here to another router if it fails?

 

1. Can I just copy the whole running or startup config to the new router? Will it auto-generate the .cer files in the nvram?

 

2. Or use the "crypto pki enroll <trustpoint name>" command to request the new certs? But how do I generate 2 certs from a CA? I got something like the below: only 1 cert max.


"Trustpoint xx has already enrolled and has a router cert issued to it.
If you successfully re-enroll this trustpoint,the existing certificate will be replaced."

 

Thanks in advance for any advice.

 

=============================================================================

crypto pki trustpoint CA1
 enrollment mode ra
 enrollment url http://1xx.6x.8x.1xx:80/certsrv/mscep/mscep.dll
 revocation-check none
 source interface Loopback0
!

// the 2 certs below as shown in running-config, both under CA1

 

crypto pki certificate chain CA1
 certificate 6xxxxxxxxxxxxxxxx36
(truncated data key)
 certificate ca 5xxxxxxxxxxxxxxxxxxxxxxxxx80C
(truncated data key)

 

===========================================================================

// info of the certs

 

(router) #sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 6xxxxxxDxxxxxxxxxx36
  Certificate Usage: General Purpose
  Issuer:
    cn=xxxxxxxxx_SVR01_Z
  Subject:
    Name: xx.xx.xx.gov.xx
    hostname=xx.xx.gov.xx
  Validity Date:
    start date: 14:10:25 GMT Jul 23 2015
    end   date: 14:20:25 GMT Jul 23 2020
  Associated Trustpoints: CA1
  Storage: nvram:#36.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5xxxxxxxxxxxxxxxxxxxxxxxxxxx80C
  Certificate Usage: Signature
  Issuer:
    cn=xxxSVR01_Z
  Subject:
    cn=xxxxSVR01_Z
  CRL Distribution Points:
    http://xx_ca1/CertEnroll/xxxxxx.crl
  Validity Date:
    start date: 09:56:36 GMT Jun 6 2011
    end   date: 10:05:45 GMT Jun 6 2021
  Associated Trustpoints: xxCA1
  Storage: nvram:#F80CCA.cer

============================================================================

Directory of nvram:/

  236  -rw-       15448                    <no date>  startup-config
  237  ----        3795                    <no date>  private-config
  238  -rw-       15448                    <no date>  underlying-config
    1  -rw-        2945                    <no date>  cwmp_inventory
    4  ----         118                    <no date>  persistent-data
    5  ----           0                    <no date>  rf_cold_starts
    7  -rw-         694                    <no date>  ifIndex-table
    8  -rw-        1255                    <no date>  #36.cer
  12  -rw-        1446                    <no date>  #F80CCA.cer

 

===========================================================================

END

 

 

2 Replies

Julio E. Moisa
VIP Alumni

Hi

You cannot just copy and paste it on another router; basically you must generate the certificate using the following commands (step by step):

1) crypto pki trustpoint <name of the server/trustpoint>

    crypto pki trustpoint CA1

 

2) crypto pki authenticate <name of the server/trustpoint>

    crypto pki authenticate CA1

 

3) crypto pki enroll <name of the server/trustpoint>; here it will request the password configured on the server/trustpoint when the certificate was created.

    crypto pki enroll CA1

 

Now remember that the server/trustpoint and the client router must have the same date and time to sync; you can use NTP or modify the date/time manually to match, or to be a little bit higher on the client.

 

Hope it is useful

:-) 




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Hi Julio, thanks.

 

But I do have a little problem with generating more than 1 cert from the same trustpoint.

 

From my current config, I do have 2 certs.

 

crypto pki certificate chain CA1
 certificate 6xxxxxxxxxxxxxxxx36
 (truncated data key)
 certificate ca 5xxxxxxxxxxxxxxxxxxxxxxxxx80C

 

But when I try enrolling more than once, it says something like "this trustpoint already has a cert, the current cert will be replaced, do you want to continue? (yes/no)"

 

Any advice for this?

 

Thanks
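An added example (my own, not from anyone in this thread) that bears on the two-certificate question above: in IOS the "certificate ca <serial>" entry under a trustpoint is the CA's own certificate, which "crypto pki authenticate" imports, and the "certificate <serial>" entry is the router certificate that "crypto pki enroll" obtains, so a trustpoint normally holds exactly that pair. The Python below parses "show crypto pki certificates" output in the format shown in the thread (the sample text is constructed; trustpoint name CA1 and the dates are reused from the post, serial lines are omitted) and reports, per trustpoint, whether both certificates are present and how many days remain before the earliest expiry, which is the check to run before and after a restore or re-enrollment.

```python
# Added example (not from the thread): parse 'show crypto pki certificates' output into a per-trustpoint check.
import re
from datetime import datetime

# Constructed sample, laid out like the output in the thread above (serial lines omitted).
SAMPLE = """\
Certificate
  Validity Date:
    start date: 14:10:25 GMT Jul 23 2015
    end   date: 14:20:25 GMT Jul 23 2020
  Associated Trustpoints: CA1

CA Certificate
  Validity Date:
    start date: 09:56:36 GMT Jun 6 2011
    end   date: 10:05:45 GMT Jun 6 2021
  Associated Trustpoints: CA1
"""
DATE_FMT = "%H:%M:%S GMT %b %d %Y"   # IOS prints e.g. "14:10:25 GMT Jul 23 2015"

def parse_certificates(text):
    """One dict per certificate block: kind, trustpoint, start, end."""
    certs = []
    for line in text.splitlines():
        if line and not line[0].isspace():        # an unindented line starts a new block
            certs.append({"kind": line.strip()})
            continue
        if not certs:
            continue
        m = re.match(r"\s+(start|end)\s+date:\s+(.+)$", line)
        if m:
            certs[-1][m.group(1)] = datetime.strptime(m.group(2).strip(), DATE_FMT)
        m = re.match(r"\s+Associated Trustpoints:\s+(\S+)", line)
        if m:
            certs[-1]["trustpoint"] = m.group(1)
    return certs

def trustpoint_report(certs, now):
    """Per trustpoint: has_ca, has_identity, days_left (negative once a cert has expired)."""
    report = {}
    for c in certs:
        tp = report.setdefault(c["trustpoint"], {"has_ca": False, "has_identity": False, "days_left": None})
        if c["kind"] == "CA Certificate":         # the CA's cert, imported by 'crypto pki authenticate'
            tp["has_ca"] = True
        elif c["kind"] == "Certificate":          # the router's own cert, issued via 'crypto pki enroll'
            tp["has_identity"] = True
        days = (c["end"] - now).days
        if tp["days_left"] is None or days < tp["days_left"]:
            tp["days_left"] = days
    return report
```

Because the validity check is a plain date comparison against the clock you pass in, the same code also shows why a router with a wrong clock can reject a perfectly good certificate, which is the NTP point made in the first reply.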

 

 
