08-19-2018 01:53 AM - edited 08-19-2018 01:57 AM
Hi, I have a router with 2 PKI certs from the production environment. The configuration is something like below (only PKI-related info is shown). How do I transfer everything from here to another router if it fails?
1. Can I just copy the whole running or startup config to the new router? Will it auto-generate the .cer files in the nvram?
2. Or use the `crypto pki enroll <trustpoint name>` command to request the new certs? But how do I generate 2 certs from a CA? I got something like the below - only 1 cert max.
"Trustpoint xx has already enrolled and has a router cert issued to it.
If you successfully re-enroll this trustpoint, the existing certificate will be replaced."
Thanks in advance for any advice.
=============================================================================
crypto pki trustpoint CA1
enrollment mode ra
enrollment url http://1xx.6x.8x.1xx:80/certsrv/mscep/mscep.dll
revocation-check none
source interface Loopback0
!
// the 2 certs below as shown in running-config, both under CA1
crypto pki certificate chain CA1
certificate 6xxxxxxxxxxxxxxxx36
(truncated data key)
certificate ca 5xxxxxxxxxxxxxxxxxxxxxxxxx80C
(truncated data key)
===========================================================================
//info of the certs
(router) #sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 6xxxxxxDxxxxxxxxxx36
Certificate Usage: General Purpose
Issuer:
cn=xxxxxxxxx_SVR01_Z
Subject:
Name: xx.xx.xx.gov.xx
hostname=xx.xx.gov.xx
Validity Date:
start date: 14:10:25 GMT Jul 23 2015
end date: 14:20:25 GMT Jul 23 2020
Associated Trustpoints: CA1
Storage: nvram:#36.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 5xxxxxxxxxxxxxxxxxxxxxxxxxxx80C
Certificate Usage: Signature
Issuer:
cn=xxxSVR01_Z
Subject:
cn=xxxxSVR01_Z
CRL Distribution Points:
http://xx_ca1/CertEnroll/xxxxxx.crl
Validity Date:
start date: 09:56:36 GMT Jun 6 2011
end date: 10:05:45 GMT Jun 6 2021
Associated Trustpoints: xxCA1
Storage: nvram:#F80CCA.cer
============================================================================
Directory of nvram:/
236 -rw- 15448 <no date> startup-config
237 ---- 3795 <no date> private-config
238 -rw- 15448 <no date> underlying-config
1 -rw- 2945 <no date> cwmp_inventory
4 ---- 118 <no date> persistent-data
5 ---- 0 <no date> rf_cold_starts
7 -rw- 694 <no date> ifIndex-table
8 -rw- 1255 <no date> #36.cer
12 -rw- 1446 <no date> #F80CCA.cer
===========================================================================
END
08-19-2018 05:56 AM - edited 08-19-2018 05:59 AM
Hi
You cannot just copy and paste it onto another router; basically you must generate the certificate using the following commands (step by step):
1) crypto pki trustpoint <name of the server/trustpoint>
crypto pki trustpoint CA1
2) crypto pki authenticate <name of the server/trustpoint>
crypto pki authenticate CA1
3) crypto pki enroll <name of the server/trustpoint>; here it will request the password configured on the server/trustpoint when the certificate was created.
crypto pki enroll CA1
Now remember that the server/trustpoint and the client router must have the same date and time to sync; you can use NTP or modify the date/time manually to match, or to be a little bit ahead on the client.
Hope it is useful
:-)
08-20-2018 03:08 AM - edited 08-20-2018 03:08 AM
Hi Julio, thanks.
But I do have a little problem with generating more than 1 cert from the same trustpoint.
From my current config, I do have 2 certs.
crypto pki certificate chain CA1
certificate 6xxxxxxxxxxxxxxxx36
(truncated data key)
certificate ca 5xxxxxxxxxxxxxxxxxxxxxxxxx80C
But when I try enrolling more than once, it will say something like "this trustpoint already has a cert, the current cert will be replaced, do you want to continue? (yes/no)"
Any advice for this?
Thanks
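The two entries under CA1 in the first post, as an added example that is not from this thread or from Cisco: a Python parser for `show crypto pki certificates` output that tells the CA certificate (installed by `crypto pki authenticate`) apart from the router's own identity certificate (requested by `crypto pki enroll`), and derives the per-trustpoint rebuild steps for a replacement router plus any certificate already expired on a given date. The sample output, serials and hostnames are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample shaped like `show crypto pki certificates`; placeholder serials.
SAMPLE = """\
Certificate
  Certificate Serial Number (hex): 6AAA0036
    end date: 14:20:25 GMT Jul 23 2020
  Associated Trustpoints: CA1
CA Certificate
  Certificate Serial Number (hex): 5AAAF80C
    end date: 10:05:45 GMT Jun 6 2021
  Associated Trustpoints: CA1
"""
HEADER = re.compile(r"^(CA Certificate|Certificate)$")
END_DATE = re.compile(r"end\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3} \d{1,2} \d{4})")
FIELDS = {"Certificate Serial Number (hex)": "serial", "Associated Trustpoints": "trustpoint"}
ORDER = ("trustpoint", "authenticate", "enroll")  # the order the IOS steps must run in

def parse_pki_certificates(text):
    """One dict per certificate. kind='ca' is the CA cert that `crypto pki authenticate`
    installs; kind='router' is the identity cert issued after `crypto pki enroll`.
    A trustpoint holds both, which is why CA1 shows two entries. The identity cert is
    useless without its RSA private key, which lives in private-config/NVRAM and is
    never part of the running-config text, so copying the config cannot carry it over."""
    certs, cur = [], {}  # fields before the first header land in a discarded dict
    for line in (raw.strip() for raw in text.splitlines()):
        head = HEADER.match(line)
        key, _, value = line.partition(":")
        if head:
            cur = {"kind": "ca" if head.group(1).startswith("CA") else "router"}
            certs.append(cur)
        elif key in FIELDS:
            cur[FIELDS[key]] = value.strip()
        elif (d := END_DATE.match(line)):
            cur["end"] = datetime.strptime(" ".join(d.groups()), "%H:%M:%S %b %d %Y")
    return certs

def rebuild_plan(certs, today_iso):
    """Per trustpoint: IOS steps to recreate its chain, and serials expired on today_iso."""
    today, plan = datetime.fromisoformat(today_iso), {}
    for c in certs:
        name = c["trustpoint"]
        tp = plan.setdefault(name, {"steps": [f"crypto pki trustpoint {name}"], "expired": []})
        step = f"crypto pki {'authenticate' if c['kind'] == 'ca' else 'enroll'} {name}"
        if step not in tp["steps"]:
            tp["steps"].append(step)
        if c["end"] < today:
            tp["expired"].append(c["serial"])
    for tp in plan.values():  # authenticate the CA before enrolling, as the answer lists
        tp["steps"].sort(key=lambda s: ORDER.index(s.split()[2]))
    return plan
```

Run against real output pasted into SAMPLE to get the exact authenticate/enroll sequence per trustpoint and to spot certificates that would expire before the replacement router is brought up.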