
how to restore router with PKI certs.

Desmond Lee
Level 1

Hi, I have a router with 2 PKI certs from the production environment. The configuration is something like below (only the PKI-related info is shown). How do I transfer everything from here to another router if it fails?

 

1. Can I just copy the whole running or startup config to the new router? Will it auto-generate the .cer files in the nvram?

 

2. Or use the "crypto pki enroll <trustpoint name>" command to request the new certs? But how do I generate 2 certs from a CA? I got something like the below - only 1 cert max.


"Trustpoint xx has already enrolled and has a router cert issued to it.
If you successfully re-enroll this trustpoint, the existing certificate will be replaced."

 

Thanks in advance for any advice.

 

=============================================================================

crypto pki trustpoint CA1
 enrollment mode ra
 enrollment url http://1xx.6x.8x.1xx:80/certsrv/mscep/mscep.dll
 revocation-check none
 source interface Loopback0
!

// the 2 certs below as shown in running-config, both under CA1

 

crypto pki certificate chain CA1
 certificate 6xxxxxxxxxxxxxxxx36
(truncated data key)
certificate ca 5xxxxxxxxxxxxxxxxxxxxxxxxx80C

(truncated data key)

 

===========================================================================

//info of the certs

 

(router) #sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 6xxxxxxDxxxxxxxxxx36
  Certificate Usage: General Purpose
  Issuer:
    cn=xxxxxxxxx_SVR01_Z
  Subject:
    Name: xx.xx.xx.gov.xx
    hostname=xx.xx.gov.xx
  Validity Date:
    start date: 14:10:25 GMT Jul 23 2015
    end   date: 14:20:25 GMT Jul 23 2020
  Associated Trustpoints: CA1
  Storage: nvram:#36.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5xxxxxxxxxxxxxxxxxxxxxxxxxxx80C
  Certificate Usage: Signature
  Issuer:
    cn=xxxSVR01_Z
  Subject:
    cn=xxxxSVR01_Z
  CRL Distribution Points:
    http://xx_ca1/CertEnroll/xxxxxx.crl
  Validity Date:
    start date: 09:56:36 GMT Jun 6 2011
    end   date: 10:05:45 GMT Jun 6 2021
  Associated Trustpoints: xxCA1
  Storage: nvram:#F80CCA.cer

============================================================================

Directory of nvram:/

  236  -rw-       15448                    <no date>  startup-config
  237  ----        3795                    <no date>  private-config
  238  -rw-       15448                    <no date>  underlying-config
    1  -rw-        2945                    <no date>  cwmp_inventory
    4  ----         118                    <no date>  persistent-data
    5  ----           0                    <no date>  rf_cold_starts
    7  -rw-         694                    <no date>  ifIndex-table
    8  -rw-        1255                    <no date>  #36.cer
  12  -rw-        1446                    <no date>  #F80CCA.cer

 

===========================================================================

END

2 Replies

Hi

You cannot just copy and paste it onto the other router; basically you must generate the certificate using the following commands (step by step):

1) crypto pki trustpoint <name of the server/trustpoint>

    crypto pki trustpoint CA1

 

2) crypto pki authenticate <name of the server/trustpoint>

    crypto pki authenticate CA1

 

3) crypto pki enroll <name of the server/trustpoint>; here it will request the password configured on the server/trustpoint when the certificate was created.

    crypto pki enroll CA1

 

Now remember that the server/trustpoint and the client router must have the same date and time (in sync); you can use NTP, or modify the date/time manually to match or to be a little bit ahead on the client.

 

Hope it is useful

:-) 




>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<
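The two procedures discussed in this thread (moving an existing trustpoint to a replacement router, and re-enrolling from scratch as in the three steps above) laid out end to end as an added example; this is not configuration from either poster. The trustpoint settings are taken from the original post; the TFTP server 192.0.2.10, the NTP server 192.0.2.5, the bundle file name and the passphrase placeholder are assumptions for illustration. The security-relevant point: the router certificate is worthless on another box without its private key, and that key lives in private-config, not in running-config, so copying the config never carries it across.

```cisco
! ===== Old (production) router: can the trustpoint's RSA key leave the box? =====
! Look for "Key is exportable." on the key pair CA1 uses. If it reads
! "Key is not exportable." the PKCS#12 path (A) is closed; use path B on the new router.
show crypto key mypubkey rsa

! Path A: export key pair + router cert + CA cert as one password-protected PKCS#12 bundle.
! 192.0.2.10 and ca1-backup.p12 are assumed values for this example.
crypto pki export CA1 pkcs12 tftp://192.0.2.10/ca1-backup.p12 password <strong-passphrase>
! The bundle now contains a live private key: treat it like the key itself (encrypt at rest,
! delete from the TFTP server after import). If the old router stays in service with the same
! identity, two devices share one key; decommission the old one or have the CA revoke the cert.

! ===== New (replacement) router =====
configure terminal
 ! Clock must fall inside both certificates' validity windows or import/enroll is refused.
 ntp server 192.0.2.5
 ! Hostname and domain name must reproduce the old router's subject (hostname= in the cert).
 hostname <same-hostname-as-old-router>
 ip domain name <same-domain-as-old-router>
 ! Trustpoint settings copied from the original post.
 crypto pki trustpoint CA1
  enrollment mode ra
  enrollment url http://1xx.6x.8x.1xx:80/certsrv/mscep/mscep.dll
  revocation-check none
  source interface Loopback0
 exit

 ! Path A: one import restores the key pair, the router certificate and the CA certificate under CA1.
 crypto pki import CA1 pkcs12 tftp://192.0.2.10/ca1-backup.p12 password <strong-passphrase>

 ! Path B (key not exportable, or no backup): re-enroll. This is what produces the two entries
 ! seen in the original running-config: "certificate ca ..." comes from authenticate,
 ! "certificate ..." comes from enroll. A second enroll only replaces the router cert.
 crypto pki authenticate CA1
 ! Compare the CA fingerprint the router prints against one obtained out of band before answering yes.
 crypto pki enroll CA1
 ! Prompts for the SCEP challenge password that the RA/CA issued for this request.
end

! ===== Verify and persist =====
! Expect one "Certificate" block (Status: Available, Associated Trustpoints: CA1) and one
! "CA Certificate" block, matching the serial numbers from the old router.
show crypto pki certificates CA1
show crypto key mypubkey rsa
! Saving writes the certificates to nvram as #<serial-suffix>.cer files, which is where the
! #36.cer / #F80CCA.cer entries in the original directory listing came from.
write memory
```

Path A reproduces the old router's identity exactly (same key, same serial), so peers and the CA see no change; path B gives the router a new key and a new serial, so anything pinned to the old certificate (peer configs, CA records) must be updated. Either way, only the CA certificate plus one router certificate ever hang off a trustpoint; wanting a second router certificate means a second trustpoint, not a second enrollment.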

Hi Julio, thanks.

 

But I do have a little problem with generating more than 1 cert from the same trustpoint.

 

From my current config, I do have 2 certs.

 

crypto pki certificate chain CA1
 certificate 6xxxxxxxxxxxxxxxx36
 (truncated data key)
 certificate ca 5xxxxxxxxxxxxxxxxxxxxxxxxx80C

 

But when I try enrolling more than once, it says something like "this trustpoint already has a cert, the current cert will be replaced, do you want to continue? (yes/no)".

 

Any advice for this?

 

Thanks
