APIC-EM Certificate authority for DMVPN tunnels

carl_townshend
Spotlight

Hi All

I have recently set up APIC-EM IWAN app to deploy SDWAN.

What I want to know is, when the self-signed cert for the server needs to be renewed, what will happen to the devices that are using it? Will they check in so long before, or will the server push the new cert out automatically at the time it expires?

cheers

1 Reply

Francesco Molino
VIP Alumni

Hi

I've used APIC-EM as a certificate authority only 2 times. I more often use corporate PKIs, with or without ISE in the picture as a SubCA.

Anyways, your routers are getting the cert using SCEP, I believe. On APIC-EM itself, the certificate has to be renewed manually, but on the router side, if configured with auto-enroll, the router will try to renew its cert after a remaining validity time. If you configured auto-enroll 85 regenerate, this means that after 85% of the cert lifetime, the router will regenerate its cert. In more detail, if your cert is valid for 1 year (365 days), 85% means the router will try to regenerate its cert after 310 days.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
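
The renewal timing described in the reply above can be checked from the validity dates a router reports. This is an added example, not code from the thread or from Cisco: the sample output is constructed, the function names are hypothetical, and it assumes the date layout printed by `show crypto pki certificates` and a `now` value taken in the same clock zone as the device.

```python
import re
from datetime import datetime

# Constructed sample, laid out like IOS "show crypto pki certificates" output.
SAMPLE = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 0A
  Certificate Usage: General Purpose
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2023
    end   date: 00:00:00 UTC Jan 1 2024
  Associated Trustpoints: example-tp
"""

# Matches "start date:" / "end   date:" lines; the zone name is captured but unused.
DATE_RE = re.compile(
    r"^\s*(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(\w{3})\s+(\d{1,2})\s+(\d{4})\s*$",
    re.M,
)

def parse_validity(text):
    """Return (not_before, not_after) of the first certificate in the output."""
    found = {}
    for kind, clock, _zone, mon, day, year in DATE_RE.findall(text):
        stamp = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        found.setdefault(kind, stamp)  # keep the first certificate only
    if "start" not in found or "end" not in found:
        raise ValueError("no validity dates found in input")
    return found["start"], found["end"]

def renewal_point(not_before, not_after, percent=85):
    """Time at which `percent` of the certificate lifetime has elapsed."""
    if not 0 < percent <= 100:
        raise ValueError("percent must be in (0, 100]")
    return not_before + (not_after - not_before) * percent / 100

def check(text, now, percent=85):
    """Classify a certificate against its auto-enroll renewal point."""
    start, end = parse_validity(text)
    if now >= end:
        return "EXPIRED"
    if now >= renewal_point(start, end, percent):
        return "PAST_RENEWAL_POINT"  # timer should have fired: confirm a new cert was issued
    return "OK"

if __name__ == "__main__":
    print(renewal_point(*parse_validity(SAMPLE)))
    print(check(SAMPLE, datetime(2023, 12, 1)))
```

A device that stays in `PAST_RENEWAL_POINT` across several polls is the one to look at first, since its re-enrollment against the CA has not produced a certificate with new validity dates.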