03-11-2014 02:06 AM - edited 03-07-2019 06:38 PM
Hi,
A few days ago, we received these logs from a 3750-X stack (IOS version 15.0(2)SE2):
Mar 8 11:11:52.680: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days
Mar 8 11:11:52.680: %PKI-4-TRUSTPOOL_AUTO_UPDATE_DISABLED: Auto-trustpool update is disabled.
If I look at the documentation "PKI Trustpool Management", it's written:
The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions..... The PKI trustpool timer matches the CA certificate with the earliest expiration time. If the timer is running and a bundle location is not configured and not explicitly disabled, syslog warnings are issued to alert the administrator that the PKI trustpool policy option is not set.
PKI Trustpool Management is enabled by default... But is it possible to disable it? If yes, how?
Because we don't use "https server" on our 3750-X, I think it isn't necessary to use "PKI Trustpool"... correct?
Thanks a lot for your help.
Best regards,
Sam
10-27-2014 06:56 AM
It can be ignored. My router is working without problems.
10-27-2014 03:49 AM
I have the same problem.
The trustpool will expire in 2028 and the switch starts complaining today:
Oct 26 14:22:08.937 MEST: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days.
Does anything stop working in 20 days?
switch#show crypto pki trustpool policy
Load for five secs: 35%/0%; one minute: 28%; five minutes: 29%
Time source is NTP, 11:44:56.719 MET Mon Oct 27 2014
Trustpool Policy
Chain validation will stop at the first CA certificate in the pool
Trustpool CA certificates will expire 01:59:59 MEST Aug 3 2028
10-21-2015 01:59 AM
It is possible to update the Trustpool certificates following the procedure indicated in the following document,
The command to update the certificates is:
Router(config)# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
10-28-2015 08:04 AM
The command works, however I went from 4 certs to 142 certs. And they have crazy expiration dates:
start date: 10:25:36 EDT Dec 18 2012
end date: 04:27:20 EDT Nov 12 1901
start date: 05:06:56 MDT Jul 19 2012
end date: 22:38:40 MDT Jun 12 1906
start date: 20:00:00 MDT Sep 30 1999
end date: 13:31:43 MDT Jun 10 1900
etc.
Can someone let us know if this is a best practice to issue this command on our production devices?
11-03-2015 12:09 PM
This fixes crazy expiration dates:
#test crypto pki trustpool reset
11-03-2015 12:19 PM
It fixed that. Should I still show expirations?
C2921-TestRouter-HQ#sho crypto pki trustpool
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 00E91C61EC059B9DD0
Certificate Usage: General Purpose
Issuer:
e=sbtg-noc@cisco.com
cn=OnPlus Root CA
ou=SBTG
o=Cisco Systems Inc.
l=Richardson
st=TX
c=US
Subject:
e=sbtg-noc@cisco.com
cn=OnPlus Root CA
ou=SBTG
o=Cisco Systems Inc.
l=Richardson
st=TX
c=US
Validity Date:
start date: 19:59:30 MDT Oct 9 2012
end date: 19:59:30 MDT Sep 30 2014
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: AB8A86B3 921B119C 4E41E18A 27C333B7
Fingerprint SHA1: BFEA0861 7B7E5D83 8CEA6763 9CCD4F11 0757A9E6
X509v3 extensions:
X509v3 Subject Key ID: 2CFBCBC5 7D021FB1 E2D80E08 162714CA 0EE14235
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 2CFBCBC5 7D021FB1 E2D80E08 162714CA 0EE14235
Authority Info Access:
Associated Trustpoints: Trustpool
Trustpool: Built-In
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 0A0141420000012BD040B46700000002
Certificate Usage: Signature
Issuer:
cn=DST Root CA X3
o=Digital Signature Trust Co.
Subject:
cn=Cisco SSCA2
o=Cisco Systems
CRL Distribution Points:
http://crl.identrust.com/DSTROOTCAX3.crl
Validity Date:
start date: 15:25:22 MDT Oct 21 2010
end date: 15:25:22 MDT Oct 22 2015
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 95FBA1E4 32EC168D 90A86611 A1140656
Fingerprint SHA1: F72A68DE 062A0C3B 198FAB1C BC87678B 1183CBC6
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: C7B01008 2FF0185F 1F904A4B 2A47AA0B 575FA4BB
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: C4A7B1A4 7B2C71FA DBE14B90 75FFC415 60858910
Authority Info Access:
OCSP URL: http://ocspts.identrust.com
X509v3 CertificatePolicies:
Policy: 1.3.6.1.4.1.9.21.1.1.0
Qualifier ID: 1.3.6.1.5.5.7.2.1
Qualifier Info: http://www.cisco.com/security/pki/policies/index.html
Extended Key Usage:
1.3.6.1.4.1.311.21.6
1.3.6.1.4.1.311.20.2.1
1.3.6.1.4.1.311.10.3.9
1.3.6.1.4.1.311.10.3.1
OCSP Signing
Time Stamping
IPSEC User
IPSEC Tunnel
IPSEC End System
Email Protection
Code Signing
Client Auth
Server Auth
Associated Trustpoints: Trustpool
Trustpool: Built-In
Thanks for your reply.
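An added example, not from the thread or from Cisco: it parses a `show crypto pki trustpool` capture and flags the two conditions discussed above, certificates near or past expiry (the condition behind the %PKI-4-TRUSTPOOL_EXPIRATION_WARNING timer, which tracks the earliest-expiring CA certificate) and the reversed "end date before start date" entries seen after the bundle import. The sample output is a constructed excerpt (the Cisco SSCA2 dates are copied from the thread, the second certificate is made up), and the time-zone token is ignored, so comparisons are at day precision.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of `show crypto pki trustpool`: real Cisco SSCA2 dates from the thread, plus a made-up entry with a pre-1950 end date.
SAMPLE_OUTPUT = """\
CA Certificate
Issuer:
cn=DST Root CA X3
Subject:
cn=Cisco SSCA2
Validity Date:
start date: 15:25:22 MDT Oct 21 2010
end date: 15:25:22 MDT Oct 22 2015
CA Certificate
Subject:
cn=Constructed Imported CA
Validity Date:
start date: 10:25:36 EDT Dec 18 2012
end date: 04:27:20 EDT Nov 12 1901
"""
# "end date: 15:25:22 MDT Oct 22 2015" -> (which, clock, calendar); the zone token is dropped.
DATE_RE = re.compile(r"^(start|end) date: (\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})$")

def parse_trustpool(text):
    """One dict per 'CA Certificate' block, keyed on the subject cn (issuer cn is skipped)."""
    certs, in_subject = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "CA Certificate":
            certs.append({"cn": None, "start": None, "end": None})
        elif line.endswith(":"):        # section header: Issuer:, Subject:, Validity Date:, ...
            in_subject = line == "Subject:"
        elif in_subject and line.startswith("cn=") and certs:
            certs[-1]["cn"] = line[3:]
        elif certs and (m := DATE_RE.match(line)):
            certs[-1][m.group(1)] = datetime.strptime(f"{m.group(2)} {m.group(3)}", "%H:%M:%S %b %d %Y")
    return certs

def classify(c, now, warn_days):
    if c["start"] is None or c["end"] is None: return "unparsed"
    if c["end"] < c["start"]:
        return "implausible"   # end before start: a bad bundle or display bug, not a real validity
    if c["end"] < now:
        return "expired"
    if c["end"] - now <= timedelta(days=warn_days):
        return "expiring"      # the condition behind %PKI-4-TRUSTPOOL_EXPIRATION_WARNING
    return "ok"

def audit(text, now_iso, warn_days=20):
    # now_iso is the reference date as an ISO string, e.g. "2015-11-03" (the date of the post above).
    now = datetime.fromisoformat(now_iso)
    return [(c["cn"], classify(c, now, warn_days)) for c in parse_trustpool(text)]
```

Run `audit(SAMPLE_OUTPUT, "2015-11-03")` to see the SSCA2 certificate reported as expired and the constructed entry as implausible; an "implausible" result is the signal to run the reset shown above rather than to trust the displayed validity.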