Solved: Trustpool expiration on 3750-X

s.fasel · ‎03-11-2014

Hi,

few days ago, we received these logs from a 3750-X stack (IOS version 15.0(2)SE2):

Mar 8 11:11:52.680: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days

Mar 8 11:11:52.680: %PKI-4-TRUSTPOOL_AUTO_UPDATE_DISABLED: Auto-trustpool update is disabled.

if I look the documentation "PKI Trustpool Management" , it's wrote:

The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions..... The PKI trustpool timer matches the CA certificate with the earliest expiration time. If the timer is running and a bundle location is not configured and not explicitly disabled, syslog warnings are issued to alert the administrator that the PKI trustpool policy option is not set.

PKI Trustpool Management is enabled by default... But, it's possible to disable it ? if yes, how ?

because we don't use "https server" on our 3750-X, I think that isn't necessary to use "PKI Trustpool"... correct ?

thanks a lot for your help

best regards

Sam

zhao lu · ‎10-27-2014

It can be ignored. My router is working without problems.

View solution in original post

kerstin-534 · ‎10-27-2014

I have the same problem

trustpool will expire 2028 and the switch starts complaining today

Oct 26 14:22:08.937 MEST: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days.

Does anything stop working in 20 days ??

switch#show crypto pki trustpool policy
Load for five secs: 35%/0%; one minute: 28%; five minutes: 29%
Time source is NTP, 11:44:56.719 MET Mon Oct 27 2014

Trustpool Policy

Chain validation will stop at the first CA certificate in the pool
Trustpool CA certificates will expire 01:59:59 MEST Aug 3 2028

zhao lu · ‎10-27-2014

It can be ignored. My router is working without problems.

o.melendres · ‎10-21-2015

It is possible to update the Trustpool certificates following the procedure indicated in the following document,

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-pki-trustpool-mgmt.html

The command to update the certificates is:

Router(config)# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

kbyrd · ‎10-28-2015

The command works, however I went from 4 certs to 142 certs. And they have crazy expiration dates:

start date: 10:25:36 EDT Dec 18 2012
end date: 04:27:20 EDT Nov 12 1901

start date: 05:06:56 MDT Jul 19 2012
end date: 22:38:40 MDT Jun 12 1906

start date: 20:00:00 MDT Sep 30 1999
end date: 13:31:43 MDT Jun 10 1900

etc.

Can someone let us know if this is a best practice to issue this command on our production devices?

reijo.hakala · ‎11-03-2015

This fixes crazy expiration dates:

#test crypto pki trustpool reset

kbyrd · ‎11-03-2015

It fixed that. Should I still show expirations?

C2921-TestRouter-HQ#sho crypto pki trustpool
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 00E91C61EC059B9DD0
Certificate Usage: General Purpose
Issuer:
    e=sbtg-noc@cisco.com
    cn=OnPlus Root CA
    ou=SBTG
    o=Cisco Systems Inc.
    l=Richardson
    st=TX
    c=US
Subject:
    e=sbtg-noc@cisco.com
    cn=OnPlus Root CA
    ou=SBTG
    o=Cisco Systems Inc.
    l=Richardson
    st=TX
    c=US
Validity Date:
    start date: 19:59:30 MDT Oct 9 2012
    end   date: 19:59:30 MDT Sep 30 2014
Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (4096 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: AB8A86B3 921B119C 4E41E18A 27C333B7
Fingerprint SHA1: BFEA0861 7B7E5D83 8CEA6763 9CCD4F11 0757A9E6
X509v3 extensions:
    X509v3 Subject Key ID: 2CFBCBC5 7D021FB1 E2D80E08 162714CA 0EE14235
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 2CFBCBC5 7D021FB1 E2D80E08 162714CA 0EE14235
    Authority Info Access:
Associated Trustpoints: Trustpool
Trustpool: Built-In

CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 0A0141420000012BD040B46700000002
Certificate Usage: Signature
Issuer:
    cn=DST Root CA X3
    o=Digital Signature Trust Co.
Subject:
    cn=Cisco SSCA2
    o=Cisco Systems
CRL Distribution Points:
    http://crl.identrust.com/DSTROOTCAX3.crl
Validity Date:
    start date: 15:25:22 MDT Oct 21 2010
    end   date: 15:25:22 MDT Oct 22 2015
Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 95FBA1E4 32EC168D 90A86611 A1140656
Fingerprint SHA1: F72A68DE 062A0C3B 198FAB1C BC87678B 1183CBC6
X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: C7B01008 2FF0185F 1F904A4B 2A47AA0B 575FA4BB
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: C4A7B1A4 7B2C71FA DBE14B90 75FFC415 60858910
    Authority Info Access:
        OCSP URL: http://ocspts.identrust.com
    X509v3 CertificatePolicies:
        Policy: 1.3.6.1.4.1.9.21.1.1.0
            Qualifier ID: 1.3.6.1.5.5.7.2.1
            Qualifier Info: http://www.cisco.com/security/pki/policies/index.html
    Extended Key Usage:
        1.3.6.1.4.1.311.21.6
        1.3.6.1.4.1.311.20.2.1
        1.3.6.1.4.1.311.10.3.9
        1.3.6.1.4.1.311.10.3.1
        OCSP Signing
        Time Stamping
        IPSEC User
        IPSEC Tunnel
        IPSEC End System
        Email Protection
        Code Signing
        Client Auth
        Server Auth
Associated Trustpoints: Trustpool
Trustpool: Built-In

Thanks for your reply.