I would like to know about certificate renewal and rollover for a VPN setup.
I have now deployed a VPN setup and am using manual enrollment for certificate enrollment. Please see the sample configuration below. My certificate lifetime is 2 years, so I need to plan before the certificate lifetime expires.
So I would like to know: can I do auto-enrollment for all routers, like a domain environment with group policy?
Can I renew the certificate on the routers without disrupting operation?
What is the best practice for doing this?
crypto pki trustpoint my-ca
 subject-name CN=R1,OU=net
Yes, you can use SCEP to automatically enroll and re-enroll when the certificate is due for renewal.
Under the trustpoint you'd specify the enrollment url of the SCEP server (in this example the SCEP server is a Windows server). Use the command auto-enroll to regenerate/re-enroll the certificate.
crypto pki trustpoint LAB_PKI
 ! SCEP enrollment endpoint on the Windows (NDES/MSCEP) server
 enrollment url http://192.168.10.5:80/certsrv/mscep/mscep.dll
 ! request a new certificate (with a new key pair) once 30% of the current certificate's lifetime has elapsed
 auto-enroll 30 regenerate
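As an added example (not part of the answer above), here is a fuller version of the same idea on IOS: a trustpoint that enrolls and later re-enrolls over SCEP against a Windows NDES server, the one-time bootstrap commands, the IKEv2 profile that references the trustpoint by name, and the show commands used to check that renewal is scheduled. The trustpoint name LAB_PKI and the server address are taken from the answer; the RSA key label, the subject name, the IKEv2 profile name, the match-identity domain and the renewal percentage are assumptions for illustration.

```cisco
! Added example, not the original poster's or answerer's configuration.
! Names marked with "assumed" are illustrative only.

! Key pair the trustpoint will use (label is assumed).
crypto key generate rsa label VPN-KEY modulus 2048
!
crypto pki trustpoint LAB_PKI
 ! SCEP endpoint on the Windows NDES/MSCEP server (address from the answer above)
 enrollment url http://192.168.10.5:80/certsrv/mscep/mscep.dll
 ! Subject placed in the request (assumed values)
 subject-name CN=R1,OU=net
 rsakeypair VPN-KEY
 ! Keep revocation checking on; this assumes the CRL distribution point is reachable from the router
 revocation-check crl
 ! Ask the CA for a new certificate once 80% of the current certificate's lifetime has
 ! elapsed (value assumed). "regenerate" also creates a fresh key pair for the new
 ! certificate, so the old private key is not carried forward. The router fetches the
 ! new certificate before the current one expires and switches to it at expiry, so
 ! tunnels do not have to be torn down for the renewal.
 auto-enroll 80 regenerate
!
! One-time bootstrap, typed at the exec prompt (not in configuration mode):
!   Router# crypto pki authenticate LAB_PKI   <- fetches and lets you verify the CA certificate
!   Router# crypto pki enroll LAB_PKI         <- first enrollment; NDES may prompt for its challenge password
!
! The IKEv2 profile references the trustpoint by name (profile name and domain are assumed),
! which is why keeping the same trustpoint name matters when you add auto-enroll later.
crypto ikev2 profile VPN-PROFILE
 match identity remote fqdn domain example.com
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LAB_PKI
!
! Verification, at the exec prompt:
!   Router# show crypto pki certificates LAB_PKI   <- current certificate, and the renewed one once it has been issued
!   Router# show crypto pki timers                 <- when the next renewal request is scheduled
```

Check `show crypto pki timers` after configuring auto-enroll: if no renewal timer is listed for the trustpoint, the router will not re-enroll on its own and the 2-year expiry still has to be handled manually.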
Is this config for a new setup, or can I add it to an existing environment?
If I can add it to an existing environment, can I use the existing trustpoint, because our IKE profile is bound to the trustpoint name?