Certificate Renewal and Rollover in VPN

Dear Sir,

I would like to know about certificate renewal and rollover for a VPN setup.

I have now deployed a VPN setup and am using manual enrollment for the certificates. Please see the sample configuration below. My certificate lifetime is 2 years, so I need to plan before the certificate lifetime expires.

So I would like to know: can I do auto-enrollment for all routers, like a domain environment with group policy?

Can I renew the certificates on the routers without disrupting operation?

Please let me know the best practice for doing this.

! Trustpoint for the router's VPN certificate, currently using manual (terminal) enrollment
crypto pki trustpoint my-ca
 enrollment terminal
 serial-number none
 ip-address none
 subject-name cn=R1,ou=net
 revocation-check none
 rsakeypair myca

RJI (VIP Advisor)
Re: Certificate Renewal and Rollover in VPN

Hi,

Yes, you can use SCEP to automatically enroll and re-enroll when the certificate is due for renewal.

Under the trustpoint you'd specify the enrollment url of the SCEP server (in this example the SCEP server is a Windows server). Use the command auto-enroll to regenerate/re-enroll the certificate.

crypto pki trustpoint LAB_PKI
 enrollment url http://192.168.10.5:80/certsrv/mscep/mscep.dll
 auto-enroll 30 regenerate

Example here.

HTH

Participant

Re: Certificate Renewal and Rollover in VPN

Hi,

Is this config for a new setup, or can I add it to an existing environment?

If I can add it to the existing environment, can I use the existing trustpoint, because our IKE profile is bound to the trustpoint name?
RJI (VIP Advisor)

Re: Certificate Renewal and Rollover in VPN

You can amend your existing trustpoint; you would need to enroll for a new certificate (to retrieve it from SCEP).

You should test in a lab with a short certificate lifetime to test the rollover. The router would need to be able to route to the SCEP server and retrieve the certificate using HTTP.

HTH
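The procedure from the two answers above (point the existing trustpoint at the SCEP server, enroll once, then let auto-enroll handle renewals) written out as an added example; this is not configuration from the thread or from Cisco. It keeps the original poster's trustpoint name my-ca and key label myca so an IKE profile that references the trustpoint by name is unaffected. The NDES URL (reused from the first answer), the challenge password placeholder, the 2048-bit key size, the retry values and the 70% renewal threshold are assumptions for illustration.

```cisco
! Added example (not from the thread): the original poster's trustpoint
! converted from terminal (manual) enrollment to SCEP auto-enrollment.
! Assumed values: SCEP URL, challenge password, key size, retry timers,
! and the 70% renewal threshold.
!
! 1. Replace the manual enrollment method with the SCEP URL. The trustpoint
!    name and key label are unchanged, so the IKE profile binding still works.
crypto pki trustpoint my-ca
 no enrollment terminal
 enrollment url http://192.168.10.5:80/certsrv/mscep/mscep.dll
 ! Windows NDES acts as a registration authority in front of the CA
 enrollment mode ra
 ! One-time NDES challenge password (placeholder; fetched from the NDES admin page)
 password <challenge-password>
 serial-number none
 ip-address none
 subject-name cn=R1,ou=net
 revocation-check none
 rsakeypair myca 2048
 ! Renew when 70% of the certificate lifetime has elapsed, and generate a
 ! fresh RSA key pair for the new certificate instead of reusing the old one.
 auto-enroll 70 regenerate
 ! If NDES is unreachable, retry the SCEP request every 5 minutes, up to 10 times
 enrollment retry period 5
 enrollment retry count 10
!
! 2. Fetch the CA certificate over SCEP. IOS prompts with the CA fingerprint;
!    compare it with the fingerprint obtained out of band before accepting.
crypto pki authenticate my-ca
!
! 3. Request the router's first certificate over SCEP. From here on,
!    auto-enroll renews it without operator action.
crypto pki enroll my-ca
!
! 4. Verify the installed certificate and the pending renewal timer.
show crypto pki certificates my-ca
show crypto pki timers
```

Run the authenticate and enroll steps in a maintenance window, since the initial enrollment replaces the manually installed certificate, and confirm afterwards with show crypto pki timers that a renewal timer exists. With auto-enroll, IOS requests the new certificate while the current one is still valid and installs it as a rollover certificate that takes over at expiry, so IKE peers keep working through the renewal; adding regenerate also rotates the RSA key pair at each renewal, which is the safer choice if the old private key may have been exposed. As the answer above says, test the whole cycle first with a short certificate lifetime, and make sure the CA's validity period outlasts the router certificates it issues.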