Certificate Renewal and Rollover in VPN

MrBeginner

Dear Sir,

I would like to know about certificate renewal and rollover for a VPN setup.

I have now deployed a VPN setup and am using manual enrollment for certificates. Please see a sample of my configuration below. My certificate lifetime is 2 years, so I need to plan before the certificate lifetime expires.

So I would like to know: can I do auto-enrollment for all routers, like in a domain environment with group policy?

Can I renew the certificate on the routers without disrupting operation?

Let me know the best practice for how to do this.

! Manual (terminal) enrollment: the CSR is pasted out and the certificate
! pasted back in by hand, so renewal is also a manual step.
crypto pki trustpoint my-ca
 enrollment terminal
 serial-number none
 ip-address none
 ! Fields in the subject name are comma-separated in IOS.
 subject-name cn=R1,ou=net
 revocation-check none
 rsakeypair myca

3 Replies

Hi,

Yes, you can use SCEP to automatically enroll and re-enroll when the certificate is due for renewal.

Under the trustpoint you'd specify the enrollment URL of the SCEP server (in this example the SCEP server is a Windows server). Use the command auto-enroll to regenerate/re-enroll the certificate.

! SCEP enrollment against a Windows NDES server; auto-enroll triggers the
! renewal request and "regenerate" creates a new key pair for the new
! certificate.
crypto pki trustpoint LAB_PKI
 enrollment url http://192.168.10.5:80/certsrv/mscep/mscep.dll
 auto-enroll 30 regenerate

Example here.


HTH

Hi,

Is this config for a new setup, or can I add it to an existing environment?

If I can add it to the existing environment, can I use the existing trustpoint, because our IKE profile is bound to the trustpoint name?


You can amend your existing trustpoint; you would need to enroll for a new certificate (retrieved from SCEP).

You should test in a lab with a short certificate lifetime to test the rollover. The router would need to be able to route to the SCEP server and retrieve the certificate over HTTP.

HTH
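Putting the first and third replies together, below is the shape of a SCEP-backed trustpoint with automatic rollover, followed by the exec commands used to enroll and to verify the result. This is an added example for illustration; it is not configuration from this thread or from Cisco documentation. The trustpoint name, server address, key label, subject and the 70 percent trigger are assumed placeholders, and the fingerprint value is a dummy.

```cisco
! Added example, not from the original post. Names, addresses, the subject,
! the fingerprint and the 70% trigger are assumptions for illustration.
!
! 1. Convert the existing trustpoint from terminal to SCEP enrollment.
!    Amending the trustpoint in place keeps its name, so an IKEv2 profile
!    that references "my-ca" does not need to change.
crypto pki trustpoint my-ca
 enrollment url http://192.168.10.5:80/certsrv/mscep/mscep.dll
 subject-name cn=R1,ou=net
 serial-number none
 ip-address none
 rsakeypair myca
 ! Pin the expected CA certificate fingerprint so "crypto pki authenticate"
 ! refuses a CA certificate served by the wrong host (dummy value here).
 fingerprint 0123456789ABCDEF0123456789ABCDEF
 revocation-check none
 ! Request renewal once 70% of the certificate lifetime has elapsed and
 ! generate a fresh key pair for the new certificate. IOS keeps the new
 ! certificate as a rollover certificate and switches to it when the current
 ! one expires, so the renewal itself does not tear down established tunnels.
 auto-enroll 70 regenerate
!
! 2. One-time steps from exec mode. The first enrollment needs the SCEP
!    challenge password from the NDES server; later renewals are signed with
!    the router's current certificate and run without operator action.
! Router# crypto pki authenticate my-ca
! Router# crypto pki enroll my-ca
!
! 3. Verification: the current certificate, any pending rollover certificate,
!    and the timer that will fire the next auto-enrollment.
! Router# show crypto pki certificates
! Router# show crypto pki timers
! Router# show crypto pki trustpoints status
!
! 4. Lab rehearsal: issue a short-lived certificate from the CA, wait for the
!    renewal timer to fire, then confirm the IKEv2 SAs survive the switch.
! Router# show crypto ikev2 sa
```

The percentage on auto-enroll is the fraction of the certificate lifetime after which the router asks for a renewal, so a lower number renews earlier and leaves more slack if the SCEP server is unreachable. Two caveats worth carrying into production: the CA must actually issue the renewal for rollover to happen (watch the timers output in the lab run rather than assuming it), and revocation-check none, which the original configuration also uses, means a revoked peer certificate is still accepted, so consider pointing the trustpoint at the CA's CRL or OCSP responder once the SCEP path is working.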