
PKI Auto enrollment - Auto save

lmajor
Level 1

Dear All

I'm trying to set up a DMVPN environment with a Win-based PKI infrastructure. I would use SCEP for enrollment, and I would also use the auto-enroll feature with RSA key roll-over (auto-enroll regenerate). It's working properly; however, when a new RSA key is generated by the router and the new certificate arrives via SCEP, the router stores the new values on NVRAM only. The logs contain the following: "%PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate" Is it possible to force the router to save the new RSA key and cert details into the startup config without manual intervention? (EEM could be an option, but there might be a better way to save just this info, i.e. to avoid problems if the certificate is renewed when other changes are in progress on the box.)

Thank you

Accepted Solutions

lmajor
Level 1

Dear All

Meanwhile, I figured out this topic in my lab. It looks like the device saves the new key and cert during re-certification if the running config was saved as the startup config before. But if the running config is newer than the startup config (even if somebody just entered conf t mode but did not change anything), the router will not save the new key and cert but generates the "%PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate" message.

Thank you
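The concern raised in the question (an automated save after `%PKI-4-NOAUTOSAVE` also persisting unrelated in-progress changes) can be checked before anything issues `write memory`. The sketch below is an added example, not part of the original posts and not Cisco code: it assumes the startup and running configs have already been collected as text, and it reports whether they differ only inside `crypto pki certificate chain` sections. The function names and the sample configs are constructed for illustration.

```python
# Added example; function names and sample configs are constructed.
CHAIN = "crypto pki certificate chain"
# Banner lines printed by "show running-config" / "show startup-config".
BANNERS = ("Building configuration", "Current configuration", "Using ")

def sections(config_text):
    """Split IOS config text into (header, body) top-level sections."""
    result = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!") or line.startswith(BANNERS):
            continue  # blank lines, "!" comments/timestamps, show banners
        if not line[0].isspace():      # column-0 line opens a new section
            result.append((line, []))
        elif result:                   # indented line belongs to open section
            result[-1][1].append(line.strip())
    return [(h, tuple(b)) for h, b in result]

def non_pki_changes(startup_text, running_text):
    """Headers of sections that differ outside certificate-chain sections."""
    def keep(text):
        return [s for s in sections(text) if not s[0].startswith(CHAIN)]
    old, new = keep(startup_text), keep(running_text)
    changed = [h for h, b in new if (h, b) not in old]
    changed += [h for h, b in old if (h, b) not in new and h not in changed]
    return changed

def safe_to_save(startup_text, running_text):
    """True when "write memory" would persist only certificate-chain changes."""
    return not non_pki_changes(startup_text, running_text)
# Constructed sample: startup-config before the SCEP renewal.
STARTUP = """\
! NVRAM config last updated at 10:00:00 UTC Mon Jan 1 2024
hostname SPOKE1
crypto pki trustpoint DMVPN-CA
 auto-enroll regenerate
crypto pki certificate chain DMVPN-CA
 certificate 0A
  AAAA1111
  quit
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
"""
# Running-config after renewal: only the certificate chain differs.
RENEWED = STARTUP.replace("certificate 0A\n  AAAA1111", "certificate 0B\n  BBBB2222")
# Same, plus an unrelated in-progress change that should not be auto-saved.
IN_PROGRESS = RENEWED.replace("10.0.0.2", "10.0.0.99")
if __name__ == "__main__":
    print(safe_to_save(STARTUP, RENEWED), non_pki_changes(STARTUP, IN_PROGRESS))
```

The comparison is textual only, so it cannot see the case described in the accepted solution where someone entered configuration mode without changing anything.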
