cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2114
Views
0
Helpful
3
Replies

Auto renew digital certificates periodically

ramcm.rr
Level 1
Level 1

Hello All,

I use a cisco CA server. How can I seamlessly renew the certifactes ?Should I generate a new key pair or not?

Thanks,

Ram

1 Accepted Solution

Accepted Solutions

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Ram,

With a bit of config you should not worry about generating new keys and such.

CA#sh cry pki timer

CS Timers

|    15:09:29.608

  |    15:09:29.608  CS CRL UPDATE

  |1031d 2:15:28.096  CS SHADOW CERT GENERATION

  |1061d 2:15:28.096  CS CERT EXPIRE

CA#sh run | s crypto pki server

crypto pki server CA

database archive pkcs12 password 7 030752180500701E1D

issuer-name CN=CA.cisco.com

grant auto rollover ca-cert

lifetime crl 36

cdp-url http://10.0.0.1/cgi-bin/pkiclient.exe?operation=GetCRL

auto-rollover

database url nvram:

You can consult "show crypto pki timer" to understand if autorollover is in effect.

I highlighted config and commands relevant.

Marcin

View solution in original post

3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Ram,

With a bit of config you should not worry about generating new keys and such.

CA#sh cry pki timer

CS Timers

|    15:09:29.608

  |    15:09:29.608  CS CRL UPDATE

  |1031d 2:15:28.096  CS SHADOW CERT GENERATION

  |1061d 2:15:28.096  CS CERT EXPIRE

CA#sh run | s crypto pki server

crypto pki server CA

database archive pkcs12 password 7 030752180500701E1D

issuer-name CN=CA.cisco.com

grant auto rollover ca-cert

lifetime crl 36

cdp-url http://10.0.0.1/cgi-bin/pkiclient.exe?operation=GetCRL

auto-rollover

database url nvram:

You can consult "show crypto pki timer" to understand if autorollover is in effect.

I highlighted config and commands relevant.

Marcin

Thanks Marcin. I will test it

Ram,

I assumed we were talking about rolling over the CA certificate and not user certificates?

With user certificates the only way to make the rollover automatically is to use SCEP enrollment, and yes, proper timer should be inserted into "sh crypto pki timer" in that case too.

I do not suggest generating new RSA keys, unless you're concenrned about security.

Marcin