Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2036
Views
0
Helpful
3
Replies

Auto renew digital certificates periodically

Go to solution
ramcm.rr
Level 1
Level 1

‎07-27-2011 06:56 PM

Hello All,

I use a cisco CA server. How can I seamlessly renew the certifactes ?Should I generate a new key pair or not?

Thanks,

Ram

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-28-2011 02:39 AM

Ram,

With a bit of config you should not worry about generating new keys and such. 

CA#sh cry pki timer
CS Timers
|    15:09:29.608
  |    15:09:29.608  CS CRL UPDATE
  |1031d 2:15:28.096  CS SHADOW CERT GENERATION
  |1061d 2:15:28.096  CS CERT EXPIRE
CA#sh run | s crypto pki server
crypto pki server CA
 database archive pkcs12 password 7 030752180500701E1D
 issuer-name CN=CA.cisco.com
 grant auto rollover ca-cert
 lifetime crl 36
 cdp-url http://10.0.0.1/cgi-bin/pkiclient.exe?operation=GetCRL
 auto-rollover
 database url nvram:

You can consult "show crypto pki timer" to understand if autorollover is in effect.

I highlighted config and commands relevant.

Marcin

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-28-2011 02:39 AM

Ram,

With a bit of config you should not worry about generating new keys and such. 

CA#sh cry pki timer
CS Timers
|    15:09:29.608
  |    15:09:29.608  CS CRL UPDATE
  |1031d 2:15:28.096  CS SHADOW CERT GENERATION
  |1061d 2:15:28.096  CS CERT EXPIRE
CA#sh run | s crypto pki server
crypto pki server CA
 database archive pkcs12 password 7 030752180500701E1D
 issuer-name CN=CA.cisco.com
 grant auto rollover ca-cert
 lifetime crl 36
 cdp-url http://10.0.0.1/cgi-bin/pkiclient.exe?operation=GetCRL
 auto-rollover
 database url nvram:

You can consult "show crypto pki timer" to understand if autorollover is in effect.

I highlighted config and commands relevant.

Marcin

0 Helpful

Go to solution
ramcm.rr
Level 1
Level 1
In response to Marcin Latosiewicz

‎07-28-2011 07:25 PM

Thanks Marcin. I will test it

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to ramcm.rr

‎07-29-2011 12:43 AM

Ram,

I assumed we were talking about rolling over the CA certificate and not user certificates?

With user certificates the only way to make the rollover automatically is to use SCEP enrollment, and yes, proper timer should be inserted into "sh crypto pki timer" in that case too.

I do not suggest generating new RSA keys, unless you're concenrned about security.

Marcin

0 Helpful
Customers Also Viewed These Support Documents