cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
216
Views
0
Helpful
0
Replies
Boris Simunko
Beginner

certificate gone missing from router

hello!

 

we are having some issues with a customer who uses certificates for router VPN authentication. the certificates are issued from their CA server and pushed to the routers, but it has happened on a couple of devices that the certificate would disappear from NVRAM after router reload (but it would happen randomly).

online documentation says that the certificates are saved in NVRAM by default, and if the configuration was saved they should be present after reload....

anyone had similar issues?

 

the routers are mostly 870 series with various software versions, happened on

c870-adventerprisek9-mz.124-15.T13.bin

c870-adventerprisek9-mz.124-24.T5.bin

 

the configuration and enrollment process is the following (censored):

crypto key generate rsa general-keys label XXXXXXXXXX modulus 2048
crypto ca trustpoint XXXXXXXXXX
enrollment url http://XXXXXXXXXX
subject-name CN=XXXXXXXXXX,OU=XXXXXXXXXX,DC=XXXXXXXXXX,DC=local
rsakeypair XXXXXXXXXX
revocation-check none
source interface vlan 50
password XXXXXXXXXX
 
crypto pki authenticate XXXXXXXXXX
 
crypto pki enroll XXXXXXXXXX
 
1251042#sh crypto pki certificates verbose
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 02EC
  Certificate Usage: General Purpose
  Issuer:
    cn=XXXXXXXXXX
    c=XXXXXXXXXX
    ou=XXXXXXXXXX
    o=XXXXXXXXXX
    dc=XXXXXXXXXX
    dc=local
  Subject:
    Name: 1251042.domain
    hostname=1251042.domain
    cn=1251042
    ou=XXXXXXXXXX
    dc=XXXXXXXXXX
    dc=local
  Validity Date:
    start date: 08:06:16 UTC Aug 22 2014
    end   date: 08:06:16 UTC Aug 19 2024
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: BD300580 54039A62 B4AA7E0E A0E9E25C
  Fingerprint SHA1: DAC916C4 8E4D5A6D 30C26DE5 0F8FFB7D 18141265
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: B5ED2A78 A52DE7C5 6E67621D 0BCDBDE0 5B7A3CA0
    X509v3 Authority Key ID: 7A972010 5CDCBA6B 9DD5D8D8 EA17DF2B 2973156D
    Authority Info Access:
  Associated Trustpoints: XXXXXXXXXX
  Key Label: XXXXXXXXXX
  Key storage device: private config
 
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=XXXXXXXXXX
    c=XXXXXXXXXX
    ou=XXXXXXXXXX
    o=XXXXXXXXXX
    dc=XXXXXXXXXX
    dc=local
  Subject:
    cn=XXXXXXXXXX
    c=XXXXXXXXXX
    ou=XXXXXXXXXX
    o=XXXXXXXXXX
    dc=XXXXXXXXXX
    dc=local
  Validity Date:
    start date: 14:18:59 UTC Jul 12 2012
    end   date: 14:18:59 UTC Jul 12 2032
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 3F57A1E9 0874A3C6 17612748 82626E7E
  Fingerprint SHA1: 9C3B9BB0 3E7B7DDF 842E06D6 589610DB CBC35FFF
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 7A972010 5CDCBA6B 9DD5D8D8 EA17DF2B 2973156D
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 7A972010 5CDCBA6B 9DD5D8D8 EA17DF2B 2973156D
    Authority Info Access:
  Associated Trustpoints: XXXXXXXXXX
 
crypto pki authenticate XXXXXXXXXX
crypto pki enroll XXXXXXXXXX

 

0 REPLIES 0
Content for Community-Ad