Certificate Renewal and Rollover in VPN

MrBeginner

Dear Sir,

I would like to know about certificate renewal and rollover for VPN setup.

Now I have deployed a VPN setup and am using manual enrollment for certificate enrollment. Please see below a sample of my configuration. My certificate lifetime is 2 years, so I need to plan before the certificate lifetime expires.

So I would like to know, can I do auto-enrollment for all routers, like in a domain environment from group policy?

Can I renew the certificate in the routers without disrupting the operation?

Let me know how to do this as best practice?

crypto pki trustpoint my-ca
enrollment terminal
serial-number none
ip-address none
subject-name cn=R1 ou=net
revocation-check none
rsakeypair myca


Hi,

Yes, you can use SCEP to automatically enroll and re-enroll when the certificate is due for renewal.

Under the trustpoint you'd specify the enrollment URL of the SCEP server (in this example the SCEP server is a Windows server). Use the command auto-enroll to regenerate/re-enroll the certificate.

crypto pki trustpoint LAB_PKI
enrollment url http://192.168.10.5:80/certsrv/mscep/mscep.dll
auto-enroll 30 regenerate

Example here.

HTH
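A small renewal-planning check, added here as an example and not part of the original thread: it applies the auto-enroll percentage from the reply above to 2-year certificates like the ones in the question, so you can see when each router will start re-enrolling over SCEP and how much overlap remains before the old certificate expires. The router names, dates and "now" are constructed.

```python
from datetime import datetime, timedelta

# IOS "auto-enroll <percent> regenerate" starts the SCEP re-enrollment once that
# percentage of the certificate lifetime has elapsed (default 100, i.e. at expiry).


def renewal_trigger(not_before: datetime, not_after: datetime, percent: int) -> datetime:
    """Date at which the router asks the SCEP server for a new certificate."""
    if not 1 <= percent <= 100:
        raise ValueError("auto-enroll percent must be between 1 and 100")
    lifetime = not_after - not_before
    # integer arithmetic on timedelta keeps the result exact to the microsecond
    return not_before + lifetime * percent // 100


def rollover_plan(certs, percent: int, now: datetime):
    """Classify each (router, not_before, not_after) record for a renewal plan."""
    plan = []
    for router, not_before, not_after in certs:
        trigger = renewal_trigger(not_before, not_after, percent)
        if now >= not_after:
            status = "EXPIRED"        # peers will reject this certificate; manual fix needed
        elif now >= trigger:
            status = "RENEWAL-DUE"    # auto-enroll should already be re-enrolling
        else:
            status = "OK"
        plan.append({
            "router": router,
            "trigger": trigger,
            "expires": not_after,
            "status": status,
            # window in which old and new certificates are both valid (0 with percent=100)
            "overlap_days": (not_after - trigger).days,
        })
    return plan


# Constructed sample data: three routers with 2-year certificates, checked on 2024-06-01.
SAMPLE_CERTS = [
    ("R1", datetime(2023, 1, 1), datetime(2025, 1, 1)),
    ("R2", datetime(2024, 3, 1), datetime(2026, 3, 1)),
    ("R3", datetime(2022, 5, 1), datetime(2024, 5, 1)),
]
NOW = datetime(2024, 6, 1)

if __name__ == "__main__":
    for row in rollover_plan(SAMPLE_CERTS, 30, NOW):
        print(f"{row['router']}: {row['status']} (renews {row['trigger']:%Y-%m-%d}, "
              f"expires {row['expires']:%Y-%m-%d}, overlap {row['overlap_days']} days)")
```

With percent left at the default 100 the trigger equals the expiry date and the overlap is zero, which is the case that causes an outage; the 30 in the reply gives well over a year of overlap on a 2-year certificate.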

Hi,

Is this config for a new setup, or can I add it to the existing environment?

If I can add it to the existing environment, can I use the existing trustpoint, because our IKE profile is bound to the trustpoint name?

You can amend your existing trustpoint; you would need to enroll for a new certificate (to retrieve it from SCEP).

You should test in a lab with a short certificate lifetime to test the rollover. The router would need to be able to route to the SCEP server and retrieve the certificate using HTTP.

HTH