11-15-2004 04:17 AM
Dear all,
for our VPN clients connecting to our VPN3k concentrator we are using digital certificates (issued by our CA Netscape CMS). So far we didn't have problems, but now we have detected that our first certificates will expire in a few weeks.
What is the normal, recommended procedure for that? In the VPN client we can't see any button to initiate a certificate renewal. Is that a function the CA should provide somehow? Is there any way to renew a certificate more or less automatically? Or do we have to revoke and re-enroll all certificates manually?
Any comments are welcome.
Best regards,
Bernd
11-15-2004 07:17 AM
Hi Bernd
We have the same problem. We can't renew the certificates thru the VPN client software.
Due to this we need to reapply the certs each year.
If you find a solution, it would be nice to hear how you solved it.
/Brgds Stefan
11-16-2004 09:32 AM
Hi,
do you see the client certificate via Microsoft Management Console program (mmc.exe) on the client PC?
If yes, try to renew the certificate with this program.
Regards,
Milan
11-17-2004 03:01 AM
Dear Milan,
I cannot see the certificate there. How can I get that working? The VPN client certificate is in the Cisco store, all others in the Microsoft store!? What kind of certificate snap-in should I use? I guess I had to export my certificate from the VPN client, but what type of certificate (PFX, CER) should I use?
Best regards,
Bernd
11-18-2004 02:23 AM
Hi Bernd,
I've got no experience with the Cisco certificate store. (I considered it not secure enough when I realized in my lab it was possible to export a certificate without knowing the private key password and after importing it into another PC it worked OK.)
So I'm using Cisco VPN client with certificates left in the Microsoft store.
And Microsoft Management Console enables you to renew the certificate (with the same or new key).
Just an idea:
I'd try to export the certificate from the Cisco store to a file and import it into Microsoft store (it should support both .pfx and .cer, afaik).
Then I'd try to renew the certificate via MMC.
(I don't know renewing details - I'm playing with certificates a short time and I've got no certificate expired so far.)
The renewed certificate could be either left in the Microsoft store (and the VPN client connection entry modified to use a certificate from Microsoft store) or imported back to the Cisco store.
Sounds pretty complicated, doesn't it?
But it might work...
Best regards,
Milan
11-18-2004 03:51 AM
Dear Milan,
unfortunately I haven't been successful in importing the files exported from the VPN client. For me it seems that CISCO uses a proprietary format.
Best regards,
Bernd
11-18-2004 11:31 PM
Hi Bernd,
I've found an interesting bug CSCef69451 on CCO.
But generally, I've got a feeling there is no way to renew the certificate saved in the Cisco store.
When I looked at the documentation (http://www.cisco.com/en/US/customer/products/sw/secursw/ps2308/products_user_guide_chapter09186a008031f1c5.html#wp1230419), I found the following note:
"The current date is after the certificate's valid end date. You need to enroll for a new certificate."
So I'd try to open a TAC case and ask whether there is really no way to renew an expired VPN client certificate.
Regards,
Milan
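
For certificates kept in the Microsoft store, as in the setup described in this thread, the sketch below lists client-authentication certificates and flags the ones that should be renewed before the end date, after which the quoted documentation note says a new enrollment is needed. It is an added example, not part of any post in the thread; the function name `Get-VpnCertExpiry` and the 30-day window are assumptions, and it needs Windows PowerShell 3.0 or later.

```powershell
# Added example: expiry inventory for the Microsoft certificate store.
# Function name and the 30-day warning window are assumptions.
function Get-VpnCertExpiry {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    Get-ChildItem -Path $StorePath | Where-Object {
        # Keep certificates usable for client authentication.
        # A certificate with no EKU extension is valid for any purpose.
        $ekus = @($_.EnhancedKeyUsageList | Where-Object { $_ })
        $oids = @($ekus | ForEach-Object { $_.ObjectId })
        ($ekus.Count -eq 0) -or ($oids -contains $clientAuthOid)
    } | ForEach-Object {
        $daysLeft = [math]::Floor(($_.NotAfter - $Now).TotalDays)
        $action = if ($_.NotAfter -lt $Now) {
            # Past the valid end date: renewal is no longer an option.
            'Expired: enroll for a new certificate'
        } elseif ($daysLeft -le $WarnDays) {
            'Renew now'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysLeft      = $daysLeft
            # Renewing with the same key requires the private key on this PC.
            HasPrivateKey = $_.HasPrivateKey
            Action        = $action
        }
    } | Sort-Object NotAfter
}

Get-VpnCertExpiry -WarnDays 30 |
    Format-Table Subject, NotAfter, DaysLeft, HasPrivateKey, Action -AutoSize
```

Certificates held only in the Cisco store are not visible to this script.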