
Certificate Renewal Process

berndtonn
Level 1

Dear all,

for our VPN clients connecting to our VPN3k concentrator we are using digital certificates (issued by our CA Netscape CMS). So far we didn't have problems, but now we have detected that our first certificates will expire in a few weeks.

What is the normal, recommended procedure for that? In the VPN client we can't see any button to initiate a certificate renewal. Is that a function the CA should provide somehow? Is there any way to renew a certificate more or less automatically? Or do we have to revoke and re-enroll all certificates manually?

Any comments are welcome.

Best regards,

Bernd

6 Replies

Hi Bernd

We have the same problem. We can't renew the certificates thru the VPN client software.

Due to this we need to reapply the certs each year.

If you find a solution, it would be nice to hear how you solved it.

/Brgds Stefan

milan.kulik
Level 10

Hi,

do you see the client certificate via Microsoft Management Console program (mmc.exe) on the client PC?

If yes, try to renew the certificate with this program.

Regards,

Milan

Dear Milan,

I can not see the certificate there. How can I get that working? The VPN client certificate is in the Cisco store, all others in the Microsoft store!? What kind of certificate snap-in should I use? I guess I had to export my certificate from the VPN client, but what type of certificate (PFX, CER) should I use?

Best regards,

Bernd

Hi Bernd,

I've got no experience with the Cisco certificate store. (I considered it not secure enough when I realized in my lab it was possible to export a certificate without knowing the private key password and after importing it into another PC it worked OK.)

So I'm using Cisco VPN client with certificates left in the Microsoft store.

And Microsoft Management Console enables you to Renew the certificate (with the same or new key).

Just an idea:

I'd try to export the certificate from the Cisco store to a file and import it into Microsoft store (it should support both .pfx and .cer, afaik).

Then I'd try to renew the certificate via MMC.

(I don't know the renewing details - I've been playing with certificates only a short time and I've had no certificate expire so far.)

The renewed certificate could be either left in the Microsoft store (and the VPN client connection entry modified to use a certificate from Microsoft store) or imported back to the Cisco store.

Sounds pretty complicated, doesn't it?

But it might work...

Best regards,

Milan

Dear Milan,

unfortunately I haven't been successful in importing the files exported from the VPN client. To me it seems that Cisco uses a proprietary format.

Best regards,

Bernd

Hi Bernd,

I've found an interesting bug CSCef69451 on CCO.

But generally, I've got a feeling there is no way to renew the certificate saved in the Cisco store.

When I looked at the documentation (http://www.cisco.com/en/US/customer/products/sw/secursw/ps2308/products_user_guide_chapter09186a008031f1c5.html#wp1230419), I found the following note:

"The current date is after the certificate's valid end date. You need to enroll for a new certificate."

So I'd try to open a TAC case and ask whether there is really no way to renew an expired VPN client certificate.

Regards,

Milan