Cisco router running as certificate server has lost public key

Richard Tapp
Level 1

We have been running two separate certificate servers for approx two years without issue.

One of them did a forced reload the other night and from what I can tell it has lost one or both of its keys.

Does anyone know if I can reapply them? I tried to re-import them from backup, which seemed to complete, but they are still not showing.


DC-xx-xxx-RT2#sh cry pki ser
Certificate Server dmvpn-xx-RT2:
    Status: disabled, Server key not found, waiting for (offline) key
    State: check failed
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=xxVPNCERT
    CA cert fingerprint: 1445C473 112DBE81 F01EFA73 F38383FD
    Granting mode is: auto
    Last certificate issued serial number (hex): 0
    CA certificate expiration timer: 00:00:00 UTC Jan 1 1970
    CRL not present.
    Current primary storage dir: nvram
    Database Level: Minimum - no cert data written to storage
    Auto-Rollover configured, overlap period 50 days
DC-xx-xxx-RT2#

These files are in nvram:

DC-xx-xxx-RT2#dir nvram:
Directory of nvram:/

    31  -rw-          32                    <no date>  dmvpn-xx-RT2.ser
    34  -rw-         219                    <no date>  dmvpn-xx-RT2.crl
    35  -rw-        1523                    <no date>  dmvpn-xx-RT2_00004.p12
    44  -rw-        1523                    <no date>  dmvpn-xx-RT2_00001.p12

Only TP-self-signed keys are showing. The other router has two extra keys for the certificate server RSA keys.

sh cry key mypubkey rsa

Key name: TP-self-signed-xxxxxxx
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  "removed"


Key name: TP-self-signed-xxxxxxx.server
Key type: RSA KEYS
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
 "removed"

3 Replies

Rahul Govindan
VIP Alumni

Looks like you might just need to import the p12 certificate back into the CA trustpoint in order for the keys to be saved. Did you try this step? This is documented in the IOS CA backup and restore document here:

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-124-mainline/82153-backup-restore-ios-ca.html#configs2

Thanks Rahul, getting a little further. I managed to import the p12 from nvram:, recreate the server, and it is now up.

But all tunnels still say MM_KEY_EXCH

So does your CA server also act as a headend device? You might have to re-enroll it to itself. Or you might have to import the issued certificate back on the same router in another trustpoint.

If that's all there, I would run the following debugs:

1) debug crypto isakmp

2) debug crypto pki trans

3) debug crypto pki message
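Two checks a practitioner would want before going as far as the debugs above, covering both replies in this thread (the p12 restore Rahul's link describes, and the "re-enroll to itself" question behind the MM_KEY_EXCH tunnels): does the p12 backup actually contain the CA private key, and does the headend's identity certificate still validate against the restored CA certificate? The script below is an added example, not code from the thread or from Cisco, and runs on a workstation with the openssl CLI. It builds its own throwaway CA rather than touching a router, so the passphrase, file names and CNs (xxVPNCERT, DC-xx-xxx-RT2, good.p12, certonly.p12) are made-up stand-ins; only the fingerprint grouping mimics what "show crypto pki server" prints.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): offline sanity checks for
# an IOS CA PKCS#12 backup and a headend identity certificate, using openssl.
# A throwaway CA is generated so this runs without a router; the passphrase,
# file names and CNs below are assumed stand-ins, not values from the thread.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="backup-passphrase"   # assumed export passphrase (IOS requires one)

# Throwaway CA key + self-signed cert, bundled the way an IOS
# "crypto pki export <name> pkcs12 <url> password <pass>" backup is.
make_sample_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=xxVPNCERT" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
    -name "dmvpn-xx-RT2" -passout "pass:$PASS" -out "$WORK/good.p12"
  # A bundle holding only the certificate: importing this restores nothing the
  # server can sign with, which is what "Server key not found" looks like.
  openssl pkcs12 -export -nokeys -in "$WORK/ca.crt" \
    -passout "pass:$PASS" -out "$WORK/certonly.p12"
}

# Prints key-present, key-missing or key-mismatch for a bundle, so a backup can
# be trusted before it is copied to nvram: and imported.
check_p12() {
  key="$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null)"
  crt="$(openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null)"
  case "$key" in *"PRIVATE KEY"*) ;; *) echo key-missing; return 1 ;; esac
  pub_from_key="$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)"
  pub_from_crt="$(printf '%s\n' "$crt" | openssl x509 -pubkey -noout 2>/dev/null)"
  if [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ]; then
    echo key-present; return 0
  fi
  echo key-mismatch; return 1
}

# MD5 fingerprint in the four-group layout "show crypto pki server" uses, so a
# restored CA cert can be compared against the value noted before the reload.
cisco_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -md5 \
    | sed 's/^.*=//; s/://g; s/\(.\{8\}\)/\1 /g; s/ $//'
}

# One identity cert issued by the sample CA, and one issued by a CA that was
# merely recreated with the same issuer name but a fresh key pair (the result
# of "crypto pki server" brought up without importing the backup first).
make_identity_certs() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=DC-xx-xxx-RT2" \
    -keyout "$WORK/id.key" -out "$WORK/id.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/id.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 1 -days 365 -sha256 -out "$WORK/id.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=xxVPNCERT" -keyout "$WORK/newca.key" -out "$WORK/newca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/id.csr" -CA "$WORK/newca.crt" -CAkey "$WORK/newca.key" \
    -set_serial 1 -days 365 -sha256 -out "$WORK/id-newca.crt" 2>/dev/null
}

# Prints chain-ok if the identity cert validates against the CA cert, chain-fail
# otherwise. Issuer names match in both cases; only the signing key differs,
# which is exactly why a same-named but re-keyed CA forces a re-enroll.
verify_against_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo chain-ok; return 0; fi
  echo chain-fail; return 1
}

make_sample_ca
make_identity_certs
echo "good.p12:               $(check_p12 "$WORK/good.p12" "$PASS")"
echo "certonly.p12:           $(check_p12 "$WORK/certonly.p12" "$PASS")"
echo "CA cert fingerprint:    $(cisco_fingerprint "$WORK/ca.crt")"
echo "id.crt vs ca.crt:       $(verify_against_ca "$WORK/ca.crt" "$WORK/id.crt")"
echo "id-newca.crt vs ca.crt: $(verify_against_ca "$WORK/ca.crt" "$WORK/id-newca.crt")"
```

Point check_p12 at a copy of the real backup (with the passphrase used at export time) before restoring it; a key-missing result means the bundle will never bring the server out of "waiting for (offline) key" no matter how many times it is imported. On the router side the documented restore is "crypto pki import <name> pkcs12 <url> password <pass>" into the CA's trustpoint, after which the server can be unshut. If the p12 checks out but the headend's identity cert returns chain-fail against the restored CA cert, the cert was signed by a different key than the one now on the box, and re-enrolling the headend to itself is the fix rather than chasing the ISAKMP debugs.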