03-14-2017 03:13 AM
We have been running two separate certificate servers for approx two years without issue.
One of them did a forced reload the other night and from what I can tell it has lost one or both of its keys.
Does anyone know if I can reapply them? I tried to re-import them from backup, which seemed to complete, but they are still not showing:
DC-xx-xxx-RT2#sh cry pki ser
Certificate Server dmvpn-xx-RT2:
Status: disabled, Server key not found, waiting for (offline) key
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=xxVPNCERT
CA cert fingerprint: 1445C473 112DBE81 F01EFA73 F38383FD
Granting mode is: auto
Last certificate issued serial number (hex): 0
CA certificate expiration timer: 00:00:00 UTC Jan 1 1970
CRL not present.
Current primary storage dir: nvram
Database Level: Minimum - no cert data written to storage
Auto-Rollover configured, overlap period 50 days
DC-xx-xxx-RT2#
These files are in nvram:
DC-xx-xxx-RT2#dir nvram:
Directory of nvram:/
31 -rw- 32 <no date> dmvpn-xx-RT2.ser
34 -rw- 219 <no date> dmvpn-xx-RT2.crl
35 -rw- 1523 <no date> dmvpn-xx-RT2_00004.p12
44 -rw- 1523 <no date> dmvpn-xx-RT2_00001.p12
Only TP-self-signed keys are showing. The other router has two extras for the certificate server RSA keys:
sh cry key mypubkey rsa
Key name: TP-self-signed-xxxxxxx
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
"removed"
Key name: TP-self-signed-xxxxxxx.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
"removed"
03-14-2017 04:29 AM
Looks like you might just need to import the p12 certificate back into the CA trustpoint in order for the keys to be saved. Did you try this step? This is documented in the IOS CA backup and restore document here:
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-124-mainline/82153-backup-restore-ios-ca.html#configs2
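Before re-importing a .p12 archive into the trustpoint, it is worth confirming on a workstation that the backup actually contains the CA private key and that its certificate matches the "CA cert fingerprint" the router prints (a 16-byte MD5 fingerprint in four groups). The script below is an added example, not from this thread or from Cisco's document: it builds a constructed stand-in CA and archive with openssl, then checks an archive the way you would check the real one copied off nvram:. The names, the password and the directory layout are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a PKCS#12 CA backup
# before re-importing it into an IOS trustpoint. Assumes openssl is on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=constructed-example-password   # constructed placeholder, not a real password

# Constructed stand-in for the router's CA: a self-signed cert plus key,
# exported to .p12 much as an IOS 'database archive pkcs12' backup would be.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=xxVPNCERT" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl pkcs12 -export -in "$WORK/ca.crt" -inkey "$WORK/ca.key" \
  -name "dmvpn-xx-RT2" -passout "pass:$PASS" -out "$WORK/backup.p12"

# Print a certificate's MD5 fingerprint in IOS style: four groups of 8 hex digits.
ios_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -md5 \
    | sed 's/.*=//; s/://g' \
    | sed 's/\(........\)\(........\)\(........\)\(........\)/\1 \2 \3 \4/'
}

# verify_p12 FILE PASSWORD EXPECTED_FINGERPRINT
# Prints "ok" when the archive opens, holds a private key, and its certificate's
# fingerprint matches the one 'show crypto pki server' reports; otherwise prints
# an error and returns 1.
verify_p12() {
  p12=$1; pass=$2; expected=$3
  tmp=$(mktemp -d)
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -out "$tmp/all.pem" 2>/dev/null; then
    echo "error: cannot open archive (wrong password or corrupt file)"
    rm -rf "$tmp"; return 1
  fi
  if ! grep -q 'PRIVATE KEY' "$tmp/all.pem"; then
    echo "error: archive has no private key; importing it will not restore the server key"
    rm -rf "$tmp"; return 1
  fi
  # openssl x509 skips the key block and reads the first CERTIFICATE block.
  openssl x509 -in "$tmp/all.pem" -out "$tmp/cert.pem" 2>/dev/null
  actual=$(ios_fingerprint "$tmp/cert.pem")
  rm -rf "$tmp"
  if [ "$actual" != "$expected" ]; then
    echo "error: fingerprint $actual does not match expected $expected"
    return 1
  fi
  echo ok
}

# Demonstration on the constructed archive; for a real backup, pass the file
# copied from nvram:, its archive password, and the fingerprint from the router.
verify_p12 "$WORK/backup.p12" "$PASS" "$(ios_fingerprint "$WORK/ca.crt")"
```

If the archive opens but reports no private key, re-importing it will only put a certificate in the trustpoint and the server will stay in the "Server key not found" state shown above; a fingerprint mismatch means the backup belongs to a different CA generation (for example one produced after a rollover), so check the other `_0000N.p12` files in nvram: before importing.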
03-14-2017 05:15 AM
Thanks Rahul, getting a little further. I managed to import the p12 from nvram:, recreate the server, and it is now up.
But all tunnels still say MM_KEY_EXCH
03-14-2017 07:11 AM
So does your CA server also act as a headend device? You might have to re-enroll it to itself. Or you might have to import the issued certificate back on the same router in another trustpoint.
If that's all there, I would run the following debugs:
1) debug crypto isakmp
2) debug crypto pki trans
3) debug crypto pki message