10-22-2010 11:26 AM
When creating the IOS CA server, when the database url command was added, I received the message (in blue below).
QUESTION: What does this message mean and how do I address the statement? How do I move the existing database to the new location? What is the source location? Hints would be nice but exact CLI would be greatly appreciated!!
Thanks again
Frank
R1(config)#crypto key generate rsa general-keys label Eight-miles modulus 1024 exportable
R1(config)#crypto key export rsa Eight-miles pem url nvram: 3des Pr0tectM3
R1(config)#crypto pki server Eight-miles
R1(cs-server)#database level complete
R1(cs-server)#database url nvram
% Server database url was changed. You need to move the
% existing database to the new location.
10-22-2010 12:36 PM
Frank,
If this is a new deployment did you already unshut the server prior to configuring url?
It's safe to say that if server was shut down while you were configuring it initially nothing was saved at "old" location.
This is there for people who might for example decide that they would like to move their cert files to an external location or to flash: etc etc.
You need to move existing database manually to make sure CA server is working properly after database URL changed.
Marcin
10-22-2010 12:50 PM
Marcin,
I just tried to do that and I got the same error message; it does not let you specify a database if the CA is running.
Mike
10-22-2010 12:56 PM
Mike,
I don't believe you can make any CLI changes to CA server unless you shut it down :-)
At least that's my recollection.
What I was asking, in fact was, if they unshut it at any time before configuring the URL.
Marcin
10-22-2010 01:34 PM
Yeah, you are right, I misunderstood your post then, but funny thing, you saw the post below? If you specify which files are going to the specified location, the error is not shown ....
Cheers
Mike
10-22-2010 12:54 PM
Hello,
If you specify what kind of files are going to the NVRAM, the message disappears; for example, if you tell the router to save the CRL on the NVRAM the problem goes away.
Router(cs-server)#database url pem nvram
Router(cs-server)#database url nvram
% Server database url was changed. You need to move the
% existing database to the new location.
Router(cs-server)#
Hope it helps
Mike
10-25-2010 05:34 PM
Great so I just need to specify the file type. I can do that!!! THANKS!
Also, I only have 2 routers in my setup (I.E. R1 and R2)
R1 g0/0 is directly connected to R2 g0/0
R1 g0/0 192.168.1.1 /24
R2 g0/0 192.168.1.2 /24
Can either of these two routers also perform as the PKI CA server?
OR do I need at least three routers?
EXAMPLE:
R1 will be an IPsec VPN peer to R2 both using rsa-sig PKI authentication.
R1 will also perform the PKI CA server functions.
R1 will also manually "grant" certificates to R1 as well as R2. (perhaps later I will change to automatic granting)
I just cannot get the 2 router setup working.
Thanks again
Frank
10-26-2010 12:08 AM
Frank,
Yes, CA router can participate in IPsec - with certificates from itself, two BUTs:
- It's not best practice
- Remember to enroll the CA router to itself (you need to have both Identity and CA cert present)
Marcin
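The two points above (Mike's per-file-type `database url` answer and Marcin's note that the CA router must enrol to itself before it can be an IPsec rsa-sig peer) are pulled together here in one IOS configuration sequence. This is an added example, not configuration posted in the thread or taken from Cisco's guides; it reuses the server name and IP addressing from Frank's posts, while the trustpoint name `R1-ID`, the key label, the subject name, the 2048-bit modulus and the request id `1` are assumed for illustration. Exact keyword availability varies by IOS release, so check each command against your platform's `?` help before relying on it.

```cisco
! === R1: IOS CA server with per-file-type database locations ===
! (added example; names other than Eight-miles and the 192.168.1.x
!  addresses are assumptions, not values from the thread)
crypto key generate rsa general-keys label Eight-miles modulus 2048 exportable
!
! SCEP enrollment runs over the router's own HTTP server
ip http server
!
crypto pki server Eight-miles
 database level complete
 ! Naming the file class avoids the "% Server database url was changed"
 ! warning, because no unqualified default location is being moved.
 ! ser = serial-number counter, crl = revocation list,
 ! cnm = certificate name map, crt = issued certificates
 database url ser nvram:
 database url crl nvram:
 database url cnm nvram:
 database url crt flash:
 no shutdown
!
! If a location is changed later while files already exist, the server
! must be shut down and the files copied by hand, e.g. (file names assumed;
! confirm with "dir nvram:" / "dir flash:"):
!   copy flash:Eight-miles.crl nvram:
!
! === R1 enrolling to its own CA ===
! The server auto-creates a trustpoint named Eight-miles that holds only
! the CA certificate; the router identity needs a second trustpoint that
! enrolls over HTTP to its own address.
crypto key generate rsa general-keys label R1-ID modulus 2048
crypto pki trustpoint R1-ID
 enrollment url http://192.168.1.1:80
 subject-name CN=R1,O=lab
 rsakeypair R1-ID
 revocation-check none
!
! exec mode: import the CA certificate, then request the identity certificate
crypto pki authenticate R1-ID
crypto pki enroll R1-ID
!
! Manual granting, as Frank intends: list pending requests, approve by id
crypto pki server Eight-miles info requests
crypto pki server Eight-miles grant 1
!
! R2 is configured the same way (trustpoint with enrollment url
! http://192.168.1.1:80) and its request is granted on R1 in the same manner.
!
! === IKE phase 1 on both peers: authenticate with the issued certificates ===
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
```

Before bringing up the tunnel, `show crypto pki certificates R1-ID` on R1 should list both the CA certificate and a router (identity) certificate; if only the CA certificate is present, the self-enrollment step was skipped or the request was never granted, which is exactly the failure mode Marcin's second "BUT" warns about.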
10-26-2010 06:12 AM
Great, at least I have this part understood.
I am using many different documents to understand and configure PKI.
My goal is to get PKI working in my work lab and then move into production once better understood.
I am referencing these two docs, perhaps there is something better that YOU could recommend.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.pdf
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html
I also tried the CCIE Security Cisco Press book but that was no help at all.
Thanks again
Frank
10-26-2010 07:45 AM
Frank,
I always direct people here when planning PKI deployments:
This whole tree of the configuration guide contains more info than you can shake a stick at ;-)
Please make sure you mark this thread as answered ;-)
Marcin