Configuring the Cisco IOS CA Server message

fsebera
Level 4

When creating the IOS CA server, when the database url command was added, I received the message (in blue below).

QUESTION: What does this message mean and how do I address the statement? How do I move the existing database to the new location? What is the source location? Hints would be nice but exact CLI would be greatly appreciated!!

Thanks again

Frank

R1(config)#crypto key generate rsa general-keys label Eight-miles modulus 1024 exportable
R1(config)#crypto key export rsa Eight-miles pem url nvram: 3des Pr0tectM3
R1(config)#crypto pki server Eight-miles
R1(cs-server)#database level complete
R1(cs-server)#database url nvram
% Server database url was changed. You need to move the
% existing database to the new location.


Marcin Latosiewicz
Cisco Employee

Frank,

If this is a new deployment, did you already unshut the server prior to configuring the url?

It's safe to say that if the server was shut down while you were configuring it initially, nothing was saved at the "old" location.

This is there for people who might, for example, decide that they would like to move their cert files to an external location or to flash: etc etc.

You need to move the existing database manually to make sure the CA server is working properly after the database URL is changed.

Marcin

Marcin,

I just tried to do that and I got the same error message, it does not let you specify a database if the CA is running.

Mike

Mike,

I don't believe you can make any CLI changes to the CA server unless you shut it down :-)

At least that's my recollection.

What I was asking, in fact, was if they unshut it at any time before configuring the URL.

Marcin

Yeah, you are right, I misunderstood your post then, but funny thing, you saw the post below? If you specify which files are going to the specified location, the error is not shown ....

Cheers

Mike

Maykol Rojas
Cisco Employee

Hello,

If you specify what kind of files are going to the NVRAM, the message disappears; for example, if you tell the router to save the CRL on the NVRAM the problem goes away.

Router(cs-server)#database url pem nvram
Router(cs-server)#database url nvram
% Server database url was changed. You need to move the
% existing database to the new location.
Router(cs-server)#

Hope it helps

Mike

Great so I just need to specify the file type. I can do that!!! THANKS!

Also, I only have 2 routers in my setup (i.e. R1 and R2)

R1 g0/0 is directly connected to R2 g0/0

R1 g0/0 192.168.1.1 /24

R2 g0/0 192.168.1.2 /24

Can either of these two routers also perform as the PKI CA server?

OR do I need at least three routers?

EXAMPLE:

R1 will be an IPsec VPN peer to R2 both using rsa-sig PKI authentication.

R1 will also perform the PKI CA server functions.

R1 will also manually "grant" certificates to R1 as well as R2. (perhaps later I will change to automatic granting)

I just cannot get the 2 router setup working.

Thanks again

Frank

Frank,

Yes, the CA router can participate in IPsec with certificates from itself, with two BUTs:

- It's not best practice

- Remember to enroll the CA router to itself (you need to have both Identity and CA cert present)

Marcin
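Putting Maykol's answer and Marcin's two replies together, here is an added IOS configuration example that is not from any of the posts above: the CA server is configured while still shut down, each database file type is pointed at nvram: explicitly (the form Maykol shows suppresses the "move the existing database" message), and the CA router then enrolls to itself through a second trustpoint over its own HTTP server so that both the CA and the identity certificate are present. The server name Eight-miles, the key label, and the address 192.168.1.1 come from Frank's posts; the trustpoint name R1-self and the subject name CN=R1 are assumptions.

```text
! --- CA server: keep it shut down while 'database url' is set ---
crypto key generate rsa general-keys label Eight-miles modulus 1024 exportable
crypto pki server Eight-miles
 database level complete
 ! one explicit url per file type instead of a single 'database url nvram'
 database url crl nvram:
 database url crt nvram:
 database url ser nvram:
 database url cnm nvram:
 database url p12 nvram:
 database url pem nvram:
 ! bring the server up only after the storage location is final;
 ! IOS prompts for a passphrase that protects the CA private key
 no shutdown
!
! the CA answers enrollment requests (SCEP) over its own HTTP server
ip http server
!
! --- second trustpoint so R1 obtains an identity cert from its own CA ---
! (the trustpoint auto-created with the name Eight-miles holds only the
!  CA certificate; 'R1-self' is an assumed name)
crypto pki trustpoint R1-self
 enrollment url http://192.168.1.1:80
 subject-name CN=R1
 revocation-check crl
!
! then, from exec mode (manual granting, as Frank plans to do):
! crypto pki authenticate R1-self               <- fetch and verify the CA cert
! crypto pki enroll R1-self                     <- submit the request to itself
! crypto pki server Eight-miles info requests   <- list the pending request
! crypto pki server Eight-miles grant all       <- approve it
! show crypto pki certificates R1-self          <- expect both CA and ID cert
```

The check that matters before configuring R1 as an IPsec peer with rsa-sig is the last command: the trustpoint must list both the CA certificate and R1's own certificate, otherwise the IKE authentication will fail.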

Great, at least I have this part understood.

I am using many different documents to understand and configure PKI.

My goal is to get PKI working in my work lab and then move into production once better understood.

I am referencing these two docs, perhaps there is something better that YOU could recommend.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.pdf

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html

I also tried the CCIE Security Cisco Press book but that was no help at all.

Thanks again

Frank

Frank,

I always direct people here when planning PKI deployments:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_pki_overview_ps6441_TSD_Products_Configuration_Guide_Chapter.html

This whole tree of the configuration guide contains more info than you can shake a stick at ;-)

Please make sure you mark this thread as answered ;-)

Marcin
