09-09-2013 06:35 AM - edited 02-21-2020 07:08 PM
Hello
I am trying to open an IPsec tunnel between 2 Cisco 3800 Routers, using an additional 3800 Router as the CA server.
Before I added the CA server everything went smoothly.
Attached are my setup, the debug output from the CA server, and the router configuration.
It seems that the routers don't receive the certificate from the CA Router (R3), because I see the certificate is pending in the status:
R3#
R3#show crypto pki certificate verbose cisco
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco1.cisco.com L\=RTP C\=US
  Subject:
    cn=cisco1.cisco.com L\=RTP C\=US
  Validity Date:
    start date: 10:12:13 UTC Sep 8 2013
    end date: 10:12:13 UTC Sep 7 2016
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
  Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 56F091F7 7016A63F 89B46900 B13E6719 8B0D548E
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 56F091F7 7016A63F 89B46900 B13E6719 8B0D548E
    Authority Info Access:
  Associated Trustpoints: cisco
  Storage: nvram:cisco1ciscoc#4CA.cer
R3#
I'd appreciate your assistance, and I will send additional evidence if necessary.
Thanks
Roee
09-11-2013 02:46 AM
I haven't looked at your configuration, but according to your description it sounds like you haven't approved the pending certificate requests on your CA router. Here are the commands that you need:
To view pending requests:
crypto pki server "CA router" info requests
To grant pending requests:
crypto pki server "CA router" grant all
09-11-2013 05:25 AM
Thank you very much.
In my router the commands are :
crypto pki server "cisco1"
grant auto
09-12-2013 07:24 AM
I recommend that you configure NTP on the CA router. Whenever you use digital certificates you need to make sure that your devices all agree on a common time, and NTP is the easiest way to do that.
It would also help if you posted the current configuration of all 3 routers.
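The replies above boil down to two checks on each router's `show crypto pki certificate verbose` output: is the certificate actually issued (Status: Available rather than Pending), and does its validity window agree with the router's clock, which is why NTP matters. The script below is an added example, not code from this thread or from Cisco. It parses that show output as quoted in the question (the CA certificate block is reproduced verbatim as sample input; the second, pending-certificate sample is constructed to stand in for the routers' unissued certificates) and reports what an engineer would want flagged before trusting the trustpoint: incomplete enrollment, a clock outside the validity window, and, going beyond the thread's specific problem, the 512-bit RSA key and MD5 signature that the quoted CA certificate actually carries.

```python
"""Audit the output of 'show crypto pki certificate verbose' from a Cisco IOS router.

Added example, not code from the thread or from Cisco. It parses the text
dump, pulls out the fields that decide whether a trustpoint is usable, and
reports the checks a defender wants before bringing the tunnel up.
"""
import re
from datetime import datetime, timezone

# Sample 1: the CA certificate as quoted in the question (raw string keeps the L\= escapes).
CA_SAMPLE = r"""
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco1.cisco.com L\=RTP C\=US
  Subject:
    cn=cisco1.cisco.com L\=RTP C\=US
  Validity Date:
    start date: 10:12:13 UTC Sep 8 2013
    end date: 10:12:13 UTC Sep 7 2016
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Associated Trustpoints: cisco
"""

# Sample 2: constructed stand-in for a router certificate whose enrollment
# request has not yet been granted by the CA (the symptom in the question).
PENDING_SAMPLE = r"""
Certificate
  Status: Pending
  Key Usage: General Purpose
  Associated Trustpoint: cisco
"""

IOS_DATE_FMT = "%H:%M:%S UTC %b %d %Y"  # e.g. "10:12:13 UTC Sep 8 2013"


def parse_ios_date(text):
    """Turn an IOS validity timestamp into an aware UTC datetime."""
    return datetime.strptime(text.strip(), IOS_DATE_FMT).replace(tzinfo=timezone.utc)


def parse_certificate(dump):
    """Extract the audit-relevant fields; a field absent from the dump is None."""
    def grab(pattern):
        m = re.search(pattern, dump, re.MULTILINE)
        return m.group(1).strip() if m else None

    start = grab(r"^\s*start date:\s*(.+)$")
    end = grab(r"^\s*end\s+date:\s*(.+)$")
    bits = grab(r"RSA Public Key:\s*\((\d+) bit\)")
    return {
        "status": grab(r"^\s*Status:\s*(\S+)"),
        "key_bits": int(bits) if bits else None,
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(.+)$"),
        "not_before": parse_ios_date(start) if start else None,
        "not_after": parse_ios_date(end) if end else None,
        "trustpoint": grab(r"Associated Trustpoints?:\s*(\S+)"),
    }


def audit(cert, now):
    """Return a list of findings for one parsed certificate; empty means it passed."""
    findings = []
    if cert["status"] != "Available":
        findings.append(f"status is {cert['status']!r}: enrollment not complete, "
                        "grant the request on the CA (or enable 'grant auto')")
    if cert["key_bits"] is not None and cert["key_bits"] < 2048:
        findings.append(f"RSA key is only {cert['key_bits']} bits; use 2048 or more")
    if cert["sig_alg"] and re.search(r"MD5|SHA-?1\b", cert["sig_alg"], re.IGNORECASE):
        findings.append(f"weak signature hash: {cert['sig_alg']}")
    if cert["not_before"] and now < cert["not_before"]:
        findings.append("not yet valid: this router's clock is behind the CA, configure NTP")
    if cert["not_after"] and now > cert["not_after"]:
        findings.append("expired (or this router's clock is ahead): check the clock and renew")
    return findings


if __name__ == "__main__":
    clock = datetime(2013, 9, 12, tzinfo=timezone.utc)  # the date of this thread
    for label, dump in (("CA cert", CA_SAMPLE), ("router cert", PENDING_SAMPLE)):
        for finding in audit(parse_certificate(dump), clock) or ["OK"]:
            print(f"{label}: {finding}")
```

Paste the output of `show crypto pki certificate verbose <trustpoint>` from each router into a string in place of the samples; the `now` argument should be the router's own `show clock` value rather than the workstation's, since the point of the time check is whether that router would accept the certificate.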