01-10-2011 11:30 PM
Hi Experts,
We have a customer setup running a Cisco Virtual Office (CVO) VPN configuration on a Cisco 3845 router, which is also acting as the CA server. Due to an issue with the motherboard and the AIM-VPN/SSL3 card, we did an RMA and replaced both of them. After that, we noticed that the site-to-site CVO VPN is not coming up. Upon troubleshooting, we found that the CA certificate validation is failing on the Cisco 3845 head-end router, which reports the following:
VPN-RTR-01 (config)#Do sh cry pki ser
Certificate Server pki-server:
Status: disabled, Failed to validate selfsigned CA certificate
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=pki-server,ou=cvo,o=cisco
CA cert fingerprint: 36EE85F8 019A46D0 DA8A45C0 A321371C
Granting mode is: manual
Last certificate issued serial number: 0x5B
CA certificate expiration timer: 13:39:58 UTC Nov 27 2015
CRL NextUpdate timer: 07:40:00 UTC Jan 6 2011
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
As per the Cisco guidelines, we had taken a backup of the certificates from the NVRAM of the old router and uploaded it to the new router, but we are still not able to bring it up. Any ideas what is wrong and how it can be rectified? I am attaching a partial PKI configuration here.
01-11-2011 05:57 PM
Were the CA rsa keys manually created and non-exportable?
It is not possible to manually back up a server that uses non-exportable RSA keys or manually generated non-exportable RSA keys. Although automatically generated RSA keys are marked as non-exportable, they are automatically archived once.
Also, did you follow this guide to back up and restore? Did you use the PEM or PKCS12 format to archive? Can you check whether the PEM cert has the RSA keys in it or not? Also check whether the same RSA keys are present on the current router.
http://www.cisco.com/en/US/products/ps6350/products_configuration_example09186a00807f98ff.shtml
01-12-2011 12:58 AM
Hi Rahul,
We have manually created the keys. However, we haven't used the "exportable" keyword, so I think we generated non-exportable keys. The format used for backing up is PKCS12. We had referred to the same link you mentioned in your post. We even tried the command "crypto ca certificate validate", but it says it cannot validate a self-signed certificate. What do you suggest?
01-12-2011 09:21 AM
I believe you would need to generate new CA certificates signed by new keys on the CA server. Unfortunately, manually generated non-exportable keys will not allow the CA server to be backed up, as the keys are different. Do you still have the old router with you? If so, please check if you are able to export the RSA keys and import them into the new router.
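For reference, the following is an added example (not taken from this thread or from the linked Cisco document) of the backup and restore procedure the replies above describe, written as IOS CLI. It shows the two things that were missing in the original setup: the key pair is generated with the "exportable" keyword, and the CA server is told to archive its certificate and key pair on first start so the archive can be copied off the chassis. The label pki-server and the issuer name are taken from the thread; the TFTP server 192.0.2.10, the modulus size, the passwords, and the "database level complete" setting are assumptions for illustration. This only helps a CA whose keys were created exportable; a CA that was built with non-exportable keys, as in this thread, cannot be recovered this way, and the last reply's advice (new keys and a new CA certificate, re-enrolling the spokes) is what remains.

```text
! ===== On the CA router, before any hardware failure =====
! Generate the CA key pair WITH the "exportable" keyword. A key generated
! without it can never be exported or archived, which is the situation
! described in this thread. (Label from the thread; modulus is an assumption.)
crypto key generate rsa general-keys label pki-server modulus 2048 exportable
!
! Bind the CA trustpoint to that key pair.
crypto pki trustpoint pki-server
 rsakeypair pki-server
!
! Configure the CA server. "database archive" makes the server write its
! CA certificate and key pair as pki-server.p12 into the database location
! the first time it is started; the password protects that PKCS12 file.
! (Archive and export passwords are placeholders.)
crypto pki server pki-server
 database url nvram:
 database level complete
 database archive pkcs12 password Archive-Pass-1
 issuer-name cn=pki-server,ou=cvo,o=cisco
 grant manual
 no shutdown
!
! Copy the archive and the server's bookkeeping files off the chassis so
! they survive an RMA: the PKCS12 archive, the serial-number file and the CRL.
! (TFTP server address is an assumption.)
copy nvram:pki-server.p12 tftp://192.0.2.10/pki-server.p12
copy nvram:pki-server.ser tftp://192.0.2.10/pki-server.ser
copy nvram:pki-server.crl tftp://192.0.2.10/pki-server.crl
!
! If the archive was never taken but the key pair is exportable, the same
! material can be exported on demand:
crypto pki export pki-server pkcs12 tftp://192.0.2.10/pki-server.p12 Export-Pass-1
!
! ===== On the replacement router =====
! Import the CA certificate together with its private key before creating
! the server. Restoring only the certificate (what the original poster did)
! leaves the server unable to validate its own self-signed certificate,
! because the private key that signed it is not present.
crypto pki import pki-server pkcs12 tftp://192.0.2.10/pki-server.p12 Archive-Pass-1
!
! Restore the serial-number and CRL files so the server does not reuse
! serial numbers already issued to the spokes.
copy tftp://192.0.2.10/pki-server.ser nvram:pki-server.ser
copy tftp://192.0.2.10/pki-server.crl nvram:pki-server.crl
!
! Check that the key pair is back and that the imported CA certificate has
! the same fingerprint the old router reported in "show crypto pki server".
show crypto key mypubkey rsa
show crypto pki certificates pki-server
!
! Recreate the server with the same issuer name and database location and
! bring it up. "Status: disabled, Failed to validate selfsigned CA
! certificate" should no longer appear in "show crypto pki server".
crypto pki server pki-server
 database url nvram:
 database level complete
 issuer-name cn=pki-server,ou=cvo,o=cisco
 grant manual
 no shutdown
```

Two checks worth doing before trusting a restored CA: compare the certificate fingerprint from "show crypto pki certificates" against the value recorded from the old router (36EE85F8 019A46D0 DA8A45C0 A321371C in this thread), and confirm with "show crypto key mypubkey rsa" that a key pair with the CA's label exists on the new router. If either is missing, the spokes' certificates were signed by a key the new router does not hold, and re-enrolling them against a freshly created CA is the only option.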