IOS CA server certificate validation failed

a.kartick
Level 1

Hi Experts,

We have a customer setup running a Cisco Virtual Office (CVO) VPN configuration on a Cisco 3845 router, which is also acting as the CA server. Due to an issue with the motherboard and the AIM-VPN/SSL3 card, we did an RMA and replaced both of them. After that, we noticed that the site-to-site CVO VPN is not coming up. Upon troubleshooting, we found that the CA certificate validation is failing on the Cisco 3845 head-end router, which reports the following:

VPN-RTR-01 (config)#Do sh cry pki ser
Certificate Server pki-server:
    Status: disabled, Failed to validate selfsigned CA certificate
    State: check failed
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: cn=pki-server,ou=cvo,o=cisco
    CA cert fingerprint: 36EE85F8 019A46D0 DA8A45C0 A321371C
    Granting mode is: manual
    Last certificate issued serial number: 0x5B
    CA certificate expiration timer: 13:39:58 UTC Nov 27 2015
    CRL NextUpdate timer: 07:40:00 UTC Jan 6 2011
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

As per the Cisco guidelines, we had taken a backup of the certificates from the NVRAM of the old router and uploaded it to the new router, but we are still not able to bring it up. Any ideas what is wrong and how it can be rectified? I am attaching a partial PKI configuration here.

Thanks

3 Replies

rahgovin
Level 4

Were the CA RSA keys manually created and non-exportable?

It is not possible to manually back up a server that uses non-exportable RSA keys or manually generated non-exportable RSA keys. Although automatically generated RSA keys are marked as non-exportable, they are automatically archived once.

Also, did you follow this guide to back up and restore? Did you use the PEM or PKCS12 format to archive? Can you check whether the PEM cert has the RSA keys in it or not? Also check whether the same RSA keys are present on the current router.

http://www.cisco.com/en/US/products/ps6350/products_configuration_example09186a00807f98ff.shtml

Hi Rahul,

We have manually created the keys. However, we haven't used the "exportable" keyword, so I think we generated non-exportable keys. The format for backing up is PKCS12. We had referred to the same link you mentioned in your post. We even tried the command "crypto ca certificate validate", but it says it cannot validate a self-signed certificate. What do you suggest?

I believe you would need to generate new CA certificates signed by new keys on the CA server. Unfortunately, manually generated non-exportable keys will not allow the CA server to be backed up, as the keys are different. Do you still have the old router with you? If so, please check whether you are able to export the RSA keys and import them into the new router.
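As an added example (not from the original thread and not Cisco's own documentation), here is the IOS CLI sequence the replies above imply, with the checks a practitioner would run before trusting a CA backup: confirm the key pair is exportable, export cert and private key together as PKCS12, import on the replacement router, and verify key presence and CA fingerprint before turning the server on. The trustpoint/server name "pki-server", the issuer name and the fingerprint are taken from the output in the question; the TFTP server 10.0.0.5, the archive password "Archive-Pw1" and the 2048-bit modulus are assumptions.

```ios
! --- On the OLD router (the one whose CA is to be moved) ---
! 1. Is the CA key pair exportable at all? Only an exportable key can be
!    carried over. "Key is not exportable." means the CA must be rebuilt.
show crypto key mypubkey rsa
!   Key name: pki-server
!   Key is exportable.       <- required for step 2

! 2. Bundle the CA certificate AND its private key as PKCS12. A bundle that
!    holds only the certificate cannot restore a CA server.
!    (tftp://10.0.0.5 and the password are assumptions.)
crypto pki export pki-server pkcs12 tftp://10.0.0.5/pki-server.p12 password Archive-Pw1

! --- On the NEW (RMA) router ---
! 3. Import into a trustpoint with the same name as the CA server; the
!    import installs both the key pair and the certificate.
configure terminal
 crypto pki trustpoint pki-server
  exit
 crypto pki import pki-server pkcs12 tftp://10.0.0.5/pki-server.p12 password Archive-Pw1

! 4. Verify BEFORE enabling the server: the key must be listed, and the
!    CA certificate fingerprint must match the old router
!    (36EE85F8 019A46D0 DA8A45C0 A321371C in the question).
 do show crypto key mypubkey rsa
 do show crypto pki certificates pki-server

! 5. Only now configure and start the server. With key and certificate
!    matching, the self-signed CA certificate validates on "no shutdown".
!    "database archive" makes the NEXT hardware swap a file copy.
 crypto pki server pki-server
  database level minimum
  database archive pkcs12 password Archive-Pw1
  no shutdown
  end
show crypto pki server

! --- If step 1 reports the key is NOT exportable (this thread's case) ---
! Rebuild the CA with a fresh, exportable key pair. Every CVO spoke then
! has to re-enrol, because certificates issued by the old CA no longer
! chain to the new CA certificate.
configure terminal
 crypto key generate rsa general-keys label pki-server modulus 2048 exportable
 crypto pki server pki-server
  issuer-name cn=pki-server,ou=cvo,o=cisco
  grant manual
  database archive pkcs12 password Archive-Pw1
  no shutdown
  end
```

The two "do show" checks in step 4 are the ones that would have caught the failure in the question early: a PKCS12 export made from a router whose key pair is non-exportable carries the certificate but not the key, so after import the new router has the CA cert but no private key that matches it, and the server reports "Failed to validate selfsigned CA certificate" on the first "no shutdown".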