06-21-2022 02:28 AM - edited 06-21-2022 02:29 AM
We use a Cisco router in our DC as a CA server. This weekend the old cert expired and the new one took over at approx. 98% of our sites.
The ones that did not are all 1111-8Ps on IOS XE. I have checked, and other 1111s on the same code did auto-renew; I have also checked that I can install the cert on these ones OK.
We have been working with Cisco and we can see a small amount of two-way traffic between the spoke and the CA, but we can see the cert is not being transferred.
But for one site I need to get them up ASAP as they rely on DMVPN. The other sites do not, luckily.
So apart from the above I have been trying to manually install the cert with cut and paste. Below is how it should look on a working router.
But I only seem to be able to cut and paste the CA or the General Purpose one, because they have the same name.
Does anyone know how to do both at the same time? The bottom is a redacted copy of the cert export on a working router; I can only seem to cut and paste one or the other.
Certificate
  Status: Available
  Certificate Serial Number (hex): 050A
  Certificate Usage: General Purpose
  Issuer:
    cn=xxxxxxxx
  Subject:
    Name: yyyyyyyyyyy.bbbbb.com
    Serial Number: FCZ2323C09C
    serialNumber=FCZ2323C09C+hostname=yyyyyyyyyy.bbbbb.com
  Validity Date:
    start date: 20:17:20 UTC Jun 19 2022
    end   date: 16:17:53 UTC Aug 6 2024
    renew date: 21:53:46 UTC Mar 3 2024
  Associated Trustpoints: xxxxxxxx
  Storage: nvram:xxxxxxx#50A.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 049B
  Certificate Usage: Signature
  Issuer:
    cn=xxxxx
  Subject:
    cn=xxxxx
  Validity Date:
    start date: 20:17:20 UTC Jun 19 2022
    end   date: 20:17:20 UTC Jan 9 2026
  Associated Trustpoints: xxxxxx
  Storage: nvram:xxxxx#49BCA.cer

% CA certificate:
-----BEGIN CERTIFICATE-----
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
-----END CERTIFICATE-----

% General Purpose Certificate:
-----BEGIN CERTIFICATE-----
bbbbbbbbbbbbbbbbbbbbbbbbbbb
-----END CERTIFICATE-----
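Since the failure here was that auto-enrollment silently did not replace the identity certificate on a few routers, a fleet-wide check that parses "show crypto pki certificates" output and flags identity certs past their renew date, expired certs, and CA certs near expiry is the kind of thing that catches the 2% before the old cert lapses. The script below is an added example, not from the original post or from Cisco; the sample output is constructed from the redacted listing above (placeholder names kept), and the whitespace-based block/field parsing is an assumption about how the output is laid out.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample modelled on the redacted "show crypto pki certificates"
# output quoted above (placeholder names kept; not a real router's output).
SAMPLE_OUTPUT = """\
Certificate
  Certificate Serial Number (hex): 050A
  Associated Trustpoints: xxxxxxxx
    start date: 20:17:20 UTC Jun 19 2022
    end   date: 16:17:53 UTC Aug 6 2024
    renew date: 21:53:46 UTC Mar 3 2024
CA Certificate
  Certificate Serial Number (hex): 049B
  Associated Trustpoints: xxxxxxxx
    start date: 20:17:20 UTC Jun 19 2022
    end   date: 20:17:20 UTC Jan 9 2026
"""
DATE_RE = re.compile(r"^\s*(start|end|renew)\s+date:\s+(.+?)\s*$")
FIELD_RE = re.compile(r"^\s*(Certificate Serial Number \(hex\)|Associated Trustpoints):\s*(\S+)")
KEYS = {"Certificate Serial Number (hex)": "serial", "Associated Trustpoints": "trustpoint"}

def parse_date(s):  # IOS prints validity as "HH:MM:SS UTC Mon D YYYY"
    return datetime.strptime(s, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)

def parse_certs(text):
    """One dict per block: "Certificate" is the router's identity cert, "CA Certificate" the issuer's."""
    certs = []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith("Certificate"):
            certs.append({"kind": line.strip()})       # unindented header starts a new block
        elif certs and (m := DATE_RE.match(line)):
            certs[-1][m.group(1)] = parse_date(m.group(2))
        elif certs and (m := FIELD_RE.match(line)):
            certs[-1][KEYS[m.group(1)]] = m.group(2)
    return certs

def check_certs(certs, now, warn_days=30):
    """Flag expired certs, identity certs past renew date that auto-enroll has not replaced, and near-expiry."""
    findings = []
    for c in certs:
        label = f"{c['kind']} {c.get('serial', '?')} tp={c.get('trustpoint', '?')}"
        if now >= c["end"]:
            findings.append(f"EXPIRED: {label} ended {c['end']:%Y-%m-%d}")
        elif c["kind"] == "Certificate" and "renew" in c and now >= c["renew"]:
            findings.append(f"NOT RENEWED: {label} passed renew date {c['renew']:%Y-%m-%d}")
        elif c["end"] - now <= timedelta(days=warn_days):
            findings.append(f"EXPIRING: {label} ends {c['end']:%Y-%m-%d}")
    return findings

def audit(text, today):  # today as "YYYY-MM-DD", interpreted as UTC
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return check_certs(parse_certs(text), now)
```

Run `audit(output, today)` over each spoke's captured output; a "NOT RENEWED" line on the identity cert is the signature of the auto-enrollment failure described in the post, while the CA cert block has no renew date and is only checked for expiry.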
06-21-2022 02:45 AM
@Richard Tapp, to import the CA certificate you use "crypto pki authenticate <Trustpointname>", and to generate the CSR you use "crypto pki enroll <trustpointname>". Once the certificate is signed by the CA, you use "crypto import certificate".
Example:
https://integratingit.wordpress.com/2017/08/26/cisco-ios-certificate-enrollment-via-scep/
06-21-2022 02:55 AM
Rob
Thanks, I will try that in a minute if needed. Cisco have just suggested something.