cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
253
Views
5
Helpful
2
Replies

Issue with certifcate on 1111-8P

Richard Tapp
Beginner
Beginner

We use a Cisco router in our DC as a CA server, this weekend the old cert expired and the new one took over at approx 98% of our sites.

 

The ones that did not are all 1111-8P's on IOS XE. I have checked and other 1111's on the same code and they did auto renew and I have checked and I can install the cert on these ones OK.

 

We have been working with Cisco and we can see a small amount of two way traffic between the spoke and CA, but we can see the cert is not being transferred.

But for one site I need to get them up asap as they relie on DMVPN. The other sites do not luckily.

 

So apart from the above I have been trying to manually install the cert with cut and paste. Below is how it should look on a working router.

But I only seem to be able to cut and paste the CA or the Generall purpose becuase they have the same name.

 

Does anyone know how to do both at the same time ? The bottom is a redatcted copy of the cert export on a working router, I can only seem to cut and paste one or the other

 

Certificate

  Status: Available

  Certificate Serial Number (hex): 050A

  Certificate Usage: General Purpose

  Issuer:

    cn=xxxxxxxx

  Subject:

    Name: yyyyyyyyyyy.bbbbb.com

    Serial Number: FCZ2323C09C

    serialNumber=FCZ2323C09C+hostname=yyyyyyyyyy.bbbbb.com

  Validity Date:

    start date: 20:17:20 UTC Jun 19 2022

    end   date: 16:17:53 UTC Aug 6 2024

    renew date: 21:53:46 UTC Mar 3 2024

  Associated Trustpoints: xxxxxxxx

  Storage: nvram:xxxxxxx#50A.cer

 

CA Certificate

  Status: Available

  Certificate Serial Number (hex): 049B

  Certificate Usage: Signature

  Issuer:

    cn=xxxxx

  Subject:

    cn=xxxxx

  Validity Date:

    start date: 20:17:20 UTC Jun 19 2022

    end   date: 20:17:20 UTC Jan 9 2026

  Associated Trustpoints: xxxxxx

  Storage: nvram:xxxxx#49BCA.cer

 

 

 

 

% CA certificate:

-----BEGIN CERTIFICATE-----

bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

-----END CERTIFICATE-----

 

% General Purpose Certificate:

-----BEGIN CERTIFICATE-----

bbbbbbbbbbbbbbbbbbbbbbbbbbb

-----END CERTIFICATE-----

 

 

2 Replies 2

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@Richard Tapp to import the CA certificate you use "crypto pki authenticate <Trustpointname>" and to generate the CSR you use "crypto pki enroll <trustpointname>" once the certificate is signed by the CA, you use "crypto import certificate"

 

Example:

https://integratingit.wordpress.com/2017/08/26/cisco-ios-certificate-enrollment-via-scep/

 

Rob

Thanks, I will try that in a minute if needed. Cisco have just suggested something

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers