
Issue with certificate on 1111-8P

Richard Tapp
Level 1

We use a Cisco router in our DC as a CA server. This weekend the old cert expired and the new one took over at approximately 98% of our sites.

 

The ones that did not are all 1111-8Ps on IOS XE. I have checked, and other 1111s on the same code did auto-renew, and I have checked that I can install the cert on these ones OK.

 

We have been working with Cisco and we can see a small amount of two-way traffic between the spoke and the CA, but we can see the cert is not being transferred.

But for one site I need to get them up ASAP as they rely on DMVPN. Luckily the other sites do not.

 

So apart from the above, I have been trying to manually install the cert with cut and paste. Below is how it should look on a working router.

But I only seem to be able to cut and paste the CA or the General Purpose certificate, because they have the same name.

 

Does anyone know how to do both at the same time? Below is a redacted copy of the cert export from a working router; I can only seem to cut and paste one or the other.

 

Certificate
  Status: Available
  Certificate Serial Number (hex): 050A
  Certificate Usage: General Purpose
  Issuer:
    cn=xxxxxxxx
  Subject:
    Name: yyyyyyyyyyy.bbbbb.com
    Serial Number: FCZ2323C09C
    serialNumber=FCZ2323C09C+hostname=yyyyyyyyyy.bbbbb.com
  Validity Date:
    start date: 20:17:20 UTC Jun 19 2022
    end   date: 16:17:53 UTC Aug 6 2024
    renew date: 21:53:46 UTC Mar 3 2024
  Associated Trustpoints: xxxxxxxx
  Storage: nvram:xxxxxxx#50A.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 049B
  Certificate Usage: Signature
  Issuer:
    cn=xxxxx
  Subject:
    cn=xxxxx
  Validity Date:
    start date: 20:17:20 UTC Jun 19 2022
    end   date: 20:17:20 UTC Jan 9 2026
  Associated Trustpoints: xxxxxx
  Storage: nvram:xxxxx#49BCA.cer

% CA certificate:
-----BEGIN CERTIFICATE-----
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
-----END CERTIFICATE-----

% General Purpose Certificate:
-----BEGIN CERTIFICATE-----
bbbbbbbbbbbbbbbbbbbbbbbbbbb
-----END CERTIFICATE-----

 

 

2 Replies

@Richard Tapp, to import the CA certificate you use "crypto pki authenticate <trustpointname>", and to generate the CSR you use "crypto pki enroll <trustpointname>". Once the certificate is signed by the CA, you use "crypto import certificate".

 

Example:

https://integratingit.wordpress.com/2017/08/26/cisco-ios-certificate-enrollment-via-scep/

 

Rob
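The terminal-enrollment sequence Rob outlines, and the "both certificates into one trustpoint" question from the original post, as a single console walkthrough. This is an added example and not text from either poster; the trustpoint name DC-CA, key pair DC-CA-KEY, hostname spoke1.example.com, and the PEM placeholders are assumptions. The CA cert and the router's own cert go into the same trustpoint, but through two different commands (authenticate, then import), which is why pasting one of them "overwrites" nothing and pasting the other needs a CSR first.

```cisco
! Added example, not from the original thread. Assumed names: trustpoint DC-CA,
! key pair DC-CA-KEY, hostname spoke1.example.com. PEM bodies are placeholders.
!
! 1. Switch the trustpoint from SCEP ("enrollment url ...") to terminal
!    (cut-and-paste) enrollment. Keep the existing trustpoint name and key
!    pair so IKE/DMVPN profiles that reference them are untouched.
Router# configure terminal
Router(config)# crypto pki trustpoint DC-CA
Router(ca-trustpoint)# enrollment terminal pem
Router(ca-trustpoint)# fqdn spoke1.example.com
Router(ca-trustpoint)# subject-name CN=spoke1.example.com
Router(ca-trustpoint)# rsakeypair DC-CA-KEY
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
!
! 2. Install the CA certificate. This fills the "CA Certificate" entry only.
Router(config)# crypto pki authenticate DC-CA
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
...CA certificate PEM (the "% CA certificate:" block from the working router)...
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: <compare against the CA before answering>
       Fingerprint SHA1: <compare against the CA before answering>
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
!
! 3. Generate a CSR for this router's own certificate. The working router's
!    "General Purpose" cert cannot be pasted here: it is bound to that
!    router's private key, and its subject carries that chassis serial.
Router(config)# crypto pki enroll DC-CA
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=spoke1.example.com
% The subject name in the certificate will include: spoke1.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
...CSR PEM: copy this to the CA and have it signed...
-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
!
!    On an IOS CA server (the thread's setup) the CSR can be signed from the
!    console with:  CA# crypto pki server <server-name> request pkcs10 terminal pem
!    which prints the signed certificate back as a PEM block.
!
! 4. Import the signed certificate into the SAME trustpoint. This fills the
!    "General Purpose" entry; it is a different command from "authenticate".
Router(config)# crypto pki import DC-CA certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
...signed router certificate PEM returned by the CA...
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported
Router(config)# end
!
! 5. Verify both entries show "Status: Available". If SCEP auto-enrollment
!    is retried later, the debugs show what actually crosses the wire.
Router# show crypto pki certificates DC-CA
Router# show crypto pki trustpoints DC-CA status
Router# debug crypto pki transactions
Router# debug crypto pki messages
```

Two caveats. First, "crypto pki import DC-CA certificate" only succeeds for a certificate whose public key matches the key pair named in the trustpoint, so the cert export from a working router is useful as a reference for what the fields should look like, not as something to paste onto a different chassis. Second, IOS does offer a one-shot route for the "both at the same time" question: "crypto pki export <tp> pem terminal 3des <passphrase>" on the working router followed by "crypto pki import <tp> pem terminal <passphrase>" on the target imports the CA cert, private key and router cert in one go, but it only works if the key was generated exportable, and it clones the working router's identity (its subject includes that chassis serial number) onto the new box, which is rarely what you want for a DMVPN spoke.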

Thanks, I will try that in a minute if needed. Cisco have just suggested something