11-13-2019 02:26 AM - edited 02-21-2020 09:48 PM
Dear All
I'm trying to set up a DMVPN environment with a Windows-based PKI infrastructure. I use SCEP for enrollment, and I also use the auto-enroll feature with RSA key rollover (auto-enroll regenerate). It is working properly; however, when a new RSA key is generated by the router and the new certificate arrives via SCEP, the router stores the new values in NVRAM only. The log contains the following: "%PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate". Is it possible to force the router to save the new RSA key and certificate details into the startup config without manual intervention? (EEM could be an option, but there might be a better way to save just this information, i.e., to avoid problems if the certificate is renewed while other changes are in progress on the box.)
Thank you
Solved! Go to Solution.
11-13-2019 03:18 AM
Dear All
Meanwhile, I was able to figure this out in my lab. It looks like the device saves the new key and certificate during re-certification if the running config was saved as the startup config beforehand. But if the running config is newer than the startup config (even if somebody just entered conf t mode but did not change anything), the router will not save the new key and certificate, and instead generates the "%PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate" message.
Thank you
10-27-2024 04:52 AM
Can you please clarify the behavior? I see this quite a bit in syslog and usually log in to the device in question and issue a 'wr mem' to be safe. Are you saying that if the router auto-enrolls, but the config in startup is different from running, then it doesn't save the key and certificate?
10-27-2024 05:30 PM
Hi,
I've been using the IOS-XE PKI infrastructure several times, with auto-renewal, and had no issues. Could you paste the relevant PKI server and client configuration (remove whatever is private), as well as the log message? Certificates are by default stored in NVRAM, if the location is not manually changed.
Also, can you look at the outputs of the following commands, "show crypto pki certificates storage" and "show crypto pki certificates verbose", and see whether the storage location shows up in both?
Best,
Cristian.
10-28-2024 12:06 AM
Hi, yes, that was the behavior I saw in my environment (ISR4k, ASR1k, C8200, C8300). If the configs are different, the router will not save the new key without manual intervention. Once you issue wr mem manually, obviously the new key will be saved too.
10-30-2024 06:25 AM
Hi,
I've asked for those outputs as there are other challenges that you might be facing. Back to the point: yes, this is expected behaviour. The PKI chain is not automatically saved to NVRAM (the default location unless changed within your trustpoint config) if there are unsaved changes (running-config different from startup-config). While the probability of such an event is low (someone making changes to the config exactly at the time of auto-renewal), the easiest way to still cover that risk is to configure a Kron job to automatically issue "write memory" at regular intervals.
Best,
Cristian.
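As an added worked example (not configuration posted by anyone in this thread), here is how the pieces discussed above fit together on IOS-XE: a SCEP trustpoint with auto-enrollment and key regeneration as described in the opening post, the Kron job that issues "write memory" on a schedule as recommended in the accepted reply, and an EEM applet keyed on the %PKI-4-NOAUTOSAVE message as the event-driven alternative the opening post mentioned. The trustpoint name, key label, NDES URL, subject name, renewal percentage and schedule time are assumptions.

```cisco
! Added example, not from the original thread. Names, URL and times are assumed.
!
! 1. SCEP trustpoint against a Windows NDES server with auto-enrollment.
!    "auto-enroll 70 regenerate" requests renewal at 70% of the certificate
!    lifetime and generates a fresh RSA key pair for each renewal, which is
!    the rollover behaviour the opening post describes.
crypto pki trustpoint WIN-CA
 enrollment url http://ndes.example.com/certsrv/mscep/mscep.dll
 subject-name CN=hub1.example.com,O=Example
 rsakeypair DMVPN-KEY 2048
 auto-enroll 70 regenerate
 revocation-check crl
!
! 2. Scheduled save (the approach from the accepted reply): a Kron policy
!    that runs "write memory" once a day, so a renewal that happened while
!    running-config differed from startup-config is persisted no later than
!    the next run. "write memory" is used rather than "copy run start"
!    because Kron cannot answer the destination-filename prompt.
kron policy-list SAVE-CONFIG
 cli write memory
!
kron occurrence SAVE-CONFIG-DAILY at 3:00 recurring
 policy-list SAVE-CONFIG
!
! 3. Event-driven alternative (the EEM option raised in the opening post):
!    save as soon as the router reports that it could not auto-save.
event manager applet PKI-AUTOSAVE
 event syslog pattern "%PKI-4-NOAUTOSAVE"
 action 1.0 cli command "enable"
 action 2.0 cli command "write memory"
 action 3.0 syslog msg "PKI-AUTOSAVE: saved running-config after certificate renewal"
```

Both mechanisms save whatever is in the running-config at that moment, so neither isolates the PKI change from unrelated, unsaved edits; if that matters in your environment, review "show archive config differences nvram:startup-config system:running-config" before relying on the automatic save. After a renewal, "show crypto pki certificates verbose" and "show crypto key mypubkey rsa" confirm that the new certificate and key are in use, and a subsequent reload confirms they survived in NVRAM.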