10-01-2013 09:34 PM
Hi,
My router (Cisco 3825 15.0(1)M6) is configured to auto-enroll after 60% of the validity of the certificates.
The renew date field is not showing in 'show crypto pki certificates'.
Can you please advise what the problem is, as I didn't find any related bug? On the other routers (Cisco 2911 15.0(1)M5, Cisco ASR 1002 15.3(2)S)
same issue. I tried to remove the trustpoint and re-add it, but it didn't resolve the problem! Maybe the problem is in the CA (Win 2008 R2 Standalone Root)?
10-02-2013 12:30 AM
If you enrolled via SCEP, the renew timer should have started and be shown in "show crypto pki time".
If it's not there consider opening up a TAC case.
10-02-2013 12:45 AM
Thanks for the answer, Marcin.
Output of show crypto pki time:
Router#show crypto pki time
PKI Timers
| 4:13:22.928
| 4:13:22.928 SHADOW CAROOT
| 13:09:46.648 CRL Unable to display CDP
|313d17:31:32.936 SHADOW SubCa
Is "CRL Unable to display CDP" OK or not?
Marcin, my router can renew the certificate only after reloading. My goal is to do it without reloading.
10-02-2013 01:01 AM
We've had a few similar problems in the past, e.g.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuh71381 (this one is quite the opposite)
Your CA and subCA certs are going to be refreshed, but not the identity.
The CRL timer might be due to a malformed/unexpected CDP URL.
The problem (with renew timers) typically comes down to calculating the lifetime, and it is highly dependent on your certs. Open up a TAC case, let's have a deeper look.
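As an added example (not part of the thread, and not Cisco tooling): a small Python helper that parses the "show crypto pki timers" output posted above, reports whether a RENEW timer exists for a given trustpoint, extracts the message attached to the CRL timer, and computes from a certificate's validity window when an "auto-enroll <percent>" renewal should fire. The "healthy" output sample, the certificate dates and the RENEW label are constructed/assumed, modelled on the line format of the posted output.

```python
# Added example (not from the thread): inspect "show crypto pki timers"
# output and compute the expected auto-enroll renewal instant.
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Output as posted in the thread: no RENEW line for the identity trustpoint.
POSTED_TIMERS = """\
PKI Timers
|        4:13:22.928
|        4:13:22.928 SHADOW CAROOT
|       13:09:46.648 CRL Unable to display CDP
|313d17:31:32.936 SHADOW SubCa
"""

# Constructed output (NOT from the thread) showing what a renewal timer for a
# trustpoint named RootCA would look like; "RENEW" as the label is an assumption.
HEALTHY_TIMERS = """\
PKI Timers
|        4:13:22.928
|  12d 4:00:00.000 RENEW RootCA
|       13:09:46.648 CRL Unable to display CDP
"""

# One timer line: "|[<days>d]<h>:<mm>:<ss>.<ms> [<LABEL> [<detail>]]"
TIMER_RE = re.compile(
    r"^\|\s*(?:(?P<days>\d+)d)?\s*(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{1,3})"
    r"(?:\s+(?P<label>\S+)(?:\s+(?P<detail>.*?))?)?\s*$"
)


def parse_pki_timers(text: str) -> List[Dict]:
    """Return one dict per timer line: seconds until expiry, label, detail."""
    timers = []
    for line in text.splitlines():
        m = TIMER_RE.match(line)
        if not m:
            continue  # header or unrelated line
        seconds = (
            int(m.group("days") or 0) * 86400
            + int(m.group("h")) * 3600
            + int(m.group("m")) * 60
            + int(m.group("s"))
            + int(m.group("ms").ljust(3, "0")) / 1000
        )
        timers.append({"seconds": seconds, "label": m.group("label"), "detail": m.group("detail")})
    return timers


def renew_timer(text: str, trustpoint: str) -> Optional[float]:
    """Seconds until the RENEW timer of `trustpoint` fires, or None if absent."""
    for t in parse_pki_timers(text):
        if t["label"] == "RENEW" and t["detail"] == trustpoint:
            return t["seconds"]
    return None


def crl_timer_message(text: str) -> Optional[str]:
    """Text attached to the CRL timer (e.g. 'Unable to display CDP'), if any."""
    for t in parse_pki_timers(text):
        if t["label"] == "CRL":
            return t["detail"]
    return None


def expected_renewal(not_before: datetime, not_after: datetime, percent: int) -> datetime:
    """auto-enroll <percent>: renewal starts at <percent> of the lifetime, measured from notBefore."""
    if not 1 <= percent <= 100:
        raise ValueError("auto-enroll percent must be 1..100")
    lifetime = not_after - not_before
    return not_before + timedelta(seconds=round(lifetime.total_seconds() * percent / 100))


if __name__ == "__main__":
    # Constructed certificate validity window (not the poster's certificate).
    nb, na = datetime(2013, 1, 1), datetime(2014, 1, 1)
    print("expected renewal at 60%:", expected_renewal(nb, na, 60))
    print("RENEW RootCA in posted output:", renew_timer(POSTED_TIMERS, "RootCA"))
    print("RENEW RootCA in healthy output:", renew_timer(HEALTHY_TIMERS, "RootCA"))
    print("CRL timer message:", crl_timer_message(POSTED_TIMERS))
```

Run against the posted output it returns no RENEW timer for RootCA and surfaces the "Unable to display CDP" text on the CRL timer, which is the first thing to compare against the CDP URL in the certificate.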
10-02-2013 01:39 AM
Unfortunately, I haven't got any contract number to open a TAC case. I tried to enroll the certificate from the CA manually and there was the following in the debug crypto pki messages and transactions output:
CRYPTO-PKI: Server returned capabilities: 4
Do you know what it means?
10-02-2013 02:00 AM
That debug is indicating the number of CA capabilities returned:
http://tools.ietf.org/html/draft-nourse-scep-23#page-40
M.
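An added example (not from the thread): a Python parser for the SCEP GetCACaps response body, which is the plain-text keyword list whose length the debug line above reports. The response body, the CA URL and the keyword set are constructed or taken from draft-nourse-scep-23; nothing here was captured from the poster's CA, and the "Renewal" and "GetNextCACert" checks are simply what I would look at first when renewal and rollover are the problem.

```python
# Added example (not from the thread): parse a SCEP GetCACaps response and
# summarise what the CA advertises.
from typing import Dict, List

# Capability keywords defined for GetCACaps in draft-nourse-scep-23.
KNOWN_CAPS = {
    "GetNextCACert",     # CA supports GetNextCACert (CA certificate rollover)
    "POSTPKIOperation",  # PKIOperation may be sent with HTTP POST
    "Renewal",           # CA accepts renewal requests signed with the existing certificate
    "SHA-1", "SHA-256", "SHA-512",  # hash algorithms the CA supports
    "DES3",              # triple-DES for the enveloped content
}

# Constructed response body (NOT captured from the poster's Windows CA).
# The draft specifies one keyword per line; four keywords here match the
# count in the posted "Server returned capabilities: 4" line.
SAMPLE_BODY = "GetNextCACert\r\nPOSTPKIOperation\r\nRenewal\r\nSHA-1\r\n"


def getcacaps_url(base_url: str, ca_ident: str = "") -> str:
    """GET URL for GetCACaps: <base>?operation=GetCACaps&message=<CA identifier>."""
    return f"{base_url}?operation=GetCACaps&message={ca_ident}"


def parse_ca_caps(body: str) -> List[str]:
    """One keyword per line; blank lines and duplicates are dropped."""
    caps: List[str] = []
    for line in body.splitlines():
        keyword = line.strip()
        if keyword and keyword not in caps:
            caps.append(keyword)
    return caps


def summarize_caps(caps: List[str]) -> Dict:
    """Flags for the capabilities relevant to renewal and CA rollover.

    Keywords are compared case-insensitively here; unknown keywords are
    reported rather than rejected.
    """
    known_lower = {k.lower(): k for k in KNOWN_CAPS}
    lower = {c.lower() for c in caps}
    return {
        "count": len(caps),
        "renewal": "renewal" in lower,
        "next_ca_cert": "getnextcacert" in lower,
        "post": "postpkioperation" in lower,
        "hashes": sorted(known_lower[c] for c in lower if c in known_lower and c.startswith("sha-")),
        "unknown": sorted(c for c in caps if c.lower() not in known_lower),
    }


if __name__ == "__main__":
    # Hypothetical NDES-style URL; adjust to the CA actually in use.
    print(getcacaps_url("http://ca.example.test/certsrv/mscep/mscep.dll"))
    caps = parse_ca_caps(SAMPLE_BODY)
    print("capabilities returned:", len(caps), caps)
    print(summarize_caps(caps))
```

A quick way to get a real body to feed into parse_ca_caps is to fetch the URL getcacaps_url builds with curl and save the response; if the list comes back without "Renewal", a renewal signed by the existing identity certificate has nothing on the CA side to talk to, whatever the router's timers say.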
10-02-2013 04:28 AM
Marcin, if there is only this message in the debug output and the RootCA shows no logs, how do I troubleshoot this problem? Maybe an additional debug command will help me?
10-02-2013 04:32 AM
debug cry pki m
debug crypto pki t
debug crypto pki A
are the typical minimums.
Remove the trustpoint carrying the identity cert, and revoke the certs.
Authenticate (first!) and enroll the trustpoint, watch the debugs.
10-02-2013 05:12 AM
If I do it, everything works fine. The problem appears when I try to test auto-enrollment.
1) In the trustpoint configuration I enter the command auto-enroll 15 regenerate, after which I see the following in the console:
CRYPTO_PKI: Setting renewal timers
But where can I find these new timers?
2) Can I re-enroll the certificate before this lifetime expires? I have a valid certificate and I tried to renew it with the command
crypto pki enroll RootCA
but nothing happened. Is it normal or not?
10-02-2013 05:32 AM
1) Those should be the crypto pki timers I indicated before.
Check
http://www.cisco.com/en/US/tech/tk1132/technologies_tech_note09186a0080c0debe.shtml
There's a section there on using auto-enrollment.
2) AFAIR you can only roll over the CA cert during normal operation.
BTW, before you go further, check the basics - time. Make sure you have good time set and you're updating the calendar.
Mind that I do not know your PKI; there are tons of questions and factors.
I don't particularly see a reason to enroll to your RootCA unless you're planning to have this router acting as a subCA, which is not the case.
I think you meant to chain those trustpoints and not enroll to the root? Unless "RootCA" is just a name?
You see what I mean? :-)
10-02-2013 05:52 AM
1) Yes, I've read this guide, but it describes the Cisco IOS CA Server, whereas I have Win 2008 R2 SP1 as RootCA.
2) Yes, my time is synchronized between the router and the RootCA; on the router I entered the command clock calendar-valid.
I think the basics check is OK, because I can enroll the certificate for the first time.
This is staging. I have only 1 RootCA and 2 Cisco routers (3825 and 2911). No SubCA. Yes, RootCA is the name of the trustpoint.
In the debug I see a new message while trying to manually re-enroll the certificate (crypto pki enroll RootCA):
CRYPTO_PKI: Begin shadow operation - skip current enrollment
PKI: Shadow state for MCSM1ROOT now NOSTATE
CRYPTO_PKI: Capabilites already obtained 80000004
PKI: Shadow state for MCSM1ROOT now NOT_SUPPORTED
CRYPTO_PKI: Setting renewal timers
PKI:get_cert MCSM1ROOT 0x10 (expired=0):
PKI:get_cert MCSM1ROOT 0x4 (expired=0):
Do you know what it means?
05-23-2018 04:45 AM
Was this addressed yet?
05-23-2018 04:46 AM
Was this addressed yet?