PKI connection generating HASH error.

Daniel Smith
Level 1

We are in the midst of a large deployment of an MPLS network, and a phase that will be starting soon is the connection of remote sites via IPSEC tunnels, using PKI encryption. This was working in our lab a few months ago, but some of the certificates expired. We are using an IOS router as the CA in the lab. The CA is a device, 'gahlab-tt1'; the remote is 'cgr1' and the tunnel head end is 'ftw-tt1'. The tunnel is between cgr1 and ftw-tt1. I began to work with the certificates, getting new ones issued, but am stymied by the error message shown below:

Dec 30 15:36:16.905: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

Any suggestions as to where to look for the source of this error would help a ton!

3 Replies

There are two certs.

There is a CA cert and a user cert.

I think your CA cert expired also, so re-authenticate the CA cert and try again.

Hi,

I am not sure how you are rolling out your certs, but if you have a large deployment then you should use SCEP enrollment to avoid errors in certificate structure. Also, you need to make sure that the right trustpoint is assigned to the right tunnel.

***** please remember to rate useful posts

I ended up removing certificates from config and deleting files in NVRAM. Generated a new key for the trustpoint, and then requested new certificates. All is well.
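The re-enrollment the last reply describes, written out as an added IOS CLI walkthrough (not the poster's configuration): the IKEv2 CERTREQ payload carries hashes of the CA certificates each side trusts, so once the lab CA's certificate is reissued both ends need the renewed CA cert and the renewed trustpoint bound to the profile. The trustpoint name LAB-CA, key label LAB-CA-KEY, profile name FTW-IKEV2, the example.lab names and the CA URL are placeholders; only the hostnames gahlab-tt1, cgr1 and ftw-tt1 come from the thread.

```cisco
! Added example, not from the original thread. LAB-CA, LAB-CA-KEY, FTW-IKEV2,
! example.lab names and the CA URL are assumed placeholders; hostnames are the
! thread's (gahlab-tt1 = IOS CA, cgr1 = remote, ftw-tt1 = tunnel head end).
!
! 1. On cgr1 (repeat on ftw-tt1): discard the expired chain and its key pair.
cgr1(config)# no crypto pki trustpoint LAB-CA
cgr1(config)# crypto key zeroize rsa LAB-CA-KEY
! Leftover certificate files in NVRAM are removed from privileged EXEC; list
! them first with 'dir nvram:' and delete each with 'delete nvram:<file>'.
!
! 2. New key pair and a trustpoint that enrolls over SCEP (second reply's advice).
cgr1(config)# crypto key generate rsa label LAB-CA-KEY modulus 2048
cgr1(config)# crypto pki trustpoint LAB-CA
cgr1(ca-trustpoint)# enrollment url http://gahlab-tt1.example.lab:80
cgr1(ca-trustpoint)# subject-name CN=cgr1.example.lab
cgr1(ca-trustpoint)# fqdn cgr1.example.lab
cgr1(ca-trustpoint)# rsakeypair LAB-CA-KEY
cgr1(ca-trustpoint)# revocation-check none
cgr1(ca-trustpoint)# exit
!
! 3. Fetch the renewed CA certificate (compare the fingerprint the router
!    prints with the one shown on gahlab-tt1 before accepting it), then enroll.
cgr1(config)# crypto pki authenticate LAB-CA
cgr1(config)# crypto pki enroll LAB-CA
!
! 4. Bind the renewed trustpoint to the IKEv2 profile on both tunnel ends:
!    'sign' is the cert this router presents, 'verify' the chain it checks the
!    peer against. A stale or wrong trustpoint here is the mismatch to look for.
cgr1(config)# crypto ikev2 profile FTW-IKEV2
cgr1(config-ikev2-profile)# match identity remote fqdn ftw-tt1.example.lab
cgr1(config-ikev2-profile)# identity local fqdn cgr1.example.lab
cgr1(config-ikev2-profile)# authentication remote rsa-sig
cgr1(config-ikev2-profile)# authentication local rsa-sig
cgr1(config-ikev2-profile)# pki trustpoint LAB-CA sign
cgr1(config-ikev2-profile)# pki trustpoint LAB-CA verify
cgr1(config-ikev2-profile)# exit
!
! 5. Verify before retesting the tunnel: CA and router certs valid, the same
!    CA fingerprint on cgr1 and ftw-tt1, and the profile actually in use.
cgr1# show crypto pki certificates LAB-CA
cgr1# show crypto pki trustpoints LAB-CA status
cgr1# show crypto ikev2 sa detailed
```

Run steps 1 to 4 on ftw-tt1 as well; if the two ends show different CA fingerprints in step 5, one side is still holding the old CA certificate.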