Renew ios crypto pki server expired certificate

georgezptl · ‎05-15-2020

Hi

My cisco ios router ca server certificate is about to expire how do i renew it

thanks

Rob Ingram · ‎05-15-2020

Hi,

What enrollment method are you using SCEP or terminal (manual)?

Either way you run crypto pki enroll <TRUSTPOINT NAME>. If you are using SCEP it should automatically pull the certificate, if using terminal it will display the CSR in the terminal, at which point you copy the CSR and get it signed by the CA, before importing the signed certificate.

Refer to this example here which demostrates the commands required.

HTH

georgezptl · ‎05-15-2020

hello,

the certificate was generated on the router it self, the router acts as the CA server

crypto pki server CA-Server
database level complete
issuer-name **********************
grant none
hash sha1
lifetime certificate 730
lifetime ca-certificate 1825
auto-rollover
database url flash:/CA/

balaji.bandi · ‎05-15-2020

Still the process same, for Local CA also.

I have attached good document for reference.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

georgezptl · ‎05-15-2020

so just run command crypto pki enroll <TRUSTPOINT NAME> and thats it ?

Rob Ingram · ‎05-15-2020

Yes. The trustpoint name has the configuration, running that command will enrol and install the certificate, assuming the configuration is setup and working correctly.

georgezptl · ‎05-15-2020

Its been working for 4 years now, so I do not think there will be any issue. Must I shutdown the ca server first?

Rob Ingram · ‎05-15-2020

No, if you shutdown the CA it will not issue a certificate.