Renew the IOS-CA expired certificate

slauzon
Beginner

Hi,

I am currently renewing the IOS-CA certificate because it is expired. The new certificate is in place and I am signing new certificate request with the new IOS-CA certificate.

The only problem is when I am trying to authenticate with the VPN client, on the router I am receiving the error below.

Sep 27 10:37:10.381: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.1.25 is bad: certificate invalid

If I check the CA server:

ROUTER#sh crypto pki serv
Certificate Server IOS-CA:
    Status: disabled, HTTP Server is disabled
    State: check failed
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=IOS-CA
    CA cert fingerprint: <xxxxxxxxxxxxxxxxxx>

    Granting mode is: manual
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 10:25:33 EST Sep 26 2016
    CRL NextUpdate timer: 16:26:39 EST Sep 27 2011
    Current primary storage dir: nvram:
    Current storage dir for .cnm files: flash:
    Current storage dir for .crt files: flash:
    Database Level: Complete - all issued certs written as <serialnum>.cer

But if I check the CA certificate:

ROUTER#sh crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: <xxxx>

  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-CA
  Subject:
    Name: ROUTER.domainname.com

    Serial Number: <xxxxxxxx>
    serialNumber=<xxxxxxxxx>+hostname=ROUTER.domainname.com

  Validity Date:
    start date: 15:57:36 EST Oct 4 2010
    end   date: 11:37:48 EST Oct 2 2011
  Associated Trustpoints: localtrust
  Storage: nvram:<xxx>.cer

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=IOS-CA
  Subject:
    cn=IOS-CA
  Validity Date:
    start date: 11:37:48 EST Oct 2 2008
    end   date: 11:37:48 EST Oct 2 2011
  Associated Trustpoints: IOS-CA localtrust
  Storage: nvram:<xxxx>.cer

Is there a way I can tell the router to use the new certificate?

Thanks
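As an added example (not from the original post), the following script parses the `show crypto ca cert` output quoted above and reports which certificates are expired or about to expire, and which identity certificates have an end date pinned to the CA's own expiry (the leaf and CA above both end at 11:37:48 Oct 2 2011). The sample text and the reference time (taken from the syslog timestamp) are constructed from the post; serial numbers and hostnames are the post's placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, trimmed from the `show crypto ca cert` output in the post.
SHOW_CERTS = """Certificate
  Subject:
    Name: ROUTER.domainname.com
  Validity Date:
    start date: 15:57:36 EST Oct 4 2010
    end   date: 11:37:48 EST Oct 2 2011
  Associated Trustpoints: localtrust

CA Certificate
  Subject:
    cn=IOS-CA
  Validity Date:
    start date: 11:37:48 EST Oct 2 2008
    end   date: 11:37:48 EST Oct 2 2011
  Associated Trustpoints: IOS-CA localtrust
"""

DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) \w+ (\w{3}) (\d+) (\d{4})")

def parse_ios_date(hms, mon, day, year):
    # IOS prints a zone name (EST here); it is dropped and all times are treated as router-local.
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")

def parse_certs(text):
    """Split the show output into one dict per certificate block (kind, start, end, trustpoints)."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        cert = {"kind": block.splitlines()[0].strip()}
        for m in DATE_RE.finditer(block):
            cert[m.group(1)] = parse_ios_date(*m.group(2, 3, 4, 5))
        tp = re.search(r"Associated Trustpoints:\s*(.*)", block)
        cert["trustpoints"] = tp.group(1).split() if tp else []
        certs.append(cert)
    return certs

def check_chain(certs, now, warn_days=30):
    """Flag expired / soon-expiring certs and identity certs whose end date is capped by the CA's expiry."""
    findings = []
    ca_ends = [c["end"] for c in certs if c["kind"] == "CA Certificate"]
    for c in certs:
        label = f"{c['kind']} [{' '.join(c['trustpoints'])}]"
        if now >= c["end"]:
            findings.append(f"{label}: EXPIRED {c['end']}")
        elif c["end"] - now <= timedelta(days=warn_days):
            findings.append(f"{label}: expires in {(c['end'] - now).days} days")
        if c["kind"] == "Certificate" and ca_ends and c["end"] >= min(ca_ends):
            findings.append(f"{label}: end date capped by CA expiry; re-enroll under the new CA")
    return findings
```

Run against the post's data with the syslog time (10:37:10 Sep 27 2011) as "now", the check reports both certificates as expiring in 5 days and the router's identity certificate as capped by the old CA, which is why re-enrolling under the new CA is needed rather than just installing the new CA certificate.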

1 Reply

Marcin Latosiewicz
Cisco Employee

Hi,

Just define a new trustpoint and authenticate and enroll it.

By default IOS and ASA use any trustpoint defined to verify received certificate.

Possible certificates are exchanged in MM3 and MM4 in CERT_REQ payload.

Now if you want to send a specific certificate back to the peer, typically there is no problem there, but in addition you can specify "ca trust-point" under the isakmp profile.

On a separate note, can I suggest using auto rollover and automatically granting rollover certs?

Marcin
