Hi There,

I am doing something wrong here; the router is saying my certificate is
invalid, but I'm not sure why...


Sep 24 13:36:03.912: %CRYPTO-4-IKMP_NO_SA: IKE message from 8.9.50.6
has no SA and is not an initialization offer
Sep 24 13:36:04.492: CRYPTO_PKI: New CRL Not Valid - expired (router
time not synched to CA?)
Sep 24 13:36:04.492:  CRL expires: 11:03:44 EUST Sep 24 2012
Sep 24 13:36:04.492:  Router time: 14:36:04 EUST Sep 24 2012
Sep 24 13:36:04.492: %PKI-4-CRLINSERTFAIL: Trustpoint "IOS_CA" unknown
(error 1804:E_VALIDITY : validity period start later than end)  <---
this line caught my attention
Sep 24 13:36:04.496: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received
from 8.9.50.6 is bad: certificate invalid.
Sep 24 13:36:04.496: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main
mode failed with peer at 8.9.50.6....



R5#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x4
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS_CA
  Subject:
    Name: R5
    Serial Number: FHK0953F18R
    hostname=R5+serialNumber=FHK0953F18R
    cn=R5.cisco.com
    ou=CCIE
    c=PL
  CRL Distribution Points:
    http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
  Validity Date:
    start date: 13:52:19 EUST Sep 24 2012
    end   date: 13:52:19 EUST Sep 24 2013
  Associated Trustpoints: IOS_CA
  Storage: nvram:IOS_CA#4.cer

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=IOS_CA
  Subject:
    cn=IOS_CA
  Validity Date:
    start date: 05:03:42 EUST Sep 24 2012
    end   date: 05:03:42 EUST Sep 24 2015
  Associated Trustpoints: IOS_CA
  Storage: nvram:IOS_CA#1CA.cer


R5#show clock
14:35:42.983 EUST Mon Sep 24 2012

and on my CA:

R2#show clock
14:36:24.099 EUST Mon Sep 24 2012

So we can see the validity period is outside what the current time is;
also, the validity period is rather short (i.e. <1 second).  I got this
to work previously; however, I can't easily find anywhere where I can
change the validity period.

Also, EUST is something I made up.  The lab did not tell me what I
should call it.  Funnily enough, when I used "MATTST" it was working
fine.  I don't think the timezone name should make any difference
whatsoever.

Cheers,
Matt

CCIE #22386
CCSI #31207
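
An added example, not part of the original post: a Python check that parses the timestamps from the debug lines and the "show crypto pki certificates" output quoted above, then compares the CRL expiry and each certificate's validity window with the router time. The function names are illustrative, and it assumes every timestamp carries the same zone label.

```python
import re
from datetime import datetime

# Sample input: lines taken from the debug output and the
# "show crypto pki certificates" output quoted in the post.
SAMPLE = """\
Sep 24 13:36:04.492:  CRL expires: 11:03:44 EUST Sep 24 2012
Sep 24 13:36:04.492:  Router time: 14:36:04 EUST Sep 24 2012
    start date: 13:52:19 EUST Sep 24 2012
    end   date: 13:52:19 EUST Sep 24 2013
    start date: 05:03:42 EUST Sep 24 2012
    end   date: 05:03:42 EUST Sep 24 2015
"""

# HH:MM:SS <zone> Mon D YYYY; the zone label is captured but not interpreted.
STAMP = r"(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\w{3}\s+\d{1,2}\s+\d{4})"

def _find(label, text):
    """Return (datetime, zone) for every '<label>: <stamp>' found in text."""
    out = []
    for clock, zone, date in re.findall(label + r":\s+" + STAMP, text):
        date = " ".join(date.split())  # collapse repeated spaces
        stamp = datetime.strptime(f"{clock} {date}", "%H:%M:%S %b %d %Y")
        out.append((stamp, zone))
    return out

def check(text):
    """Compare CRL expiry and certificate windows against the router time."""
    now, zone = _find(r"Router time", text)[0]
    crl_end, crl_zone = _find(r"CRL expires", text)[0]
    starts = _find(r"start\s+date", text)
    ends = _find(r"end\s+date", text)
    # Assumption: naive comparison is only valid if all labels match.
    if {z for _, z in [(crl_end, crl_zone)] + starts + ends} != {zone}:
        raise ValueError("mixed zone labels; normalise to UTC before comparing")
    return {
        "crl_expired": crl_end < now,
        "crl_age_seconds": int((now - crl_end).total_seconds()),
        "certs_in_window": [s <= now <= e for (s, _), (e, _) in zip(starts, ends)],
    }

if __name__ == "__main__":
    print(check(SAMPLE))
```
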