You need worry about timezones. Validity check is done based on UTC.

The validity period can't be changed; rather, change your clock.

With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)

On Mon, Sep 24, 2012 at 10:13 AM, Matt Hill <[email protected]> wrote:

> Hi There,
>
> I am doing something wrong here, saying my certificate is invalid, but
> I'm not sure why...
>
>
> Sep 24 13:36:03.912: %CRYPTO-4-IKMP_NO_SA: IKE message from 8.9.50.6
> has no SA and is not an initialization offer
> Sep 24 13:36:04.492: CRYPTO_PKI: New CRL Not Valid - expired (router
> time not synched to CA?)
> Sep 24 13:36:04.492:  CRL expires: 11:03:44 EUST Sep 24 2012
> Sep 24 13:36:04.492:  Router time: 14:36:04 EUST Sep 24 2012
> Sep 24 13:36:04.492: %PKI-4-CRLINSERTFAIL: Trustpoint "IOS_CA" unknown
> (error 1804:E_VALIDITY : validity period start later than end)  <---
> this line caught my attention
> Sep 24 13:36:04.496: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received
> from 8.9.50.6 is bad: certificate invalid.
> Sep 24 13:36:04.496: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main
> mode failed with peer at 8.9.50.6....
>
>
>
> R5#show crypto pki certificates
> Certificate
>   Status: Available
>   Certificate Serial Number: 0x4
>   Certificate Usage: General Purpose
>   Issuer:
>     cn=IOS_CA
>   Subject:
>     Name: R5
>     Serial Number: FHK0953F18R
>     hostname=R5+serialNumber=FHK0953F18R
>     cn=R5.cisco.com
>     ou=CCIE
>     c=PL
>   CRL Distribution Points:
>     http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
>   Validity Date:
>     start date: 13:52:19 EUST Sep 24 2012
>     end   date: 13:52:19 EUST Sep 24 2013
>   Associated Trustpoints: IOS_CA
>   Storage: nvram:IOS_CA#4.cer
>
> CA Certificate
>   Status: Available
>   Certificate Serial Number: 0x1
>   Certificate Usage: Signature
>   Issuer:
>     cn=IOS_CA
>   Subject:
>     cn=IOS_CA
>   Validity Date:
>     start date: 05:03:42 EUST Sep 24 2012
>     end   date: 05:03:42 EUST Sep 24 2015
>   Associated Trustpoints: IOS_CA
>   Storage: nvram:IOS_CA#1CA.cer
>
>
> R5#show clock
> 14:35:42.983 EUST Mon Sep 24 2012
>
> and on my CA:
>
> R2#show clock
> 14:36:24.099 EUST Mon Sep 24 2012
>
> So we can see the validity period is outside what the current time is,
> also the validity period is rather short (i.e. <1 second).  I got this
> to work previously, however I can't easily find anywhere where I can
> change the validity period.
>
> Also, EUST is something I made up.  The lab did not tell me what I
> should call it.  Funnily enough, when I used "MATTST" it was working
> fine.  I don't think the timezone name should make any difference
> whatsoever.
>
> Cheers,
> Matt
>
> CCIE #22386
> CCSI #31207
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
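The time comparison behind the quoted debug output, as an added example that is not part of either e-mail: it parses the IOS timestamps and checks the CRL expiry and each certificate's validity window against the router time. The function name `check` and the `SAMPLE` text (lines copied from the quoted output) are constructed for illustration; it assumes every stamp carries the same zone label and compares them as wall-clock times in that zone.

```python
import re
from datetime import datetime

# Constructed sample: timestamp lines copied from the debug output and the
# `show crypto pki certificates` output quoted in the thread.
SAMPLE = """\
Sep 24 13:36:04.492:  CRL expires: 11:03:44 EUST Sep 24 2012
Sep 24 13:36:04.492:  Router time: 14:36:04 EUST Sep 24 2012
Certificate
    start date: 13:52:19 EUST Sep 24 2012
    end   date: 13:52:19 EUST Sep 24 2013
CA Certificate
    start date: 05:03:42 EUST Sep 24 2012
    end   date: 05:03:42 EUST Sep 24 2015
"""

# label, HH:MM:SS, zone label, "Mon DD YYYY"
STAMP = re.compile(r"(CRL expires|Router time|start\s+date|end\s+date):\s+"
                   r"(\d\d:\d\d:\d\d) (\S+) (\w{3} +\d+ \d{4})")

def check(text):
    """Compare CRL expiry and certificate validity windows to the router time."""
    router = crl = start = None
    zones, certs = set(), []
    for label, clock, tz, date in STAMP.findall(text):
        ts = datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S")
        zones.add(tz)
        kind = label.split()[0]
        if kind == "Router":
            router = ts
        elif kind == "CRL":
            crl = ts
        elif kind == "start":
            start = ts
        else:                      # "end date" closes the current certificate
            certs.append((start, ts))
    if len(zones) != 1:
        # Assumption: stamps are only comparable when they share one zone label.
        raise ValueError(f"mixed zone labels {zones}: convert to UTC first")
    return {
        "crl_expired_by": router - crl,   # positive means the CRL has expired
        "certs": [{"valid_now": s <= router <= e, "lifetime_days": (e - s).days}
                  for s, e in certs],
    }

if __name__ == "__main__":
    print(check(SAMPLE))
```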