Hi Everyone,
Thanks for your input. I tried the "lifetime crl time" but that does
not look like it fixes it. Here is my CA config and show output:
R2#show crypto pki server
Certificate Server IOS_CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=IOS_CA
CA cert fingerprint: 27B1F4FA 9FA2623B 2486DB53 472CC3C3
Granting mode is: auto
Last certificate issued serial number: 0x6
CA certificate expiration timer: 05:03:42 EUST Sep 24 2015
<----------- uncool!!!
CRL NextUpdate timer: 12:19:06 EUST Oct 7 2012
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
Auto-Rollover configured, overlap period 30 days
Autorollover timer: 05:03:42 EUST Aug 25 2015
R2#show run | s crypto pki
crypto pki server IOS_CA
database archive pem password 7 070C285F4D06485744
grant auto
lifetime crl 300
cdp-url http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
auto-rollover
crypto pki trustpoint IOS_CA
revocation-check crl
rsakeypair IOS_CA
crypto pki certificate chain IOS_CA
certificate ca 01
308201FB 30820164 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
XXXXXX
268C07A3 A77CAB95 3E19268B 8E8C1D45 3044964C 05952A39 20E8288D C2ABC4
quit
R2#show clock
11:32:52.370 EUST Tue Sep 25 2012
-------------
The certificate expiration timer appears to be the problem here. As
you can see the time expired was yesterday. I can't for the life of me
find how to change this. It would be a one liner in there somewhere
I'm sure?
Cheers,
Matt
CCIE #22386
CCSI #31207
On 24 September 2012 19:43, Kingsley Charles <[email protected]> wrote:
> You need to worry about timezones. Validity check is done based on UTC.
>
> The validity period can't be changed rather change your clock.
>
> With regards
> Kings
> CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>
> On Mon, Sep 24, 2012 at 10:13 AM, Matt Hill <[email protected]> wrote:
>>
>> Hi There,
>>
>> I am doing something wrong here, saying my certificate is invalid, but
>> I'm not sure why...
>>
>>
>> Sep 24 13:36:03.912: %CRYPTO-4-IKMP_NO_SA: IKE message from 8.9.50.6
>> has no SA and is not an initialization offer
>> Sep 24 13:36:04.492: CRYPTO_PKI: New CRL Not Valid - expired (router
>> time not synched to CA?)
>> Sep 24 13:36:04.492: CRL expires: 11:03:44 EUST Sep 24 2012
>> Sep 24 13:36:04.492: Router time: 14:36:04 EUST Sep 24 2012
>> Sep 24 13:36:04.492: %PKI-4-CRLINSERTFAIL: Trustpoint "IOS_CA" unknown
>> (error 1804:E_VALIDITY : validity period start later than end) <---
>> this line caught my attention
>> Sep 24 13:36:04.496: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received
>> from 8.9.50.6 is bad: certificate invalid.
>> Sep 24 13:36:04.496: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main
>> mode failed with peer at 8.9.50.6....
>>
>>
>>
>> R5#show crypto pki certificates
>> Certificate
>> Status: Available
>> Certificate Serial Number: 0x4
>> Certificate Usage: General Purpose
>> Issuer:
>> cn=IOS_CA
>> Subject:
>> Name: R5
>> Serial Number: FHK0953F18R
>> hostname=R5+serialNumber=FHK0953F18R
>> cn=R5.cisco.com
>> ou=CCIE
>> c=PL
>> CRL Distribution Points:
>> http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
>> Validity Date:
>> start date: 13:52:19 EUST Sep 24 2012
>> end date: 13:52:19 EUST Sep 24 2013
>> Associated Trustpoints: IOS_CA
>> Storage: nvram:IOS_CA#4.cer
>>
>> CA Certificate
>> Status: Available
>> Certificate Serial Number: 0x1
>> Certificate Usage: Signature
>> Issuer:
>> cn=IOS_CA
>> Subject:
>> cn=IOS_CA
>> Validity Date:
>> start date: 05:03:42 EUST Sep 24 2012
>> end date: 05:03:42 EUST Sep 24 2015
>> Associated Trustpoints: IOS_CA
>> Storage: nvram:IOS_CA#1CA.cer
>>
>>
>> R5#show clock
>> 14:35:42.983 EUST Mon Sep 24 2012
>>
>> and on my CA:
>>
>> R2#show clock
>> 14:36:24.099 EUST Mon Sep 24 2012
>>
>> So we can see the validity period is outside what the current time is,
>> also the validity period is rather short (i.e. <1 second). I got this
>> to work previously, however I can't easily find anywhere where I can
>> change the validity period.
>>
>> Also, EUST is something I made up. The lab did not tell me what I
>> should call it. Funnily enough, when I used "MATTST" it was working
>> fine. I don't think the timezone name should make any difference
>> whatsoever.
>>
>> Cheers,
>> Matt
>>
>> CCIE #22386
>> CCSI #31207
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>
>
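The two failures in this thread (a CRL that is already past its NextUpdate when the router fetches it, and a certificate whose validity window does not contain the verifying router's clock) are both plain time comparisons done in UTC. The script below is an added example, not code from the thread or from Cisco: it parses the IOS-style "HH:MM:SS ZONE Mon DD YYYY" stamps from the debug lines and the "show crypto pki certificates" output quoted above, converts them to UTC, and reports whether the CRL or certificate would be rejected and by how much the clocks disagree. The zone table is an assumption; "EUST" is a name the original poster invented, so the +3 hour offset given to it here is arbitrary and exists only so the sample lines can be parsed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data, copied from the messages in this thread.
SAMPLE_LOG = """\
Sep 24 13:36:04.492: CRYPTO_PKI: New CRL Not Valid - expired (router time not synched to CA?)
Sep 24 13:36:04.492: CRL expires: 11:03:44 EUST Sep 24 2012
Sep 24 13:36:04.492: Router time: 14:36:04 EUST Sep 24 2012
"""
SAMPLE_CERT = """\
Validity Date:
start date: 13:52:19 EUST Sep 24 2012
end date: 13:52:19 EUST Sep 24 2013
"""

# Assumed zone table. "EUST" is a made-up zone name from the thread; the +3 h
# offset assigned to it here is an assumption made purely for illustration.
ZONE_OFFSETS = {"UTC": 0, "EUST": 3}
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
TS_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2}) (\w+) ([A-Z][a-z]{2}) (\d{1,2}) (\d{4})")


def parse_ios_time(text, zones=ZONE_OFFSETS):
    """Parse an IOS 'HH:MM:SS ZONE Mon DD YYYY' stamp into an aware UTC datetime.

    Validity checks are done in UTC, so the zone name is only used to look up
    an offset; an unknown name is an error rather than silently treated as UTC.
    """
    m = TS_RE.search(text)
    if m is None:
        raise ValueError(f"no IOS timestamp in {text!r}")
    hh, mm, ss, zone, mon, day, year = m.groups()
    if zone not in zones:
        raise ValueError(f"unknown zone name {zone!r}; add its UTC offset to the table")
    local_tz = timezone(timedelta(hours=zones[zone]))
    local = datetime(int(year), MONTHS[mon], int(day),
                     int(hh), int(mm), int(ss), tzinfo=local_tz)
    return local.astimezone(timezone.utc)


def _field(text, label):
    """Return the remainder of the first line that contains `label`."""
    for line in text.splitlines():
        if label in line:
            return line.split(label, 1)[1]
    raise ValueError(f"{label!r} not found")


def check_window(start, end, now):
    """Findings for a validity window [start, end] evaluated at `now` (all UTC)."""
    findings = []
    if start > end:
        findings.append("validity period start later than end")
    if now < start:
        findings.append("not yet valid")
    if now > end:
        findings.append("expired")
    return findings


def check_crl(log_text):
    """Compare the CRL expiry with the router clock taken from CRYPTO_PKI debug lines.

    Returns (findings, skew_seconds), where skew is how far the router clock is
    past the CRL's NextUpdate; a positive value means the CRL looks expired.
    """
    expires = parse_ios_time(_field(log_text, "CRL expires:"))
    router_now = parse_ios_time(_field(log_text, "Router time:"))
    findings = ["CRL expired"] if router_now > expires else []
    return findings, int((router_now - expires).total_seconds())


def check_cert(cert_text, now_text):
    """Evaluate a 'Validity Date' block from 'show crypto pki certificates' at a given clock."""
    start = parse_ios_time(_field(cert_text, "start date:"))
    end = parse_ios_time(_field(cert_text, "end date:"))
    return check_window(start, end, parse_ios_time(now_text))


if __name__ == "__main__":
    print(check_crl(SAMPLE_LOG))                                  # (['CRL expired'], 12740)
    print(check_cert(SAMPLE_CERT, "14:36:04 EUST Sep 24 2012"))   # []
```

Run against the quoted debug lines, the CRL check reports the router clock 3 h 32 min 20 s past the CRL's expiry, while the R5 certificate itself is inside its one-year window at that same clock; that split (CRL bad, certificate fine) is what separates a short CRL lifetime or an unsynchronised CA clock from a genuinely expired certificate. Adding `ntp` output or the CA's own `show clock` as a second "Router time:" sample makes the same function show the skew between the two routers.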