Hi Matt,

Here are the lifetime values that can be changed in IOS CA Server (as I'm
guessing you saw):

crl - specifies how long the certificate revocation list (CRL) will be
valid before needing to generate a new one... default is 5 hrs, I believe
ca-certificate - specifies how long the CA's certificate will be good for
certificate - specifies how long the certificate will be good for on
devices that obtain it from this CA (must be less than the ca-certificate
value)
enrollment-request - doesn't seem applicable since you're using "grant auto"

Which timer are you saying you aren't sure how to configure?  Is it not one
of these timers?

Modifying the CRL lifetime should cause the CA to resend CRL.  Otherwise,
you should be able to get an updated list on your non-CA devices via
"crypto ca crl request" and/or by rebooting them.  You can look at what
CRLs you have via "show crypto ca crls", and you can look at CRL info on
your certificates.  You can specify "revocation-check none" within your
Trustpoints, and your devices won't even check the CRL or CRL information
on peer certificates, but I'm guessing you want to get to the root cause of
your issue and not just "make it work".

Hope this helps.  I'll see if I can get some time on some devices later
tonight and try to recreate what you're seeing.

Jason

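Added example (not code from anyone in this thread): the CRL and certificate checks described above all come down to comparing a validity window against the local clock in UTC, which is exactly what the "CRL expires / Router time" debug lines further down in the thread show failing. The script below parses IOS-style timestamps (the "13:52:19 EUST Sep 24 2012" form from show crypto pki certificates and the "14:35:42.983 EUST Mon Sep 24 2012" form from show clock), normalises them to UTC, classifies a validity window the way a PKI client would, and pulls the CRL-expiry/router-time pair out of debug output to report the skew. The ZONE_OFFSETS map, the +2 offset assigned to the made-up "EUST" zone, and the function names are assumptions made for the example; the sample log lines are a constructed copy of the ones quoted in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed mapping of IOS "clock timezone" names to UTC offsets in hours.
# "EUST" is the zone name the poster made up, so the +2 here is an
# illustrative guess; a real check would take the offset from the router.
ZONE_OFFSETS = {"UTC": 0, "EUST": 2}

# IOS validity and clock timestamps look like "13:52:19 EUST Sep 24 2012"
# or, from "show clock", "14:35:42.983 EUST Mon Sep 24 2012".
_IOS_TIME = re.compile(
    r"(\d{2}:\d{2}:\d{2})(?:\.\d+)? (\w+) (?:\w{3} )?(\w{3}) (\d{1,2}) (\d{4})"
)


def parse_ios_time(text, zone_offsets=ZONE_OFFSETS):
    """Turn an IOS timestamp into a timezone-aware datetime normalised to UTC.

    Validity comparisons happen in UTC; the zone name only serves to translate
    the router's displayed local time into an absolute instant.
    """
    m = _IOS_TIME.search(text)
    if not m:
        raise ValueError("no IOS timestamp found in %r" % text)
    hms, zone, mon, day, year = m.groups()
    if zone not in zone_offsets:
        raise ValueError("timezone name %r has no known UTC offset" % zone)
    local = datetime.strptime("%s %s %02d %s" % (hms, mon, int(day), year),
                              "%H:%M:%S %b %d %Y")
    tz = timezone(timedelta(hours=zone_offsets[zone]))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def check_validity(start, end, now):
    """Classify a certificate or CRL validity window as a PKI client would."""
    if start > end:
        return "start-after-end"      # the E_VALIDITY case seen in the log
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "expired"
    return "valid"


_CRL_EXPIRES = re.compile(r"CRL expires:\s*(.+)$")
_ROUTER_TIME = re.compile(r"Router time:\s*(.+)$")


def diagnose_crl_log(lines, zone_offsets=ZONE_OFFSETS):
    """Read the 'CRL expires' / 'Router time' pair from IOS PKI debug output
    and report how far the router clock is past the CRL's NextUpdate."""
    expires = router_time = None
    for line in lines:
        m = _CRL_EXPIRES.search(line)
        if m:
            expires = parse_ios_time(m.group(1), zone_offsets)
        m = _ROUTER_TIME.search(line)
        if m:
            router_time = parse_ios_time(m.group(1), zone_offsets)
    if expires is None or router_time is None:
        return {"status": "incomplete", "delta_seconds": None}
    delta = router_time - expires       # positive means the CRL is stale
    return {"status": "expired" if delta > timedelta(0) else "valid",
            "delta_seconds": int(delta.total_seconds())}


if __name__ == "__main__":
    # Constructed sample: a copy of the debug lines quoted in this thread.
    sample_log = [
        "Sep 24 13:36:04.492: CRYPTO_PKI: New CRL Not Valid - expired "
        "(router time not synched to CA?)",
        "Sep 24 13:36:04.492:  CRL expires: 11:03:44 EUST Sep 24 2012",
        "Sep 24 13:36:04.492:  Router time: 14:36:04 EUST Sep 24 2012",
    ]
    print("CRL check:", diagnose_crl_log(sample_log))
    start = parse_ios_time("13:52:19 EUST Sep 24 2012")
    end = parse_ios_time("13:52:19 EUST Sep 24 2013")
    now = parse_ios_time("14:35:42.983 EUST Mon Sep 24 2012")
    print("R5 identity certificate:", check_validity(start, end, now))
```

Run against the quoted lines it reports the CRL as expired by 12740 seconds (the 3h32m gap between 11:03:44 and 14:36:04) while the R5 identity certificate itself is within its one-year window, which separates "CRL stale" from "certificate invalid" before anyone touches revocation-check. Parsing the same timestamp with a different offset for the zone name also makes Kingsley's point concrete: two devices that display the same local time but interpret the zone differently disagree on the UTC instant being compared.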

On Mon, Sep 24, 2012 at 7:37 PM, Matt Hill <[email protected]> wrote:

> HI Everyone,
>
> Thanks for your input.  I tried the "lifetime crl time" but that does
> not look like it fixes it.  Here is my CA config and show output:
>
> R2#show crypto pki server
> Certificate Server IOS_CA:
>     Status: enabled
>     State: enabled
>     Server's configuration is locked  (enter "shut" to unlock it)
>     Issuer name: CN=IOS_CA
>     CA cert fingerprint: 27B1F4FA 9FA2623B 2486DB53 472CC3C3
>     Granting mode is: auto
>     Last certificate issued serial number: 0x6
>     CA certificate expiration timer: 05:03:42 EUST Sep 24 2015
>      <----------- uncool!!!
>     CRL NextUpdate timer: 12:19:06 EUST Oct 7 2012
>     Current primary storage dir: nvram:
>     Database Level: Minimum - no cert data written to storage
>     Auto-Rollover configured, overlap period 30 days
>     Autorollover timer: 05:03:42 EUST Aug 25 2015
> R2#show run | s crypto pki
> crypto pki server IOS_CA
>  database archive pem password 7 070C285F4D06485744
>  grant auto
>  lifetime crl 300
>  cdp-url http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
>  auto-rollover
> crypto pki trustpoint IOS_CA
>  revocation-check crl
>  rsakeypair IOS_CA
> crypto pki certificate chain IOS_CA
>  certificate ca 01
>   308201FB 30820164 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>  XXXXXX
>   268C07A3 A77CAB95 3E19268B 8E8C1D45 3044964C 05952A39 20E8288D C2ABC4
>         quit
> R2#show clock
> 11:32:52.370 EUST Tue Sep 25 2012
>
> -------------
>
> The certificate expiration timer appears to be the problem here.  As
> you can see the time expired was yesterday.  I can't for the life of me
> find how to change this.  It would be a one liner in there somewhere
> I'm sure?
>
> Cheers,
> Matt
>
> CCIE #22386
> CCSI #31207
>
>
> On 24 September 2012 19:43, Kingsley Charles <[email protected]>
> wrote:
> > You need to worry about timezones. Validity check is done based on UTC.
> >
> > The validity period can't be changed rather change your clock.
> >
> > With regards
> > Kings
> > CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
> >
> > On Mon, Sep 24, 2012 at 10:13 AM, Matt Hill <[email protected]> wrote:
> >>
> >> Hi There,
> >>
> >> I am doing something wrong here, saying my certificate is invalid, but
> >> I'm not sure why...
> >>
> >>
> >> Sep 24 13:36:03.912: %CRYPTO-4-IKMP_NO_SA: IKE message from 8.9.50.6
> >> has no SA and is not an initialization offer
> >> Sep 24 13:36:04.492: CRYPTO_PKI: New CRL Not Valid - expired (router
> >> time not synched to CA?)
> >> Sep 24 13:36:04.492:  CRL expires: 11:03:44 EUST Sep 24 2012
> >> Sep 24 13:36:04.492:  Router time: 14:36:04 EUST Sep 24 2012
> >> Sep 24 13:36:04.492: %PKI-4-CRLINSERTFAIL: Trustpoint "IOS_CA" unknown
> >> (error 1804:E_VALIDITY : validity period start later than end)  <---
> >> this line caught my attention
> >> Sep 24 13:36:04.496: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received
> >> from 8.9.50.6 is bad: certificate invalid.
> >> Sep 24 13:36:04.496: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main
> >> mode failed with peer at 8.9.50.6....
> >>
> >>
> >>
> >> R5#show crypto pki certificates
> >> Certificate
> >>   Status: Available
> >>   Certificate Serial Number: 0x4
> >>   Certificate Usage: General Purpose
> >>   Issuer:
> >>     cn=IOS_CA
> >>   Subject:
> >>     Name: R5
> >>     Serial Number: FHK0953F18R
> >>     hostname=R5+serialNumber=FHK0953F18R
> >>     cn=R5.cisco.com
> >>     ou=CCIE
> >>     c=PL
> >>   CRL Distribution Points:
> >>     http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
> >>   Validity Date:
> >>     start date: 13:52:19 EUST Sep 24 2012
> >>     end   date: 13:52:19 EUST Sep 24 2013
> >>   Associated Trustpoints: IOS_CA
> >>   Storage: nvram:IOS_CA#4.cer
> >>
> >> CA Certificate
> >>   Status: Available
> >>   Certificate Serial Number: 0x1
> >>   Certificate Usage: Signature
> >>   Issuer:
> >>     cn=IOS_CA
> >>   Subject:
> >>     cn=IOS_CA
> >>   Validity Date:
> >>     start date: 05:03:42 EUST Sep 24 2012
> >>     end   date: 05:03:42 EUST Sep 24 2015
> >>   Associated Trustpoints: IOS_CA
> >>   Storage: nvram:IOS_CA#1CA.cer
> >>
> >>
> >> R5#show clock
> >> 14:35:42.983 EUST Mon Sep 24 2012
> >>
> >> and on my CA:
> >>
> >> R2#show clock
> >> 14:36:24.099 EUST Mon Sep 24 2012
> >>
> >> So we can see the validity period is outside what the current time is,
> >> also the validity period is rather short (i.e. <1 second).  I got this
> >> to work previously, however I can't easily find anywhere where I can
> >> change the validity period.
> >>
> >> Also, EUST is something I made up.  The lab did not tell me what I
> >> should call it.  Funnily enough, when I used "MATTST" it was working
> >> fine.  I don't think the timezone name should make any difference
> >> whatsoever.
> >>
> >> Cheers,
> >> Matt
> >>
> >> CCIE #22386
> >> CCSI #31207
> >> _______________________________________________
> >> For more information regarding industry leading CCIE Lab training, please
> >> visit www.ipexpert.com
> >>
> >> Are you a CCNP or CCIE and looking for a job? Check out
> >> www.PlatinumPlacement.com
> >
> >