All Digital Certificates have a built in expiration time in the
certificate that is assigned by the issuing Certificate Authority (CA) server
during enrollment. When a Digital Certificate is used for VPN IPSec
authentication of ISAKMP, there is an automatic check of the communicating
device's certificate expiration time and the system time on the device (VPN
endpoint). This ensures that a certificate used is valid and has not expired.
It is also why you must set the internal clock on each VPN
endpoint (router). If Network Time Protocol (NTP) (or Simple Network Time
Protocol [SNTP]) is not possible on the VPN crypto routers, then use the manual
set clock command.
There are no specific requirements for this document.
The information in this document is based on all routers that run the
cXXXX-advsecurityk9-mz.123-5.9.T image for that respective platform .
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
For more information on document conventions, refer to the
Technical Tips Conventions.
A certificate is expired (invalid) if the system time is after the
certificate expiration time or before the issued time of the certificate.
A certificate is not expired (valid) if the system time is at or
between the certificate's issued time and the certificate's expired time.
The purpose of the Auto-enroll feature is to provide the CA
administrator with a mechanism to allow a currently enrolled router to
automatically re-enroll with its CA server on a configured percent of the
lifetime of the router certificate. This is an important feature for the
manageability / supportability of the certificates as a control mechanism. If
you used a particular CA to issue certificates to potentially thousands of
branch VPN routers with a one year lifetime (without Auto-enroll), then in
exactly one year of the issued time, all of the certificates expire and all of
the branches lose connectivity through IPSec. Alternatively, if the Auto-enroll
feature is set to "auto-enroll 70", as in this example, then in 70% of the
lifetime of the issued certificate (1 year), each router automatically issues a
new enrollment request to the Cisco IOS® CA server listed in the trustpoint.
Note: One exception to the Auto-enroll feature is that if it is set to
less than or equal to 10, then it is in minutes. If it is
greater than 10, then it is a percentage of the
There are some caveats the Cisco IOS CA administrator needs to be aware
of with Auto-enroll. The administrator needs to execute these actions for the
re-enrollment to be successful:
Manually grant or reject each re-enrollment request on the Cisco IOS
CA server (unless "grant auto" is used on the Cisco IOS CA server).
Save the new re-enrolled certificate in the re-enrolling VPN router,
If there are no unsaved configuration changes pending in the
router, then the new certificate is automatically saved to the Non-Volatile RAM
(NVRAM). The new certificate is written in the NVRAM and the previous
certificate is removed.
If there are unsaved configuration changes pending, then you must
issue the copy run start command on the enrolling
router in order to save the configuration changes and the new re-enrolled
certificate into the NVRAM. Once the copy run start
command is completed, then the new certificate is written in the NVRAM and the
previous certificate is removed.
Note: When a new re-enrollment is successful, that does
not revoke the previous certificate for that enrolled
device on the CA server. When VPN devices communicate, they send each other the
Certificate Serial number (a unique number).
Note: For example, if you are at 70% of the certificate's lifetime and
a VPN branch was to re-enroll with the CA, that CA has two certificates for
that hostname. However, the enrolling router only has one (the newer one). If
you choose to, you can administratively revoke the old certificate, or allow it
to expire normally.
Note: The newer code versions of the Auto-enroll feature have an option
to "regenerate" the key-pairs used for enrollment.
This option is "not default" to regenerate key-pairs.
If this option was chosen, be aware of Cisco bug ID CSCea90136.
This bug fix allows for the new key-pair to be put in temporary files while the
new certificate enrollment takes place over an existing IPSec tunnel (that is
using the old key-pair).
Auto-enroll has the option to generate new keys at
certification renewal time. Currently this causes a loss of service during the
time it takes to obtain a new certificate. This is because there is a new key
but no certificate that matches it.
This featurette retains the old key and certificate until the
new certificate is available.
Automatic key generation is also implemented for manual
enrollment. Keys are generated (as needed) for automatic or manual enrollment.
Version found - 12.3PIH03
Version to be fixed in - 12.3T
Version applied to - 12.3PI03
Integrated in - None
For additional information, contact