
ios cert auto-enroll

trackittrackit Member Posts: 224
Hey!

I have a tunnel, and the certificate on the branch is set to auto-enroll {percent} regenerate.

It seems to attempt the auto-enrollment for a new cert, but if I don't accept the request the tunnel shuts down, even though the old cert is still valid (it has not yet expired). Is this normal behaviour, and how can I avoid it?

thanks

Comments

    trackittrackit Member Posts: 224
    I think I found it :)
    Note: The newer code versions of the Auto-enroll feature have an option to "regenerate" the key-pairs used for enrollment.

    * This option is "not default" to regenerate key-pairs.
    * If this option was chosen, be aware of Cisco bug ID CSCea90136. This bug fix allows for the new key-pair to be put in temporary files while the new certificate enrollment takes place over an existing IPSec tunnel (that is using the old key-pair).

    Auto-enroll has the option to generate new keys at certification renewal time. Currently this causes a loss of service during the time it takes to obtain a new certificate. This is because there is a new key but no certificate that matches it.

    This featurette retains the old key and certificate until the new certificate is available.

    Automatic key generation is also implemented for manual enrollment. Keys are generated (as needed) for automatic or manual enrollment.
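The two trustpoint variants the thread is comparing, as an added configuration example that is not from the original poster or from Cisco's documentation. The trustpoint name BRANCH-CA, key label BRANCH-KEY, the CA URL, the subject name and the 70 percent renewal threshold are assumptions chosen for illustration; the commands themselves are standard IOS PKI commands.

```text
! Added example (not from the original thread). Names, the CA URL and the
! 70% threshold are assumptions for illustration.
!
! Global configuration mode: key pair and trustpoint.
crypto key generate rsa label BRANCH-KEY modulus 2048
!
crypto pki trustpoint BRANCH-CA
 enrollment url http://ca.example.net:80
 subject-name CN=branch1.example.net
 rsakeypair BRANCH-KEY
 ! Renew when 70% of the certificate lifetime has elapsed, re-using
 ! BRANCH-KEY. The old key and certificate stay active, so an IPsec
 ! tunnel authenticated with this trustpoint keeps running while the
 ! request waits for the CA administrator to grant it.
 auto-enroll 70
 !
 ! Variant from the thread: also generate a fresh key pair at renewal.
 ! On images without the fix for CSCea90136 the new key replaces the
 ! old one as soon as it is generated, so until the CA grants the
 ! request there is no certificate matching the active key and the
 ! tunnel drops. Enable it only on fixed code (where the new pair is
 ! held aside until its certificate arrives) or where the CA grants
 ! requests automatically.
 ! auto-enroll 70 regenerate
!
! Privileged EXEC mode: initial CA authentication and enrollment.
crypto pki authenticate BRANCH-CA
crypto pki enroll BRANCH-CA
!
! Checks a practitioner would run before and after a renewal:
! which certificate and key the trustpoint currently holds, and when
! the auto-enroll timer will next fire.
show crypto pki certificates BRANCH-CA
show crypto key mypubkey rsa BRANCH-KEY
show crypto pki timers
```

Use the `show` commands while a renewal request is pending at the CA: if the router still reports the old certificate together with the key it was issued for, the tunnel has nothing to lose; if the key shown no longer matches the certificate, the router is on code that swaps the key before the new certificate exists, and the outage the original poster saw is expected until the CA grants the request.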