[Pki-users] Router identity certificate auto-renewal questions

Emily Stemmerich Emily at arcananet.com
Wed Apr 8 21:38:38 UTC 2015


Hi,

I was referred to this email list by alee on the #dogtag-pki IRC channel to get some help on automatic certificate renewals. We are trying to get Dogtag 10.2.1 set up to be a certificate authority for Cisco routers’ identity certificates. For the first step, I have things working to get a certificate using the caRouterCert.cfg profile with a one-time password in flatfile.txt. For the second step, I’m trying to get auto-renewal of the identity certificates working. Here is where I stand:

1. For testing, I have set the validity to 1 day so that the renewal attempt happens the next day… I don’t see a way of making it any shorter to expedite testing.

2. I have added “renewal=true” to caRouterCert.cfg, hoping that it will enable auto-renewal. I’m not sure whether using the same profile would require a “one-time” password to be in flatfile.txt again (which isn’t practical). If I need a different profile for the renewal, I’m not clear on how to add it and then use it for the renewal.

3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the profile, just for testing purposes.

4. I have confirmed on the router that the expiration is as expected (24 hrs), and it shows a date/time at which it will attempt to renew automatically (the link below discusses cert renewal from the perspective of IOS).
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116094-maintain-ios-pki.html#anc8

5. When the renewal time comes on the router, I see lots of activity in the Dogtag debug log, but I am unsure what to look for to troubleshoot why it is failing.

Please advise on what to change and/or look for. I can also send logs and/or config files if that would help.

Best Regards,
-Emily
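The grace-window settings from step 3 (renewal.graceBefore=10, renewal.graceAfter=1) against the 1-day test validity, worked through as an added example that is not part of the original post or of Dogtag's own code. It assumes the two grace values are counted in days and bound a window around the certificate's notAfter, and it shows that a graceBefore larger than the validity period leaves the renewal window open from the moment of issuance.

```python
from datetime import datetime, timedelta, timezone

# Assumed model of Dogtag's renewal grace period (illustration, not Dogtag code):
# a renewal request is accepted only while "now" lies inside
# [notAfter - renewal.graceBefore days, notAfter + renewal.graceAfter days].

def renewal_window(not_after, grace_before_days, grace_after_days):
    """Return (opens_at, closes_at) for a certificate expiring at not_after."""
    return (not_after - timedelta(days=grace_before_days),
            not_after + timedelta(days=grace_after_days))

def renewal_allowed(now, not_after, grace_before_days, grace_after_days):
    """True if a renewal request made at `now` falls inside the grace window."""
    opens_at, closes_at = renewal_window(not_after, grace_before_days, grace_after_days)
    return opens_at <= now <= closes_at

def window_open_at_issuance(not_before, not_after, grace_before_days):
    """True when graceBefore reaches back past notBefore, i.e. the profile
    would accept a renewal from the moment the certificate is issued."""
    opens_at, _ = renewal_window(not_after, grace_before_days, 0)
    return opens_at <= not_before

# Constructed sample mirroring the post: 1-day validity, graceBefore=10, graceAfter=1.
ISSUED = datetime(2015, 4, 8, 21, 0, tzinfo=timezone.utc)
EXPIRES = ISSUED + timedelta(days=1)
GRACE_BEFORE, GRACE_AFTER = 10, 1

def post_scenario():
    """Evaluate the post's settings; returns
    (open_at_issuance, allowed_at_expiry, allowed_two_days_late)."""
    return (window_open_at_issuance(ISSUED, EXPIRES, GRACE_BEFORE),
            renewal_allowed(EXPIRES, EXPIRES, GRACE_BEFORE, GRACE_AFTER),
            renewal_allowed(EXPIRES + timedelta(days=2), EXPIRES, GRACE_BEFORE, GRACE_AFTER))

if __name__ == "__main__":
    opens_at, closes_at = renewal_window(EXPIRES, GRACE_BEFORE, GRACE_AFTER)
    print("renewal window:", opens_at, "->", closes_at)
    print("open at issuance, allowed at expiry, allowed 2 days late:", post_scenario())
```

With these test values the window opens nine days before the certificate even exists, so a renewal submitted at any point during the 1-day validity, or up to one day after expiry, passes this constraint; a request two days after expiry does not.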

