Certificate renewal – how was it after years?

Posted on April 18, 2012


Strictly speaking you cannot renew an existing certificate on the ASA, but you can generate a new one with the same subject and the same mandatory fields.
To do that you have to generate a new certificate request within a new trustpoint, not within the old one.
The issuer of the previous certificate signs the new request and should revoke the old certificate once you have installed the new one.
I am not sure what a VPN client checks in the certificate, but I copy the config from the old trustpoint to the new one. I would test what happens if we choose another CN, another fqdn or another keypair.
How the VPN client would react if we change something in the new certificate is another story for another free time.
I did this with version 8.4 and documented it; I hope it will not change much after a couple of years.

Let's say we have the following trustpoint:

crypto ca trustpoint mytrustpoint
enrollment terminal
subject-name CN=myfirewall.mycompany.com
keypair myrsakey
crl configure

The certificate is about to expire (at the time of writing it has in fact already expired, but the renewal was done before that).
The validity dates are shown in the output:

myfirewall# sh crypto ca certificates mytrustpoint
  Status: Available
  Certificate Serial Number: 8222f133000000000005
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
  Subject Name:
  CRL Distribution Points:
    [1]  http://myw2k3-srv/CertEnroll/MYCOMPANY%20MS%20ROOT%20CA.crl
    [2]  file://\\myw2k3-srv\CertEnroll\MYCOMPANY MS ROOT CA.crl
  Validity Date:
    start date: 22:11:14 GMT Oct 13 2010
    end   date: 22:21:14 GMT Oct 13 2011
  Associated Trustpoints: mytrustpoint
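To catch this situation before it turns into an outage, the validity lines in the output above can be parsed and turned into a "days left" figure. The following Python script is an added example, not code from the original post or from Cisco: it assumes the `show crypto ca certificates` text has already been fetched into a string (here a constructed sample modelled on the output above), a 90-day renewal lead time, and a 2048-bit RSA policy minimum; those thresholds are assumptions, not ASA defaults.

```python
"""Parse Cisco ASA 'show crypto ca certificates' output and report expiry.

Added example (not from the original post): reads the text the ASA prints,
extracts each certificate's validity window, key size and signature
algorithm, and says how many days remain so a renewal can be scheduled
before the end date.
"""
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the output shown in the post (one certificate).
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number: 8222f133000000000005
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
  Subject Name:
  CRL Distribution Points:
    [1]  http://myw2k3-srv/CertEnroll/MYCOMPANY%20MS%20ROOT%20CA.crl
  Validity Date:
    start date: 22:11:14 GMT Oct 13 2010
    end   date: 22:21:14 GMT Oct 13 2011
  Associated Trustpoints: mytrustpoint
"""

WARN_DAYS = 90                        # assumed renewal lead time (policy choice)
MIN_RSA_BITS = 2048                   # assumed policy minimum for RSA keys
ASA_DATE = "%H:%M:%S GMT %b %d %Y"    # ASA prints e.g. "22:11:14 GMT Oct 13 2010"


def utc(year, month, day):
    """Helper: midnight UTC for a given calendar date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_asa_date(text):
    """Convert the ASA date format into a timezone-aware datetime (GMT == UTC)."""
    return datetime.strptime(text.strip(), ASA_DATE).replace(tzinfo=timezone.utc)


def parse_asa_certs(text):
    """Return one dict per certificate block; a block starts at its 'Status:' line."""
    certs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Status:"):
            cur = {"status": s.split(":", 1)[1].strip()}
            certs.append(cur)
        if cur is None:
            continue
        if m := re.match(r"Certificate Serial Number:\s*(\S+)", s):
            cur["serial"] = m.group(1)
        elif m := re.match(r"Public Key Type:\s*(\w+)\s*\((\d+) bits\)", s):
            cur["key_type"], cur["key_bits"] = m.group(1), int(m.group(2))
        elif m := re.match(r"Signature Algorithm:\s*(.+)", s):
            cur["sig_alg"] = m.group(1)
        elif m := re.match(r"start date:\s*(.+)", s):
            cur["not_before"] = parse_asa_date(m.group(1))
        elif m := re.match(r"end\s+date:\s*(.+)", s):   # ASA pads "end   date"
            cur["not_after"] = parse_asa_date(m.group(1))
        elif m := re.match(r"Associated Trustpoints:\s*(.+)", s):
            cur["trustpoints"] = m.group(1).split()
    return certs


def assess(cert, now):
    """Classify a parsed certificate as expired / expiring / ok and add policy notes."""
    days_left = (cert["not_after"] - now).days
    if days_left < 0:
        state = "expired"
    elif days_left <= WARN_DAYS:
        state = "expiring"
    else:
        state = "ok"
    notes = []
    if cert.get("key_type") == "RSA" and cert.get("key_bits", 0) < MIN_RSA_BITS:
        notes.append(f"RSA key of {cert['key_bits']} bits is below the assumed "
                     f"policy minimum of {MIN_RSA_BITS}; use a new keypair at renewal")
    if cert.get("sig_alg", "").upper().startswith("SHA1"):
        notes.append("SHA1 signature; ask the CA for a SHA-2 signed certificate at renewal")
    return {"trustpoints": cert.get("trustpoints", []), "serial": cert.get("serial"),
            "state": state, "days_left": days_left, "notes": notes}


def report(text, now=None):
    """Parse the show output and assess every certificate against 'now' (UTC)."""
    now = now or datetime.now(timezone.utc)
    return [assess(c, now) for c in parse_asa_certs(text)]


if __name__ == "__main__":
    for r in report(SAMPLE_OUTPUT):
        print(f"{','.join(r['trustpoints'])}: {r['state']} "
              f"({r['days_left']} days left), serial {r['serial']}")
        for note in r["notes"]:
            print("  -", note)
```

Run against the sample it reports the certificate as expired and flags the 1024-bit RSA key and SHA1 signature; fed the output of a live `show crypto ca certificates` (for example from a scheduled SSH collection), the same function gives the lead time for every trustpoint on the box, including the CA certificate blocks, which appear in the same format.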

To create a new certificate with the same CN and the same key we have to create a new trustpoint.
It can have the same name with a running number at the end. I have tested it and added a new field to the CSR;
in this example it is the IP address.

myfirewall(config)# crypto ca trustpoint mytrustpoint2
myfirewall(config-ca-trustpoint)# enrollment terminal
myfirewall(config-ca-trustpoint)# fqdn
myfirewall(config-ca-trustpoint)# subject-name CN=myfirewall.mycompany.com
myfirewall(config-ca-trustpoint)# serial-number
myfirewall(config-ca-trustpoint)# ip-address
myfirewall(config-ca-trustpoint)# keypair myrsakey
myfirewall(config-ca-trustpoint)# no client-types
myfirewall(config-ca-trustpoint)# crl configure
myfirewall(config-ca-trustpoint)# exit
myfirewall(config)# crypto ca enroll mytrustpoint2

After the CA has signed the CSR and returned the certificate, we can import it into the new trustpoint (together with the CA certificate):

myfirewall# conf t
myfirewall(config)# crypto ca authenticate mytrustpoint2
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself

myfirewall(config)# crypto ca import mytrustpoint2 certificate

% The fully-qualified domain name in the certificate will be: myfirewall.mycompany.com

Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

Once the new certificate is installed, we can switch the tunnel-group from the old trustpoint to the new one. Before the change the tunnel-group referenced the old trustpoint:

myfirewall(config)# tunnel-group ms_cert ipsec-attributes
myfirewall(config-tunnel-ipsec)# ikev1 trust-point mytrustpoint

I have updated the tunnel-group config:

myfirewall(config)# tunnel-group ms_cert ipsec-attributes
myfirewall(config-tunnel-ipsec)# ikev1 trust-point mytrustpoint2

That was it, but after that I would not delete the old trustpoint. Actually I have deleted it and got the following message:

myfirewall01/act/pri(config)# no crypto ca trustpoint mytrustpoint
WARNING: Removing an enrolled trustpoint will destroy all certificates received from the related Certificate Authority.Are you sure you want to do this? [yes/no]: yes
INFO: Be sure to ask the CA administrator to revoke your certificates.

If that is true, this deletes all certificates received from that CA, the new one as well as the old one.
Keep in mind that “a trustpoint is a representation of a CA or identity pair” (and not a certificate, as I thought earlier).

Posted in: ASA, Cisco, Security, VPN