Actually you cannot renew an existing certificate, but you can generate a new one with the same subject and the same mandatory fields.
To do that you generate a new certificate request from a new trustpoint, not from the old one.
The issuer of the previous certificate signs the new request, and should revoke the old certificate once you have installed the new one.
I am not sure what a VPN client checks in the certificate, but I copy the config from the old trustpoint to the new one. I would test what happens if we choose another CN, another fqdn or another keypair.
How would the VPN client react if we change something in the new certificate? But this is another story for another free time.
I did it with version 8.4 and documented it; I hope it will not change much after a couple of years.
Let's say we have the following trustpoint:
crypto ca trustpoint mytrustpoint
 enrollment terminal
 fqdn 3.3.3.30
 subject-name CN=myfirewall.mycompany.com
 serial-number
 keypair myrsakey
 crl configure
The certificate is about to expire (actually it has already expired, but the renewal was done before that).
You can see the validity dates in the output:
myfirewall# sh crypto ca certificates mytrustpoint
Certificate
  Status: Available
  Certificate Serial Number: 8222f133000000000005
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=MYCOMPANY MS ROOT CA
    dc=Mycompany
    dc=com
  Subject Name:
    cn=myfirewall.mycompany.com
  CRL Distribution Points:
    [1]  http://myw2k3-srv/CertEnroll/MYCOMPANY%20MS%20ROOT%20CA.crl
    [2]  file://\\myw2k3-srv\CertEnroll\MYCOMPANY MS ROOT CA.crl
  Validity Date:
    start date: 22:11:14 GMT Oct 13 2010
    end   date: 22:21:14 GMT Oct 13 2011
  Associated Trustpoints: mytrustpoint
To create a new certificate with the same CN and key we have to create a new trustpoint.
This can have the same name with a running number at the end. I have tested it and added a new field to the CSR; in the example this is the IP address.
myfirewall(config)# crypto ca trustpoint mytrustpoint2
myfirewall(config-ca-trustpoint)# enrollment terminal
myfirewall(config-ca-trustpoint)# fqdn 3.3.3.30
myfirewall(config-ca-trustpoint)# subject-name CN=myfirewall.mycompany.com
myfirewall(config-ca-trustpoint)# serial-number
myfirewall(config-ca-trustpoint)# ip-address 3.3.3.30
myfirewall(config-ca-trustpoint)# keypair myrsakey
myfirewall(config-ca-trustpoint)# no client-types
myfirewall(config-ca-trustpoint)# crl configure
myfirewall(config-ca-trustpoint)# exit
myfirewall(config)# crypto ca enroll mytrustpoint2
After the CA has signed the CSR and returned the certificate, we can import it into the new trustpoint (together with the CA certificate):
myfirewall# conf t
myfirewall(config)# crypto ca authenticate mytrustpoint2

Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
quit

myfirewall(config)# crypto ca import mytrustpoint2 certificate

% The fully-qualified domain name in the certificate will be: myfirewall.mycompany.com

Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
quit

myfirewall(config)#
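As an added example (not from the original post): a small Python parser for the "show crypto ca certificates" output shown above, which reports how many days remain before the validity end date and checks that the renewed certificate keeps the same subject and key type as the old one while being a distinct certificate. It assumes the ASA's GMT timestamps are UTC, abbreviates the sample output, and uses a constructed, hypothetical serial number for the renewed certificate.

```python
from datetime import datetime, timezone
# Constructed sample: the expiring certificate as the ASA prints it (status, usage, signature and CRL lines omitted)
OLD_CERT = """Certificate
  Certificate Serial Number: 8222f133000000000005
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=MYCOMPANY MS ROOT CA
  Subject Name:
    cn=myfirewall.mycompany.com
  Validity Date:
    start date: 22:11:14 GMT Oct 13 2010
    end   date: 22:21:14 GMT Oct 13 2011
  Associated Trustpoints: mytrustpoint
"""
# Constructed renewed certificate: same subject and key, hypothetical new serial, valid one year later
NEW_CERT = (OLD_CERT.replace("8222f133000000000005", "8222f13300000000000a")
            .replace("Oct 13 2011", "Oct 13 2012").replace("Oct 13 2010", "Oct 13 2011")
            .replace("Trustpoints: mytrustpoint", "Trustpoints: mytrustpoint2"))
def parse_date(value):  # e.g. '22:21:14 GMT Oct 13 2011', treated as UTC
    return datetime.strptime(value, "%H:%M:%S %Z %b %d %Y").replace(tzinfo=timezone.utc)

def parse_cert(text):
    """Pull serial, key type, issuer/subject RDNs, validity and trustpoint out of one entry."""
    cert, section = {"subject": [], "issuer": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Subject Name:", "Issuer Name:"):
            section = line.split()[0].lower()        # collect the RDN lines that follow
            continue
        if section and "=" in line and ":" not in line:
            cert[section].append(line)
            continue
        section = None
        key, _, val = line.partition(":")
        key, val = " ".join(key.split()), val.strip()  # 'end   date' -> 'end date'
        if key == "Certificate Serial Number": cert["serial"] = val
        elif key == "Public Key Type": cert["key"] = val
        elif key == "start date": cert["not_before"] = parse_date(val)
        elif key == "end date": cert["not_after"] = parse_date(val)
        elif key == "Associated Trustpoints": cert["trustpoint"] = val
    return cert

def days_until_expiry(cert, now):
    """Negative when the certificate has already expired at the given time."""
    return (cert["not_after"] - now).days

def same_identity(old, new):
    """True when the new cert keeps the subject and key type peers expect but is a different cert."""
    return (old["subject"], old["key"]) == (new["subject"], new["key"]) and old["serial"] != new["serial"]
```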
Once the new certificate is installed, we can switch the tunnel-group to the new trustpoint. I have updated the tunnel-group config
FROM:
myfirewall(config)# tunnel-group ms_cert ipsec-attributes
myfirewall(config-tunnel-ipsec)# ikev1 trust-point mytrustpoint
TO:
myfirewall(config)# tunnel-group ms_cert ipsec-attributes
myfirewall(config-tunnel-ipsec)# ikev1 trust-point mytrustpoint2
That was it. After that, however, I would not delete the old trustpoint. Actually I did delete it and got the following message:
myfirewall01/act/pri(config)# no crypto ca trustpoint mytrustpoint
WARNING: Removing an enrolled trustpoint will destroy all certificates received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
INFO: Be sure to ask the CA administrator to revoke your certificates.
If this warning is accurate, removing the trustpoint deletes all certificates received from that CA, the new one as well as the old one.
Keep in mind, “a trustpoint is a representation of a CA or identity pair” (and not a certificate, as I thought earlier).
Posted on April 18, 2012