GETVPN with certificates

Hi. I have this topology:

first KS: router 9

2nd KS: router 4

root CA: router 8

GMs: routers 1,2,3


I have configured R8 as the root CA and created trustpoints on all of the other routers, then authenticated and enrolled them to that root CA, so I can see the respective certificates issued by R8 on the routers. On R9 (my first KS) I created an RSA key named "R9KEY" for this purpose.

During the GETVPN configuration phase, I created another RSA key named "R9KEYEXP" on R9 for GETVPN signing purposes and used this key with the "rekey authentication mypubkey rsa R9KEYEXP" command. The problem is that no GM has registered on the KS, and I repeatedly get these messages on R9 (R9TRUST is the name of the trustpoint that was created for the initial registration of the GMs to the KS):

Apr  4 17:50:46.634: %PKI-4-CRLINSERTFAIL: Trustpoint "R9TRUST" unknown (error 1804:E_VALIDITY : validity period start later than end)

Apr  4 17:50:46.635: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.

Apr  4 17:50:46.650: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 100.1.19.1 is bad: certificate invalid

Comments

  • You need NTP to fix that; basically the router fails to validate
    the certificates of the GMs, because its local time is outside
    the validity window that is embedded in the certificate.

    On Apr 4, 2016, at 16:02, timaz <[email protected]> wrote:
  • timaz

    Hi Cristian.

    I had checked the message and configured NTP after noticing it, but after NTP synchronization completed, the situation stayed the same for a few hours. Then, after a few hours, suddenly all of the links came up. I had manually disabled/enabled interfaces on the GMs a few times to trigger the registration process, but was unsuccessful. What could be the reason behind this delay?

    And one more thing: as I said, because the GMs did not register themselves on the KS even after NTP got synchronized, I created another trustpoint on R9 (my first KS) named R9TRUST2 for the "R9KEYEXP" key (the key for the GETVPN sync and signing process) and authenticated/enrolled it to my CA server too. Was it necessary or not?
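The check the reply above describes, reduced to its essentials as an added Python model (this is not code from the thread, from IOS, or from any Cisco component): an X.509 certificate carries a notBefore/notAfter window, and a verifier rejects the chain when its own clock falls outside the window of any certificate in it. The certificate subjects, validity dates and the unsynchronized clock value (the commonly cited IOS default of 1 March 1993 when no clock has ever been set) are constructed for the example, and the reason strings are illustrative rather than the exact wording IOS logs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class CertValidity:
    """The validity fields of an X.509 certificate (RFC 5280 notBefore / notAfter)."""
    subject: str
    not_before: datetime
    not_after: datetime


def check_cert(cert: CertValidity, now: datetime) -> Optional[str]:
    """Return None if `cert` is valid at `now`, otherwise a reason string.

    The window is checked against the verifier's *local* clock, which is why an
    unsynchronized router rejects certificates that are perfectly good elsewhere.
    """
    if cert.not_before > cert.not_after:
        # Malformed certificate: the window itself is inverted.
        return "validity period start later than end"
    if now < cert.not_before:
        return "not yet valid (local clock is before notBefore)"
    if now > cert.not_after:
        return "expired (local clock is after notAfter)"
    return None


def validate_chain(chain: List[CertValidity], now: datetime) -> Tuple[bool, List[Tuple[str, str]]]:
    """Check every certificate in the chain (leaf first, then issuers) at `now`.

    Returns (ok, failures) where failures lists (subject, reason) for each
    certificate that is outside its window; a single failure fails the chain.
    """
    failures = []
    for cert in chain:
        reason = check_cert(cert, now)
        if reason is not None:
            failures.append((cert.subject, reason))
    return (not failures, failures)


# Constructed sample data modelled on the thread's topology (R8 = CA, R1 = a GM).
CA_CERT = CertValidity("CN=R8-CA", datetime(2016, 3, 1, tzinfo=UTC), datetime(2019, 3, 1, tzinfo=UTC))
GM_CERT = CertValidity("CN=R1-GM", datetime(2016, 4, 4, 12, 0, tzinfo=UTC), datetime(2017, 4, 4, 12, 0, tzinfo=UTC))
CHAIN = [GM_CERT, CA_CERT]

# Assumption: a router that has never had its clock set reports 1 March 1993.
UNSYNCED_CLOCK = datetime(1993, 3, 1, 0, 0, tzinfo=UTC)
# Clock after NTP synchronization, matching the timestamp in the posted log lines.
NTP_SYNCED_CLOCK = datetime(2016, 4, 4, 17, 50, 46, tzinfo=UTC)


def registration_outcome(now: datetime) -> str:
    """Model the KS decision on a GM registration attempt at local time `now`."""
    ok, failures = validate_chain(CHAIN, now)
    if ok:
        return "registration accepted"
    subject, reason = failures[0]
    return f"certificate from {subject} rejected: {reason}"


if __name__ == "__main__":
    for label, clock in (("unsynced clock", UNSYNCED_CLOCK), ("NTP-synced clock", NTP_SYNCED_CLOCK)):
        print(f"{label} ({clock.isoformat()}): {registration_outcome(clock)}")
```

Running the block shows the chain failing on the GM certificate with the 1993 clock and passing once the clock is in 2016; the same comparison applied to a date past notAfter returns the "expired" reason, which is the other way a stale clock (or a long-running lab) produces the same "certificate invalid" symptom.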
