GETVPN with certificates
Hi. I have this topology:
first KS: router 9
2nd KS: router 4
root CA: router 8
GMs: routers 1,2,3
I have configured R8 as root CA and created trustpoints on all of the other router and authenticate and enroll to that root CA; so I can see the relative certificates on the routers issued by R8. on R9 (my first KS) I have created an RSA key named "R9KEY" for this purpose.
during the GETVPN configuration phase, I've create another RSA key named "R9KEYEXP" on R9 for GETVPN signing purpose and use this key with the "rekey authentication mypubkey rsa R9KEYEXP" command. the problem is no any GM has been registered on the K9 and I repeatedly get this message on the R9: (R9TRUST is the name of the trustpoint that was created for initial registration of the GMs to the KS server).
Apr 4 17:50:46.634: %PKI-4-CRLINSERTFAIL: Trustpoint "R9TRUST" unknown (error 1804:E_VALIDITY : validity period start later than end)
Apr 4 17:50:46.635: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
Apr 4 17:50:46.650: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 126.96.36.199 is bad: certificate invalid