Cisco Bug: CSCul98906 - PKI HA: Shadow keypair not synced with Standby until CA cert expires

Last Modified

Nov 27, 2020

Products (111)

  • Cisco 2600 Series Multiservice Platforms
  • Cisco 819 Hardened Integrated Services Router
  • Cisco 812 CiFi Integrated Services Router
  • Cisco 886VAG 3G Integrated Services Router
  • Cisco 2951 Integrated Services Router
  • Cisco C892FSP Integrated Services Router
  • Cisco 888W Integrated Services Router
  • Cisco VG204XM Analog Voice Gateway
  • Cisco 892W Integrated Services Router
  • Cisco 1905 Serial Integrated Services Router

Known Affected Releases

15.1(4)M5.9 15.2(4)M2.1 15.4(0.9)T 15.5(3)M 15.5(3)S

Description (partial)

Symptom:
At CS SHADOW CERT GENERATION time, the shadow CA certificate and keypair are generated on the Active device. However, only the shadow CA certificate is synced with the Standby. The shadow keypair is synced when the current CA certificate expires.

Conditions:
Two routers in HSRP configured as CA servers in redundancy with auto-rollover enabled, as described in:

http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/configuration_guide__c07_621400.html