
Cisco Bug: CSCuq74176 - PKI IOS removed valid CA certificate before expiry date

Last Modified

Nov 27, 2020

Products (2)

  • Cisco 2600 Series Multiservice Platforms

Known Affected Releases

15.1(4)M8, 15.3(3)M3

Description (partial)

While using PKI, a valid CA certificate might be prematurely removed.

It happens when the router certificate is not valid or is expiring.
When the CA certificate is about to expire, we do:


Even if the "auto-enroll" option is not set, at the same time we do:


Then we remove the old but still valid CA certificate and replace it with the new one (not yet valid).

PKI: Rolling over CA cert for CA
CRYPTO_PKI: Rollover - Expired router certificate(s) deleted from database
PKI:get_cert CA 0x100004 (expired=0) FAILED
CRYPTO_PKI: Rollover - New router certificate(s) available for use

We install CA and router certificates that are not yet valid.

I observed two conditions (all in manual enrollment):
+ while we don't have a valid router certificate, we replace the old CA certificate immediately after receiving the new CA certificate
+ if we have a valid router certificate, we will replace it immediately when the router certificate expires, but the old CA would still be valid.
+ if we have "auto-enroll", we have a valid router certificate all the time and the issue does not happen.
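The following is an added example, not Cisco code or anything from the bug record itself. It models certificates as validity windows and contrasts the premature replacement the report describes (old CA certificate dropped as soon as the rollover certificate arrives, or as soon as the router certificate expires) with an overlap rollover that keeps the old CA certificate until it actually expires. It also includes a small check over debug lines like the ones quoted above, flagging a rollover logged alongside a failed lookup of the router's own certificate. The certificate names, dates and the `received_at`/`replace_at` parameters are constructed assumptions.

```python
"""Model of the CA-certificate rollover behaviour described in CSCuq74176.

Added example, not Cisco code. Certificates are reduced to a name and a
validity window; the dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def usable_cas_premature(old_ca, new_ca, replace_at, now):
    """Behaviour the report describes: at replace_at (receipt of the rollover
    certificate when no valid router certificate exists, or expiry of the
    router certificate) the old CA certificate is removed and the new one
    installed, whether or not the new certificate's validity has begun.
    Returns the names of CA certificates that are actually valid at `now`."""
    installed = [old_ca] if now < replace_at else [new_ca]
    return [c.name for c in installed if c.valid_at(now)]


def usable_cas_overlap(old_ca, new_ca, received_at, now):
    """Overlap rollover: both CA certificates stay installed from receipt of
    the new one; each is usable only inside its own validity window, so the
    old certificate keeps working until it expires and the new one takes
    over only once it is valid."""
    installed = [old_ca]
    if now >= received_at:
        installed.append(new_ca)
    return [c.name for c in installed if c.valid_at(now)]


def trust_gap(old_ca, new_ca, replace_at):
    """Length of the window in which the premature policy leaves the router
    with no valid CA certificate: from the replacement until the new
    certificate's not_before. Zero if the new certificate is already valid."""
    if replace_at >= new_ca.not_before:
        return timedelta(0)
    return new_ca.not_before - replace_at


ROLLOVER_MARKERS = ("Rolling over CA cert", "Rollover -")


def flag_rollover_without_router_cert(log_lines):
    """Detection over PKI debug output: True when a CA rollover is logged and
    a get_cert lookup for the router certificate FAILED in the same capture,
    the combination under which the report says the old CA is dropped at once."""
    saw_rollover = any(m in line for line in log_lines for m in ROLLOVER_MARKERS)
    saw_failed_lookup = any("get_cert" in line and "FAILED" in line for line in log_lines)
    return saw_rollover and saw_failed_lookup


# Constructed sample data: the new CA certificate's validity starts a week
# before the old one expires, but the router fetches it almost a month early.
UTC = timezone.utc
OLD_CA = Cert("old-ca", datetime(2014, 1, 1, tzinfo=UTC), datetime(2015, 1, 1, tzinfo=UTC))
NEW_CA = Cert("new-ca", datetime(2014, 12, 25, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC))
RECEIVED_AT = datetime(2014, 12, 1, tzinfo=UTC)

# Debug lines quoted in the bug report
REPORT_LOG = [
    "PKI: Rolling over CA cert for CA",
    "CRYPTO_PKI: Rollover - Expired router certificate(s) deleted from database",
    "PKI:get_cert CA 0x100004 (expired=0) FAILED",
    "CRYPTO_PKI: Rollover - New router certificate(s) available for use",
]

if __name__ == "__main__":
    probe = datetime(2014, 12, 10, tzinfo=UTC)
    print("premature:", usable_cas_premature(OLD_CA, NEW_CA, RECEIVED_AT, probe))
    print("overlap:  ", usable_cas_overlap(OLD_CA, NEW_CA, RECEIVED_AT, probe))
    print("gap:      ", trust_gap(OLD_CA, NEW_CA, RECEIVED_AT))
    print("flagged:  ", flag_rollover_without_router_cert(REPORT_LOG))
```

With the constructed dates, the premature policy leaves the router without any valid CA certificate for 24 days, while the overlap policy keeps `old-ca` usable until `new-ca` becomes valid and only then drops it.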