
Cisco Bug: CSCuq74176 - PKI IOS removed valid CA certificate before expiry date

Last Modified

Oct 14, 2019

Products (80)

  • Cisco IOS
  • Cisco C892FSP Integrated Services Router
  • Cisco 2951 Integrated Services Router
  • Cisco VG204XM Analog Voice Gateway
  • Cisco 881SRSTW Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 819 Hardened Integrated Services Router
  • Cisco C897VA Integrated Services Router
  • Cisco 812 CiFi Integrated Services Router
  • Cisco 892W Integrated Services Router

Known Affected Releases

15.1(4)M8, 15.3(3)M3

Description (partial)

While using PKI, a valid CA certificate might be prematurely removed.

This happens when the router certificate is not valid or is expiring.
When the CA certificate is about to expire, we do:


Even if the "auto-enroll" option is not set, at the same time we do:


Then we remove the old but still valid CA certificate and replace it with the new one (not valid yet).

PKI: Rolling over CA cert for CA
CRYPTO_PKI: Rollover - Expired router certificate(s) deleted from database
PKI:get_cert CA 0x100004 (expired=0) FAILED
CRYPTO_PKI: Rollover - New router certificate(s) available for use

We install CA and router certificates which are not yet valid.

I observed two conditions (all in manual enrollment):
+ while we don't have a valid router certificate, we replace the old CA certificate immediately after receiving the new CA certificate
+ if we have a valid router certificate, we replace it immediately when the router certificate expires, but the old CA would still be valid.
+ if we have "auto-enroll", we have a valid router certificate all the time and the issue does not happen.
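Added example (not Cisco's code): a detection that scans the debug lines quoted above for a rollover sequence in which get_cert reported FAILED with expired=0, alongside a reference decision rule for when a rollover CA certificate should replace the current one. The regexes and the trustpoint name "CA" are assumptions derived only from the quoted lines; the sample log and dates are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the four debug lines quoted in the bug description.
SAMPLE_LOG = """\
PKI: Rolling over CA cert for CA
CRYPTO_PKI: Rollover - Expired router certificate(s) deleted from database
PKI:get_cert CA 0x100004 (expired=0) FAILED
CRYPTO_PKI: Rollover - New router certificate(s) available for use
"""

# Patterns are assumptions derived only from the quoted lines, not an official format.
ROLLOVER_START = re.compile(r"^PKI: Rolling over CA cert for (?P<tp>\S+)")
GET_CERT_FAILED = re.compile(
    r"^PKI:get_cert CA 0x[0-9a-fA-F]+ \(expired=(?P<expired>\d)\) FAILED")


def find_suspect_rollovers(log: str) -> list:
    """Trustpoints whose rollover sequence contains a get_cert FAILED with
    expired=0: the CA cert was swapped while no valid CA cert was usable."""
    suspects, current_tp = [], None
    for line in log.splitlines():
        m = ROLLOVER_START.match(line)
        if m:
            current_tp = m.group("tp")
            continue
        m = GET_CERT_FAILED.match(line)
        if m and current_tp and m.group("expired") == "0":
            suspects.append(current_tp)
            current_tp = None  # one finding per rollover sequence
    return suspects


def rollover_decision(now: datetime, old_ca_not_after: datetime,
                      new_ca_not_before: datetime, router_cert_expired: bool) -> str:
    """Expected behaviour: keep the old CA while it is valid and the new one is
    not yet; router_cert_expired is intentionally unused, it must not drive the swap."""
    if now >= new_ca_not_before:
        return "activate-new"   # new CA is valid, safe to switch
    if now < old_ca_not_after:
        return "keep-old"       # old CA still valid, new one not yet usable
    return "no-valid-ca"        # neither is usable: alert rather than swap silently


def demo_decisions() -> tuple:
    """Constructed dates (not from the bug record) exercising all three outcomes."""
    d = lambda day: datetime(2014, 9, day, tzinfo=timezone.utc)
    return (rollover_decision(d(10), d(20), d(15), True),
            rollover_decision(d(16), d(20), d(15), True),
            rollover_decision(d(21), d(20), d(25), False))
```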