Cisco Bug: CSCvs99705 - PKI CLI - no warning that rsakeypair name starting from 0 (zero) is not working for cert regenerate

Last Modified

Sep 16, 2020

Products (14)

  • Cisco IOS
  • Cisco 4221 Integrated Services Router
  • Cisco ASR 1000 Series IOS XE SD-WAN
  • Cisco 4331 Integrated Services Router
  • Cisco ASR 1002-X Router
  • Cisco 4321 Integrated Services Router
  • Cisco ASR 1001-X Router
  • Cisco 4351 Integrated Services Router
  • Cisco ISR 4000 Series IOS XE SD-WAN
  • Cisco ISR 1000 Series IOS XE SD-WAN

Known Affected Releases

12.2(33)SXJ, 15.5(3)M4c, 15.9(3)M1, 15.9(3.0a)M, 16.9.4

Description (partial)

Symptom:
After regeneration of the RSA keypair and obtaining a new certificate, the new certificate is unusable. The reason is that the regenerated RSA keypair is not renamed from "0<name>#" back to "0<name>".

The processes using the certificate will fail. Example of failing ISAKMP debug:

Oct  3 2019 09:40:01.271 CEST: ISAKMP: (2252):using the TP-DMVPN trustpoint's keypair to sign
Oct  3 2019 09:40:01.271 CEST: ISAKMP-ERROR: (2252):keypair not found

"show crypto key mypubkey rsa" shows the key pair for the affected trustpoint with a name ending in "#" (0test#); a keypair named "0test" is not present:

#show crypto key mypubkey rsa 
% Key pair was generated at: 12:01:11 CET Dec 31 2019
Key name: 0test#
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C12AF5 
  E321F108 082FBBB6 93095BFB D7D31FB8 CAA9386D 87FC9A91 ED47855D 6102ACE5 
  9057794C 12C8CB37 979384A4 1B027855 A3FA452F 72625412 4383F560 CE7E9F2A 
  D86D03BA 339A4180 4ECC2934 467D66EF ECCF1BE5 87BCF202 AFBEEC2D 843F2CB7 
  2F5AD3D8 242F1379 B1EA15E5 B406226E DDB581CB 523BF861 C94882DA B7020301 
  0001

Conditions:
Trustpoint configured with:
 auto-enroll [x] regenerate
and
 rsakeypair name starting with a "0" (zero)

example:

crypto pki trustpoint TP-DMVPN
 enrollment url http://192.0.2.0:80
 revocation-check crl
 rsakeypair 0test
 auto-enroll 90 regenerate

Another failing scenario: the hostname starts with a zero and the trustpoint uses the default RSA keypair (no rsakeypair configured). Example:

hostname 012345
…
crypto pki trustpoint test
 enrollment url http://192.0.2.0:80
 auto-enroll 1 regenerate
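A quick way to audit a device for both conditions described above is to check two things: whether `show crypto key mypubkey rsa` still lists a key whose name ends in "#" (the un-renamed regenerated keypair), and whether any trustpoint with `auto-enroll ... regenerate` has an effective keypair name starting with "0". The script below is an added example, not Cisco's code or part of the bug report; the sample outputs are constructed from the report's snippets, and it assumes that a trustpoint without an `rsakeypair` statement uses a default keypair whose name begins with the hostname (which is what the second scenario in the report relies on).

```python
from __future__ import annotations
import re

# Constructed sample of "show crypto key mypubkey rsa" output, modelled on the
# bug report: one stale "0test#" key left behind by regenerate, one healthy key.
SAMPLE_SHOW_KEYS = """\
% Key pair was generated at: 12:01:11 CET Dec 31 2019
Key name: 0test#
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
% Key pair was generated at: 08:15:42 CET Jan 02 2020
Key name: router-ssh
Key type: RSA KEYS
 Usage: General Purpose Key
"""

# Constructed running-config fragment containing both triggering patterns from
# the report (explicit "0..." rsakeypair, and hostname "0..." with default keypair)
# plus one trustpoint that is not affected.
SAMPLE_CONFIG = """\
hostname 012345
!
crypto pki trustpoint TP-DMVPN
 enrollment url http://192.0.2.0:80
 revocation-check crl
 rsakeypair 0test
 auto-enroll 90 regenerate
!
crypto pki trustpoint test
 enrollment url http://192.0.2.0:80
 auto-enroll 1 regenerate
!
crypto pki trustpoint safe
 enrollment url http://192.0.2.0:80
 rsakeypair vpnkeys
 auto-enroll 90 regenerate
"""


def stale_keypairs(show_output: str) -> list[str]:
    """Return key names that still carry the trailing '#' of an un-renamed regenerate."""
    names = re.findall(r"^Key name:\s*(\S+)\s*$", show_output, re.MULTILINE)
    return [n for n in names if n.endswith("#")]


def parse_trustpoints(config: str) -> tuple[str, dict[str, dict]]:
    """Parse the hostname and each 'crypto pki trustpoint' block from a running config."""
    hostname = "Router"  # assumption: IOS default hostname when none is configured
    trustpoints: dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^hostname\s+(\S+)", line)
        if m:
            hostname = m.group(1)
            continue
        m = re.match(r"^crypto pki trustpoint\s+(\S+)", line)
        if m:
            current = m.group(1)
            trustpoints[current] = {"rsakeypair": None, "regenerate": False}
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the trustpoint block
            continue
        m = re.match(r"^\s+rsakeypair\s+(\S+)", line)
        if m:
            trustpoints[current]["rsakeypair"] = m.group(1)
        elif re.match(r"^\s+auto-enroll\b.*\bregenerate\b", line):
            trustpoints[current]["regenerate"] = True
    return hostname, trustpoints


def at_risk_trustpoints(config: str) -> list[tuple[str, str]]:
    """Trustpoints matching the bug's conditions: auto-enroll with regenerate, and an
    effective keypair name starting with '0' (explicit rsakeypair, or the hostname-derived
    default name when no rsakeypair is configured). Returns (trustpoint, keypair) pairs."""
    hostname, tps = parse_trustpoints(config)
    hits = []
    for name, tp in tps.items():
        if not tp["regenerate"]:
            continue
        keyname = tp["rsakeypair"] if tp["rsakeypair"] else hostname
        if keyname.startswith("0"):
            hits.append((name, keyname))
    return hits


if __name__ == "__main__":
    for key in stale_keypairs(SAMPLE_SHOW_KEYS):
        print(f"stale regenerated keypair still present: {key}")
    for tp, key in at_risk_trustpoints(SAMPLE_CONFIG):
        print(f"trustpoint {tp} matches bug conditions (keypair name {key!r})")
```

Feed the script real `show crypto key mypubkey rsa` and `show running-config` output instead of the constructed samples to check a device; a key name ending in "#" is the symptom already present, while a match from `at_risk_trustpoints` means the next auto-enroll regenerate is liable to hit the bug.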