Hi,
I was referred to this email list by alee on the #dogtag-pki IRC group to get some help on
automatic certificate renewals. We are trying to get Dogtag 10.2.1 set up to be a
certificate authority for Cisco routers’ identity certificates. For the first step I have
things working to get a certificate using the caRouterCert.cfg profile with a one-time
password in the flatfile.txt. For the second step I’m trying to get auto-renewal of the
identity certificates working. Here is where I stand:
1. For testing, I have set the validity to 1 day so that the renewal attempt happens the
next day… I don’t see a way of making it any shorter to expedite testing.
2. I have added “renewal=true” to the caRouterCert.cfg hoping that it will enable
auto-renewal. I’m not sure whether using the same profile would require a “one-time”
password to be in flatfile.txt again (which isn’t practical). If I would need a
different profile for the renewal I’m not clear on how to add and then use it for the
renewal.
3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the profile just for testing
purposes.
4. I have confirmed on the router that the expiration is as expected (24 hrs) and it shows
a date/time that it will attempt to renew automatically (the link below discusses cert
renewal from the perspective of IOS).
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrast...
5. When the renewal time comes on the router, I see lots of activity in the dogtag debug
log, but am unsure of what to look for to troubleshoot it failing.
Please advise on what to change and/or look for. I can also send logs and/or config files
if that would help.
Best Regards,
-Emily
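Added example, not part of the original post and not Dogtag's own code: a small script that reads the renewal keys named above (renewal, renewal.graceBefore, renewal.graceAfter) from a Dogtag-style key=value profile and checks whether a renewal attempt at a given time falls inside the grace window around the certificate's notAfter. The profile fragment and certificate dates are constructed for the example, and the interpretation of graceBefore/graceAfter as whole days on either side of notAfter is an assumption; it is the check a practitioner would want when confirming that the router's scheduled renewal time (item 4) is one the CA's grace constraint will accept. With a 1-day validity and graceBefore=10, the window opens before the certificate is even issued.

```python
"""Constructed example (not Dogtag's code): parse renewal keys from a
Dogtag-style key=value profile and test a renewal time against the
grace window.  Assumption: graceBefore/graceAfter are whole days
measured from the certificate's notAfter."""
from datetime import datetime, timedelta, timezone

# Constructed profile fragment using the keys named in the post; it is
# not the real caRouterCert.cfg.
PROFILE_TEXT = """\
# caRouterCert.cfg (constructed fragment)
desc=Router identity certificate
enable=true
auth.instance_id=flatFileAuth
renewal=true
renewal.graceBefore=10
renewal.graceAfter=1
"""


def parse_profile(text):
    """Parse key=value lines; '#' comments and blank lines are skipped.
    Values stay strings, as Dogtag profiles store them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed profile line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def renewal_window(props, not_after):
    """Return (start, end) of the grace window around not_after, or None
    when the profile does not enable renewal.  Missing grace keys are
    treated as 0 days (assumption)."""
    if props.get("renewal", "false").lower() != "true":
        return None
    before = int(props.get("renewal.graceBefore", "0"))
    after = int(props.get("renewal.graceAfter", "0"))
    return (not_after - timedelta(days=before),
            not_after + timedelta(days=after))


def renewal_allowed_at(props, not_after, when):
    """True if a renewal attempt at `when` is inside the grace window."""
    window = renewal_window(props, not_after)
    return window is not None and window[0] <= when <= window[1]


# Constructed certificate lifetime: issued with 1-day validity, as in the post.
NOT_BEFORE = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=1)
ROUTER_ATTEMPT = NOT_AFTER - timedelta(hours=2)   # shortly before expiry
TWO_DAYS_LATE = NOT_AFTER + timedelta(days=2)     # past graceAfter=1

if __name__ == "__main__":
    props = parse_profile(PROFILE_TEXT)
    start, end = renewal_window(props, NOT_AFTER)
    print("grace window:", start.isoformat(), "to", end.isoformat())
    for label, t in (("at issue", NOT_BEFORE),
                     ("router attempt", ROUTER_ATTEMPT),
                     ("two days late", TWO_DAYS_LATE)):
        verdict = "allowed" if renewal_allowed_at(props, NOT_AFTER, t) else "rejected"
        print(f"{label:15s} {t.isoformat()}  {verdict}")
```

Run it against the real profile by replacing PROFILE_TEXT with the file contents and NOT_AFTER with the notAfter shown on the router; a renewal attempt outside the printed window is one place to look when the debug log shows the request being refused.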