Hi,
I was referred to this email list by alee on the #dogtag-pki IRC channel to get some help on automatic certificate renewals. We are trying to get Dogtag 10.2.1 set up as a certificate authority for Cisco routers’ identity certificates. For the first step, I have things working to get a certificate using the caRouterCert.cfg profile with a one-time password in flatfile.txt. For the second step, I’m trying to get auto-renewal of the identity certificates working. Here is where I stand:
1. For testing, I have set the validity to 1 day so that the renewal attempt happens the next day… I don’t see a way of making it any shorter to expedite testing.
2. I have added “renewal=true” to caRouterCert.cfg, hoping that it will enable auto-renewal. I’m not sure whether using the same profile would require that a “one-time” password be in flatfile.txt again (which isn’t practical). If I need a different profile for the renewal, I’m not clear on how to add it and then use it for the renewal.
3. I have renewal.graceBefore=10 and renewal.graceAfter=1 in the profile just for testing purposes.
4. I have confirmed on the router that the expiration is as expected (24 hrs) and it shows a date/time at which it will attempt to renew automatically (the link below discusses cert renewal from the perspective of IOS).
5. When the renewal time comes on the router, I see lots of activity in the Dogtag debug log, but I am unsure of what to look for to troubleshoot why it fails.
Please advise on what to change and/or look for. I can also send logs and/or config files if that would help.
Best Regards,
-Emily
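One thing worth checking with the numbers in this message is whether the router's scheduled renewal time actually falls inside the CA's grace window. The script below is an added example, not code from Dogtag or from the poster; it assumes (labelled as an assumption in the code) that Dogtag's `renewal.graceBefore` / `renewal.graceAfter` settings mean a renewal is accepted only between `notAfter - graceBefore` days and `notAfter + graceAfter` days. The certificate dates and the profile values are constructed from the message (1-day validity, graceBefore=10, graceAfter=1); the function names are mine.

```python
from datetime import datetime, timedelta, timezone


def renewal_window(not_after, grace_before_days, grace_after_days):
    """Return (window_start, window_end) for a renewal request.

    ASSUMPTION (not verified against Dogtag source on this page): the CA accepts a
    renewal only while
        not_after - grace_before_days <= now <= not_after + grace_after_days
    """
    start = not_after - timedelta(days=grace_before_days)
    end = not_after + timedelta(days=grace_after_days)
    return start, end


def renewal_allowed(now, not_after, grace_before_days, grace_after_days):
    """True if a renewal request made at `now` is inside the assumed grace window."""
    start, end = renewal_window(not_after, grace_before_days, grace_after_days)
    return start <= now <= end


def router_renewal_inside_window(not_before, not_after, renew_fraction,
                                 grace_before_days, grace_after_days):
    """Model a router that renews at some fraction of the certificate lifetime
    (constructed behaviour for the example; the exact IOS scheduling is not on this
    page) and report whether that instant is inside the CA's assumed window.
    Returns (scheduled_renewal_time, allowed)."""
    lifetime = not_after - not_before
    scheduled = not_before + lifetime * renew_fraction
    return scheduled, renewal_allowed(scheduled, not_after,
                                      grace_before_days, grace_after_days)


# Constructed sample: a 1-day certificate issued at 2015-01-01T00:00Z,
# with the profile values from the message (graceBefore=10, graceAfter=1).
NOT_BEFORE = datetime(2015, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=1)
GRACE_BEFORE = 10
GRACE_AFTER = 1


if __name__ == "__main__":
    start, end = renewal_window(NOT_AFTER, GRACE_BEFORE, GRACE_AFTER)
    print("CA accepts renewals between", start, "and", end)
    # With a 1-day cert and graceBefore=10 the window opens before issuance,
    # so the CA-side window cannot be what rejects the router's attempt.
    sched, ok = router_renewal_inside_window(NOT_BEFORE, NOT_AFTER, 0.8,
                                             GRACE_BEFORE, GRACE_AFTER)
    print("router renews at", sched, "-> inside window:", ok)
    # Contrast: a 1-year cert with graceBefore=30 renewed at 80% of lifetime
    # would fall outside the window and be rejected for that reason alone.
    year_after = NOT_BEFORE + timedelta(days=365)
    sched2, ok2 = router_renewal_inside_window(NOT_BEFORE, year_after, 0.8, 30, 30)
    print("1-year cert renewing at", sched2, "-> inside window:", ok2)
```

If the scheduled time is inside the window (as it is for the 1-day test cert), the rejection is coming from somewhere else in the profile, such as the authentication step, rather than from the grace-period constraint.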