I've been messing around with some FlexVPN and PKI stuff lately and I found that you can manually force IOS to use a trustpoint that is revoked or expired (say time skew due to tunnel being down), however I'm not able to get this functionality to work.
I'm using a NordVPN tunnel in my lab for testing and simply rolled the clock back to simulate an invalid certificate. As far as I can tell the certificate map is configured properly per Cisco's documentation, yet when I try to bring the tunnel up it still complains that the certificate is not yet valid, which is opposite from what I'm seeing in this article.
!
crypto pki trustpoint NORDVPN-CA
 enrollment terminal pem
 revocation-check none
 match certificate NORDVPN-CERT-MAP allow expired-certificate
!
crypto pki certificate map NORDVPN-CERT-MAP 10
 valid-start ge Jan 01 1993 00:00:00 UTC
!

And debugs after a no shut on Tunnel1.

Jan 2 1993 06:04:51.597 UTC: CRYPTO_PKI: (A003A) Certificate is not verified
Jan 2 1993 06:04:51.598 UTC: CRYPTO_PKI: Remove session revocation service providers
Jan 2 1993 06:04:51.598 UTC: CRYPTO_PKI: Remove session revocation service providers
Jan 2 1993 06:04:51.598 UTC: CRYPTO_PKI: (A003A) Certificate not-yet-valid
Jan 2 1993 06:04:51.598 UTC: PKI: Cert key-usage: Certificate-Signing , CRL-Signing
Jan 2 1993 06:04:51.598 UTC: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 04) is not yet valid Validity period starts on 00:00:00 UTC Jan 1 2018
Jan 2 1993 06:04:51.598 UTC: CRYPTO_PKI: (A003A)chain cert was anchored to trustpoint Unknown, and chain validation result was: CRYPTO_CERT_NOT_YET_VALID
Jan 2 1993 06:04:51.598 UTC: CRYPTO_PKI: destroying ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 37, ref count 1
Jan 2 1993 06:04:51.598 UTC: CRYPTO_PKI: ca_req_context released
Jan 2 1993 06:04:51.598 UTC: CRYPTO_PKI: (A003A) Certificate validation failed
Jan 2 1993 06:04:51.599 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain FAILED
Jan 2 1993 06:04:51.599 UTC: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Failed to validate the certificate

Does anyone know if I'm missing something? I've been looking at this for a couple days, but I'm at a loss.
Thanks!