Symptom
-When an IOS router is configured as a PKI server in RA mode ("mode ra" under "crypto pki server"), a reload converts the RA's rollover certificate (shown as "Certificate (RA mode CS certificate, Rollover)") into a rollover ID (router) certificate (shown as "Router Certificate (Rollover)")
-This breaks the rollover of the RA certificate and renders the PKI server nonoperational once the current RA certificate expires
-Before reload:
RA(config)#do sh cry pki cert
Certificate (RA mode CS certificate, Rollover)
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer:
    cn=RootCA
  Subject:
    Name: RA
    Serial Number: 1727809637
    hostname=RA+serialNumber=1727809637
    cn=RA
  Validity Date:
    start date: 10:42:55 EDT Mar 22 2017
    end date: 10:42:55 EDT Jun 30 2017
  Associated Trustpoints: RA
-After reload:
RA#sh cry pki cert
Router Certificate (Rollover)
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer:
    cn=RootCA
  Subject:
    Name: RA
    Serial Number: 1727809637
    hostname=RA+serialNumber=1727809637
    cn=RA
  Validity Date:
    start date: 10:42:55 EDT Mar 22 2017
    end date: 10:42:55 EDT Jun 30 2017
  Associated Trustpoints: RA
  Storage: nvram:RootCA#3.cer
Conditions
-IOS router configured as a PKI server in RA mode (Registration Authority)
-A rollover RA certificate has been generated and the router is reloaded before that certificate becomes active (the certificate serial number, subject, and validity dates are unchanged after the reload; only the certificate type is wrong)
Workaround
-Do not reload the RA while a certificate headed "Certificate (RA mode CS certificate, Rollover)" is listed for the RA trustpoint in "show crypto pki certificates"; defer the reload until the rollover certificate has become active (its validity start date has passed and it has taken over from the current RA certificate)
-After any reload, check the same output: a "Router Certificate (Rollover)" associated with the RA trustpoint means the issue has already been hit
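The pre-reload check described above can be scripted. The following is an added example, not part of the bug note or of any Cisco tool: it parses "show crypto pki certificates" output (pasted or collected over SSH by whatever means you already use) and reports whether an RA trustpoint has a pending rollover certificate (reload unsafe) or a rollover certificate already converted to a router certificate (issue already triggered). The sample outputs are constructed from the ones in this note; the set of RA trustpoints and the "now" timestamp are inputs you supply, and the time-zone token in IOS dates is ignored, so compare against the router's local time.

```python
import re
from datetime import datetime

# Constructed samples modelled on the outputs in this note (not captured from a live device).
BEFORE_RELOAD = """\
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=RootCA
  Subject:
    cn=RootCA
  Validity Date:
    start date: 10:42:55 EDT Mar 22 2016
    end   date: 10:42:55 EDT Mar 22 2019
  Associated Trustpoints: RA

Certificate (RA mode CS certificate, Rollover)
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer:
    cn=RootCA
  Subject:
    Name: RA
    Serial Number: 1727809637
    hostname=RA+serialNumber=1727809637
    cn=RA
  Validity Date:
    start date: 10:42:55 EDT Mar 22 2017
    end   date: 10:42:55 EDT Jun 30 2017
  Associated Trustpoints: RA
"""

AFTER_RELOAD = """\
Router Certificate (Rollover)
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer:
    cn=RootCA
  Subject:
    Name: RA
    Serial Number: 1727809637
    hostname=RA+serialNumber=1727809637
    cn=RA
  Validity Date:
    start date: 10:42:55 EDT Mar 22 2017
    end   date: 10:42:55 EDT Jun 30 2017
  Associated Trustpoints: RA
  Storage: nvram:RootCA#3.cer
"""

RA_ROLLOVER = "Certificate (RA mode CS certificate, Rollover)"
ID_ROLLOVER = "Router Certificate (Rollover)"


def parse_ios_date(text):
    """Parse '10:42:55 EDT Mar 22 2017'; the zone token is dropped (naive local time)."""
    hhmmss, _zone, mon, day, year = text.split()
    return datetime.strptime(f"{hhmmss} {mon} {day} {year}", "%H:%M:%S %b %d %Y")


def parse_certificates(show_output):
    """Split 'show crypto pki certificates' output into one dict per certificate block."""
    certs, cur = [], None
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Block headers ("CA Certificate", "Router Certificate (Rollover)", ...) carry no
        # "key: value" colon; every field line does, so this also works if indentation was lost.
        if "Certificate" in line and ":" not in line:
            cur = {"type": line, "status": None, "trustpoints": [],
                   "start_date": None, "end_date": None}
            certs.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"(start|end)\s+date:\s*(.+)$", line)
        if m:
            cur[m.group(1) + "_date"] = parse_ios_date(m.group(2))
            continue
        m = re.match(r"Associated Trustpoints:\s*(.+)$", line)
        if m:
            cur["trustpoints"] = m.group(1).split()
            continue
        m = re.match(r"Status:\s*(.+)$", line)
        if m:
            cur["status"] = m.group(1)
    return certs


def assess_reload_safety(show_output, ra_trustpoints, now):
    """Return (ok, findings): ok is False if a reload would hit the issue or already has."""
    ok, findings = True, []
    for cert in parse_certificates(show_output):
        tps = [tp for tp in cert["trustpoints"] if tp in ra_trustpoints]
        if not tps:
            continue  # not an RA trustpoint; the issue only concerns RA mode servers
        if cert["type"].startswith(RA_ROLLOVER):
            if cert["start_date"] is not None and cert["start_date"] > now:
                ok = False
                findings.append(f"{tps}: pending RA rollover certificate activates at "
                                f"{cert['start_date']}; do not reload before then")
            else:
                findings.append(f"{tps}: RA rollover certificate has reached its start date")
        elif cert["type"].startswith(ID_ROLLOVER):
            ok = False
            findings.append(f"{tps}: rollover certificate is labelled as a router (ID) "
                            f"certificate; the RA rollover is already broken")
    return ok, findings


if __name__ == "__main__":
    for label, output in (("before reload", BEFORE_RELOAD), ("after reload", AFTER_RELOAD)):
        ok, findings = assess_reload_safety(output, {"RA"}, datetime(2017, 3, 1))
        print(label, "OK" if ok else "PROBLEM", findings)
```

Run it with the real output of "show crypto pki certificates" from the RA and the router's current clock as "now"; a clean result means no rollover RA certificate is pending for the trustpoints you named.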