You can enable the device to automatically renew certificates that were acquired by online enrollment or loaded manually. This saves you from having to remember to renew certificates on the device before they expire, and helps keep valid certificates in place at all times.
Automatic certificate renewal is disabled by default. You can configure the device to send a renewal request automatically before a certificate expires, and you can set how long before the expiration date (in days and minutes) the request is sent. By setting a different time for each certificate, you avoid having the device renew all of its certificates at the same moment.
Before You Begin
For this feature to work, the device must be able to reach the SCEP server, and the certificate must be present on the device during the renewal process. You must also ensure that the CA issuing the certificate returns the same DN (distinguished name): the CA must not modify the subject name or the Subject Alternative Name extension in the new certificate.
You can enable and disable automatic SCEP certificate renewal for all SCEP certificates or on a per-certificate basis.
To enable and configure certificate re-enrollment, use the set security pki auto-re-enrollment command, as in the following example:
- user@host# set security pki auto-re-enrollment certificate-id sm1 ca-profile-name aaa challenge-password abc re-enroll-trigger-time-percentage 10 re-generate-keypair
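As an added illustration (not code from the Juniper documentation), the Python below models how a trigger percentage turns into a renewal time, flags certificates that would renew at the same moment, and performs the subject/SAN comparison the CA must satisfy. It assumes that re-enroll-trigger-time-percentage is the share of the certificate's validity period still remaining when the request is sent; the certificate values are constructed sample data.

```python
from datetime import datetime, timedelta

# Assumption (not stated on the page): re-enroll-trigger-time-percentage is the
# fraction of the total validity period that must still remain when the device
# sends the SCEP renewal request.
def renewal_trigger_time(not_before: datetime, not_after: datetime, pct: int) -> datetime:
    """Instant at which the renewal request fires for one certificate."""
    if not 0 < pct < 100:
        raise ValueError("trigger percentage must be between 1 and 99")
    validity = not_after - not_before
    return not_after - validity * (pct / 100)

def plan_renewals(certs: dict) -> dict:
    """certs: certificate-id -> (not_before, not_after, pct). Returns id -> trigger time."""
    return {cid: renewal_trigger_time(nb, na, pct) for cid, (nb, na, pct) in certs.items()}

def find_collisions(plan: dict, min_gap: timedelta) -> list:
    """Pairs of certificate IDs whose trigger times lie closer together than min_gap,
    i.e. certificates that would be renewed at (nearly) the same time."""
    items = sorted(plan.items(), key=lambda kv: kv[1])
    return [(a, b) for (a, ta), (b, tb) in zip(items, items[1:]) if tb - ta < min_gap]

def identity_preserved(old: dict, new: dict) -> bool:
    """Auto-renewal requires the CA to keep the subject DN and the SAN entries
    unchanged; compare the old and renewed certificate's identity fields."""
    return old["subject"] == new["subject"] and set(old["sans"]) == set(new["sans"])

# Constructed sample: three one-year certificates, two of them with the same trigger
SAMPLE_CERTS = {
    "sm1": (datetime(2024, 1, 1), datetime(2024, 12, 31), 10),
    "sm2": (datetime(2024, 1, 1), datetime(2024, 12, 31), 20),
    "sm3": (datetime(2024, 1, 1), datetime(2024, 12, 31), 10),
}

if __name__ == "__main__":
    plan = plan_renewals(SAMPLE_CERTS)
    for cid, when in plan.items():
        print(f"{cid}: renewal request fires at {when}")
    print("same-time renewals:", find_collisions(plan, timedelta(days=1)))
```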