[an error occurred while processing this directive][an error occurred while processing this directive]

Configuring the Auto-Reenrollment Properties for Automatic Renewal of the Router Certificate from the CA

Use the auto-re-enrollment statement to configure automatic reenrollment of a specified existing router certificate before its existing expiration date. This function automatically reenrolls the router certificate. The reenrollment process requests the certificate authority (CA) to issue a new router certificate with a new expiration date. The date of auto-reenrollment is determined by the following parameters:

  • re-enroll-trigger-time—The percentage of the difference between the router certificate start date/time (when the certificate was generated) and the validity period; used to specify how long auto-reenrollment should be initiated before expiration.
  • validity-period—The number of days after issuance when the router certificate will expire, as set when a certificate is generated.

Note: By default, this feature is not enabled unless configured explicitly. This means that a certificate that does not have auto-reenrollment configured will expire on its normal expiration date.

The ca-profile statement specifies which CA will be contacted to reenroll the expiring certificate. This is the CA that issued the original router certificate.

The challenge-password statement provides the issuing CA with the router certificate’s password, as set by the administrator and normally obtained from the SCEP enrollment Web page of the CA. The password is 16 characters in length.

Optionally, the router certificate key pair can be regenerated by using the re-generate-keypair statement.

To configure the auto-re-enrollment statement and its properties, include the following statements at the [edit security pki] hierarchy level:

[edit security pki]auto-re-enrollment {certificate-id {ca-profile ca-profile-name;challenge-password password;re-enroll-trigger-time percentage;re-generate-keypair;validity-period days;}}

percentage is the percentage for the reenroll trigger time. The range can be from 1 through 99 percent.

days is the number of days for the validity period. The range can be from 1 through 4095.

Tasks to configure automatic reenrollment of certificates are:

  1. Specify the Certificate ID
  2. Specify the CA Profile
  3. Specify the Challenge Password
  4. Specify the Reenroll Trigger Time
  5. Specify the Regenerate Key Pair
  6. Specify the Validity Period

Specify the Certificate ID

Use the certificate-id statement to specify the name of the router certificate to configure for auto-reenrollment. To specify the certificate ID, include the statement at the [edit security pki auto-re-enrollment] hierarchy level:

[edit security pki auto-re-enrollment]certificate-id certificate-name;

Specify the CA Profile

Use the ca-profile statement to specify the name of the CA profile from the router certificate previously specified by certificate ID. To specify the CA profile, include the statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]ca-profile ca-profile-name;

Note: The referenced ca-profile must have an enrollment URL configured at the [edit security pki ca-profile ca-profile-name enrollment url] hierarchy level.

Specify the Challenge Password

The challenge password is used by the CA specified by the PKI certificate ID for reenrollment and revocation. To specify the challenge password, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]challenge-password password;

Specify the Reenroll Trigger Time

Use the re-enroll-trigger-time statement to set the percentage of the validity period before expiration at which reenrollment occurs. To specify the reenroll trigger time, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]re-enroll-trigger-time percentage;

percentage is the percentage for the reenroll trigger time. The range can be from 1 through 99 percent.

Specify the Regenerate Key Pair

When a regenerate key pair is configured, a new key pair is generated during reenrollment. On successful reenrollment, a new key pair and new certificate replace the old certificate and key pair. To generate a new key pair, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]re-generate-keypair;

Specify the Validity Period

The validity-period statement specifies the router certificate validity period, in number of days, that the specified router certificate remains valid. To specify the validity period, include the statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]validity-period days;

days is the number of days for the validity period. The range can be from 1 through 4095.


Published: 2010-04-26

[an error occurred while processing this directive]