certificate verify failed, certificate is not yet valid, could not perform CA authentication

Some of you may encounter a problem when authenticating a root CA’s certificate on an MDS which goes like this:

First you make sure you have a valid domain-name set on your MDS, which is a requirement for certificates:

MDS1(config)# ip domain-name iementor.com

Next generate the crypto key pair:

MDS1(config)# crypto key generate rsa exportable modulus 512

Create the trustpoint:

MDS1(config)# crypto ca trustpoint MGMT-CA
MDS1(config-trustpoint)# enrollment terminal
MDS1(config-trustpoint)# rsakeypair MDS1.iementor.com
MDS1(config-trustpoint)# exit

You should already have a stand-alone root CA configured. On the root CA, export the CA's certificate as Base64-encoded text so you can paste it in the next step. This is where you may hit the error:

MDS1(config)# crypto ca authenticate MGMT-CA
input (cut & paste) CA certificate (chain) in PEM format;
end the input with a line containing only END OF INPUT :
-----BEGIN CERTIFICATE-----
[Base64 certificate body omitted]
-----END CERTIFICATE-----
END OF INPUT
certificate verify failed
certificate is not yet valid
could not perform CA authentication

The most likely cause of this error is that the clocks on the two systems are not synchronized. Every certificate carries a validity period (a notBefore and a notAfter time), and "certificate is not yet valid" means the MDS's clock is still behind the certificate's notBefore time: from the switch's point of view the CA has issued a certificate that starts in the future. That is why it is important that the clocks are in sync.
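To make the failure concrete, here is an added example (not code from the original post or from the MDS) that decodes an X.509 Validity field the way RFC 5280 defines it and applies the same clock comparison the switch performs. The DER bytes and the two device times are constructed sample values.

```python
# Added example (not from the original post): decode an X.509 Validity field and
# classify it against a device clock, reproducing "certificate is not yet valid".
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30

def _tlv(buf, pos):
    """Read one DER tag/length/value; short-form length is enough for Validity."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected inside Validity")
    end = pos + 2 + length
    return tag, buf[pos + 2:end], end

def parse_x509_time(tag, value):
    """RFC 5280 4.1.2.5: UTCTime YYMMDDHHMMSSZ (YY >= 50 means 19YY, else 20YY);
    GeneralizedTime YYYYMMDDHHMMSSZ for dates from 2050 on. Both must end in Z."""
    text = value.decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("certificate times must be expressed in UTC (Zulu)")
    if tag == UTC_TIME:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != GENERALIZED_TIME:
        raise ValueError("unexpected ASN.1 time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_validity(der):
    """Validity ::= SEQUENCE { notBefore Time, notAfter Time }"""
    tag, body, _ = _tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, pos = _tlv(body, 0)
    t2, v2, _ = _tlv(body, pos)
    return parse_x509_time(t1, v1), parse_x509_time(t2, v2)

def check_validity(not_before, not_after, device_now):
    """The check the MDS applies with its own clock while authenticating the CA."""
    if device_now < not_before:
        return "certificate is not yet valid"
    if device_now > not_after:
        return "certificate has expired"
    return "certificate is valid"

# Constructed sample Validity: notBefore 2010-05-03 14:00:00Z, notAfter 2015-05-03 14:00:00Z.
SAMPLE_VALIDITY = b"\x30\x1e" b"\x17\x0d" b"100503140000Z" b"\x17\x0d" b"150503140000Z"

def demo():
    """MDS clock 45 minutes behind the CA fails; the same cert passes once NTP-synced."""
    not_before, not_after = parse_validity(SAMPLE_VALIDITY)
    lagging = datetime(2010, 5, 3, 13, 15, tzinfo=timezone.utc)
    synced = datetime(2010, 5, 3, 14, 15, tzinfo=timezone.utc)
    return check_validity(not_before, not_after, lagging), check_validity(not_before, not_after, synced)
```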

Make sure the CA server's clock uses the same NTP time source as the MDS. Then go into Certificate Services on Windows, re-issue the certificate, download it again, and paste it in:

MDS1(config)# crypto ca authenticate MGMT-CA
input (cut & paste) CA certificate (chain) in PEM format;
end the input with a line containing only END OF INPUT :
-----BEGIN CERTIFICATE-----
[Base64 certificate body omitted]
-----END CERTIFICATE-----
END OF INPUT
Fingerprint(s): MD5 Fingerprint=AA:3A:3D:28:95:99:C7:66:D4:D7:FA:7B:2C:60:C4:63

Do you accept this certificate? [yes/no]:yes
MDS1(config)#

This entry was posted in CCIE Storage, Certificate Authority.
