LANCOM Support Knowledgebase Document No. 1812.0512.2034.RHOO - V1.60

Automatic renewal of the device certificate with “RA-Auto-Approve” is not working


Description:

This document describes the necessary steps if the automatic renewal of the device certificate is not working.

When using the RA-Auto-Approve function in the SCEP client, authentication at the CA is performed using an available device certificate and not a challenge password. A validation error causes the renewal of the device certificate to fail.

The SCEP client is always used in WLAN controller scenarios. It can also be used in VPN scenarios if the LANCOM router is to obtain its certificates from a SCEP server.



This issue will be fixed in the following firmware versions:
  • LCOS 9.24 RU10 (coming soon)
  • LCOS 10.12 RU11 (coming soon)


Procedure:

If possible, the firmware should be updated to one of the LCOS versions listed above. The automatic renewal of the device certificate with the function RA-Auto-Approve will then function properly again.

If the device certificate is still valid, a new certificate can be obtained using the CLI command do Setup/Certificates/SCEP-Client/Update.

The certificate stored in the device can be viewed with the CLI command show SCEP timer (in this case with a WLAN controller). The certificate is valid until March 12, 2019.
    Show all timers (UTC):
    Client0 (CONTROLLER):
    Ca/Ra upgrade timer: expires 3/9/2028 15:20:48 current-time 12/6/2018 13:07:31 update-before-3-days still 291867197 sec(3/6/2028 15:20:48) is running
    Cert upgrade timer: expires 3/12/2019 15:20:58 current-time 12/6/2018 13:07:31 update-before-2-days still 8129607 sec(3/10/2019 15:20:58) is running

    Cert reminder expiration's timer: remind-before-7-days still 7697607 sec(3/5/2019 15:20:58) is running

    Cert inform expiration's timer: expires 3/12/2019 15:20:58 still 8302407 sec(3/12/2019 15:20:58) is running


Below is the output from a VPN router. The certificate is valid until March 05, 2019.
    Show all timers (UTC):
    Client2 (ROUTER-CERT):
    Ca/Ra upgrade timer: expires 3/10/2028 9:50:10 current-time 12/6/2018 14:00:49 update-before-3-days still 291930560 sec(3/7/2028 9:50:09) is running
    Cert upgrade timer: expires 9/5/2019 13:12:34 current-time 12/6/2018 14:00:49 update-before-2-days still 23411504 sec(9/3/2019 13:12:33) is running

    Cert reminder expiration's timer: remind-before-7-days still 22979504 sec(8/29/2019 13:12:33) is running

    Cert inform expiration's timer: expires 9/5/2019 13:12:34 still 23584304 sec(9/5/2019 13:12:33) is running
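
To spot a failed automatic renewal before the certificate expires, a saved "show SCEP timer" output can be checked against the current time. The following Python script is an added example, not LANCOM code. It assumes the timer line format and the month/day/year UTC timestamps seen in the outputs above; the function names and state labels are illustrative.

```python
import re
from datetime import datetime, timezone

# Constructed capture: the two "Cert upgrade timer" lines shown above, combined.
SAMPLE = """\
Show all timers (UTC):
Client0 (CONTROLLER):
Cert upgrade timer: expires 3/12/2019 15:20:58 current-time 12/6/2018 13:07:31 update-before-2-days still 8129607 sec(3/10/2019 15:20:58) is running
Client2 (ROUTER-CERT):
Cert upgrade timer: expires 9/5/2019 13:12:34 current-time 12/6/2018 14:00:49 update-before-2-days still 23411504 sec(9/3/2019 13:12:33) is running
"""

TS = r"([\d/]+ [\d:]+)"
CLIENT = re.compile(r"^(Client\d+) \((.+)\):$")
CERT = re.compile(r"Cert upgrade timer: expires " + TS + r" current-time " + TS +
                  r" update-before-\d+-days still -?\d+ sec\(" + TS + r"\)")

def parse_ts(text):
    """Parse 'M/D/YYYY H:MM:SS' (assumed format) as a UTC timestamp."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)

def cert_status(output, now=None):
    """Return one dict per SCEP client describing its device certificate.

    'now' defaults to the device's own current-time field, so a stored
    capture can be re-evaluated later by passing the real current time.
    """
    results, client = [], None
    for line in output.splitlines():
        line = line.strip()
        m = CLIENT.match(line)
        if m:
            client = f"{m[1]} ({m[2]})"
            continue
        m = CERT.search(line)
        if not m:
            continue
        expires, renew_at = parse_ts(m[1]), parse_ts(m[3])
        ref = now or parse_ts(m[2])
        if ref >= expires:
            state = "EXPIRED"            # manual update via SCEP no longer possible
        elif ref >= renew_at:
            state = "RENEWAL_OVERDUE"    # renewal was due, old certificate still installed
        else:
            state = "OK"
        results.append({"client": client, "expires": expires, "renew_at": renew_at,
                        "state": state, "days_left": (expires - ref).days})
    return results

if __name__ == "__main__":
    for r in cert_status(SAMPLE, now=datetime(2019, 3, 11, tzinfo=timezone.utc)):
        print(r["client"], r["state"], f"{r['days_left']} day(s) left")
```

A client reported as RENEWAL_OVERDUE still holds a valid certificate, so the manual update command from the procedure above can still be used for it.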

Catchwords: RA-Auto-Approve; Certificate; SCEP client