LANCOM Support Knowledgebase Document No. 1812.0512.1313.RHOO - V3.90

The SCEP client in LANCOM routers does not automatically renew expiring RA certificates



    Description:

    In certificate-based scenarios (VPN and WLC) in which the internal SCEP client of the LANCOM router is used to distribute certificates, the SCEP client does not automatically renew RA certificates that are about to expire.

    Once the RA certificate has expired, certificate-based VPN connections can no longer be established, and access points managed by a WLC can no longer connect to the WLC.




    1) Troubleshooting procedure:

    This behavior can only be remedied by updating the LCOS firmware. The update must be performed on all LANCOM devices involved in the scenario.

    It is fixed as of the following firmware versions:
    • LCOS 9.24 RU10 (coming soon)




    2) In the event of an error, how do I check whether my scenario is affected by the behavior described here?

    If you experience the connection problems described above in a certificate-based VPN scenario or in a WLC scenario, use the following procedure to verify whether the RA certificate has expired without being renewed automatically by the SCEP client:

    2.1) Procedure for certificate-based VPN connections:

    2.1.1) Open an SSH session on the LANCOM device that is acting as the registration authority (RA).

    2.1.2) At the command prompt, enter the command show scep vpn raenc rasig. This outputs the RA certificates currently stored on the device.
      The following example shows the output for an error that occurred on November 28, 2018.

      The line Not After : Nov 23 09:52:15 2018 GMT shows that the RA certificate had already expired five days earlier and was not renewed in time.

      root@Initiator:/
      > show scep vpn raenc rasig
      No specific certificate was chosen, showing all

      Certificate for application 0
      File /flash/security/vpn/vpn_pkcs12_int was read successfully

      Certificate:
      Data:
      Version: 3 (0x2)
      Serial Number: 3397240 (0x33d678)
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: CN=LANCOM CA,O=LANCOM SYSTEMS,C=DE
      Validity
      Not Before: Nov 26 09:52:15 2017 GMT
      Not After : Nov 23 09:52:15 2018 GMT


    2.1.3) If the Not After date lies in the past, update the LCOS firmware on all devices involved to one of the versions listed under 1) to fix the error.



    2.2) Procedure in WLC scenarios:

    2.2.1) Open an SSH session on a LANCOM access point managed by the WLC.

    2.2.2) At the command prompt, enter the command show scep capwap raenc rasig. This outputs the RA certificates currently stored on the access point.
      The following example shows the output for an error that occurred on November 28, 2018.

      The line Not After : Nov 23 09:52:15 2018 GMT shows that the RA certificate had already expired five days earlier and was not renewed in time.

      root@LANCOM_LN-830acn:/
      > show scep capwap raenc rasig
      File /flash/security/capwap/wtp_pkcs12_int was read successfully

      Certificate:
      Data:
      Version: 3 (0x2)
      Serial Number: 77681 (0x12f71)
      Signature Algorithm: md5WithRSAEncryption
      Issuer: CN=LANCOM CA,O=LANCOM SYSTEMS,C=DE
      Not Before: Nov 26 09:52:15 2017 GMT
      Not After : Nov 23 09:52:15 2018 GMT

    2.2.3) If the Not After date lies in the past, update the LCOS firmware on all devices involved to one of the versions listed under 1) to fix the error.
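    The checks in 2.1 and 2.2 come down to reading the Not After line of each RA certificate and comparing it with the current date. The following Python script is an added example, not LANCOM code and not part of this knowledgebase document: it parses the output of show scep vpn raenc rasig or show scep capwap raenc rasig as captured over SSH and reports for every RA certificate whether it has expired, is about to expire, or is still fine, so the same check can be run against both the VPN and the WLC output. The two embedded samples are the outputs quoted above with the prompt lines removed; the 14-day warning threshold, the function names and the reference date of November 28, 2018 are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples: the two CLI outputs quoted in this article, prompt lines removed.
SAMPLE_VPN_OUTPUT = """\
No specific certificate was chosen, showing all

Certificate for application 0
File /flash/security/vpn/vpn_pkcs12_int was read successfully

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3397240 (0x33d678)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=LANCOM CA,O=LANCOM SYSTEMS,C=DE
Validity
Not Before: Nov 26 09:52:15 2017 GMT
Not After : Nov 23 09:52:15 2018 GMT
"""
SAMPLE_WLC_OUTPUT = """\
File /flash/security/capwap/wtp_pkcs12_int was read successfully

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 77681 (0x12f71)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=LANCOM CA,O=LANCOM SYSTEMS,C=DE
Not Before: Nov 26 09:52:15 2017 GMT
Not After : Nov 23 09:52:15 2018 GMT
"""
# Day on which the article's error was observed; assumed here as the reference time.
REFERENCE_NOW = datetime(2018, 11, 28, tzinfo=timezone.utc)
_FILE_RE = re.compile(r"^File (\S+) was read successfully$")


def _parse_time(value):
    """'Nov 23 09:52:15 2018 GMT' -> aware UTC datetime (the CLI prints GMT).

    Month abbreviations are English, so run this under a C/English locale."""
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_ra_certificates(output):
    """One dict per 'Certificate:' block; the preceding 'File ...' line names its PKCS#12 store."""
    certs, current, pending_file = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        m = _FILE_RE.match(line)
        if m:
            pending_file = m.group(1)
        elif line == "Certificate:":
            current = {"file": pending_file, "serial": None, "sig_alg": None,
                       "not_before": None, "not_after": None}
            certs.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split at the first colon only
            key, value = key.strip(), value.strip()
            if key == "Not Before":
                current["not_before"] = _parse_time(value)
            elif key == "Not After":
                current["not_after"] = _parse_time(value)
            elif key == "Serial Number":
                current["serial"] = value
            elif key == "Signature Algorithm":
                current["sig_alg"] = value
    return certs


def check_ra_certificates(output, now=None, warn_days=14):
    """Classify each RA certificate as 'expired', 'expiring' (within warn_days) or 'ok'."""
    now = now or datetime.now(timezone.utc)
    results = []
    for cert in parse_ra_certificates(output):
        not_after = cert["not_after"]
        if not_after is None:
            status, days_left = "unparsed", None
        elif now >= not_after:
            status, days_left = "expired", (not_after - now).days
        elif now + timedelta(days=warn_days) >= not_after:
            status, days_left = "expiring", (not_after - now).days
        else:
            status, days_left = "ok", (not_after - now).days
        results.append({"file": cert["file"], "serial": cert["serial"], "sig_alg": cert["sig_alg"],
                        "not_after": not_after, "status": status, "days_left": days_left})
    return results


if __name__ == "__main__":
    # Evaluate both samples as of the day the error was noticed. To check a live
    # device, paste its CLI output into a file and pass that text instead.
    for name, text in (("vpn", SAMPLE_VPN_OUTPUT), ("capwap", SAMPLE_WLC_OUTPUT)):
        for r in check_ra_certificates(text, REFERENCE_NOW):
            print(f"{name}: {r['file']} {r['status'].upper()} "
                  f"(Not After {r['not_after']}, days left {r['days_left']}, {r['sig_alg']})")
```

    Run against the two samples, both RA certificates are reported as EXPIRED with a negative number of days left, which is exactly the condition steps 2.1.2 and 2.2.2 ask you to look for. Fed with freshly captured output and the current time, the script doubles as a periodic check that warns before expiry; it also prints the signature algorithm, which in the CAPWAP sample above is md5WithRSAEncryption and worth noting in its own right.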
    Catchwords: Certificate; CA; RA; SCEP; expire; renew; VPN; WLC; client