• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 921
  • Last Modified:



I want to setup a Cisco IOS router with a double role GETVPN Key Server and Certificate Authority.
The GMs can authenticate and enroll with the CA(KS) using CA's default trustpoint name (CISCO) but the CA(KS) can't establish GETVPN phase 1 with the GMs and returns the following error:

%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from <GMs IP> is bad: CA request failed!

All routers participating in GETVPN have the clocks sync with an NTP server. All timezones are set identical on all routers.

Should I use different trustpoint for GETVPN than the default one (default one is CISCO) then authenticate and enroll with it?

The default trustpoint (CISCO) can't be used to authenticate and enroll with it (in order to make KS participate in Phase 1 Authentication with GMs).

I find this double role useful because you can save a router.


  • 2
1 Solution
In such architecture, all routers should have a common trusted CA. You can use a server, or maybe you can try to enroll your router to itself, but I never tried that.
absolomxAuthor Commented:
Okies idea
absolomxAuthor Commented:
I confirm that you can enroll a router to itself.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now