Network #PKI-4-TRUSTPOOL_EXPIRATION_WARNING

On several Cisco switches we ran into this warning:

Mar  8 11:11:52.680: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days

Mar  8 11:11:52.680: %PKI-4-TRUSTPOOL_AUTO_UPDATE_DISABLED: Auto-trustpool update is disabled.

In Cisco IOS XE version 17.12.04 the auto-update feature for the PKI trustpool is enabled by default, so the device downloads a fresh trustpool bundle from Cisco's servers when the current one is about to expire.

How Auto-Update Works

When the PKI trustpool is due for an update (the bundled certificates are close to expiry, have been reissued, or new trusted certificates have been added), the system will:

  1. Attempt to download the updated trustpool bundle from the configured cabundle URL.
  2. If the download is successful, replace the trustpool with the new bundle.
  3. If the download fails, retry as the expiry date approaches: at 20 days, 15 days, 10 days, 5 days, 4 days, 3 days, 2 days and 1 day before expiry, and then hourly until a download succeeds.

This process ensures that the device maintains an up-to-date set of trusted root certificates, which is crucial for secure operations like HTTPS, VPNs, and Smart Licensing.

Unfortunately, in our case this configuration was missing:

crypto pki trustpool policy

 cabundle url http://www.cisco.com/security/pki/trs/ios.p7b

 revocation-check none

Note that revocation-check none disables CRL/OCSP revocation checking for certificates validated against the trustpool CAs; keep that in mind if the trustpool is used for anything beyond Cisco's own bundle. To import the bundle manually, run this command from global configuration mode (config t):

crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

To avoid problems, we ran this command ourselves.

To check the trustpool policy (including the configured cabundle URL and revocation setting), use:

show crypto pki trustpool policy
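The check below is an added example, not part of the original post or of Cisco's own tooling. It parses the per-certificate blocks that show crypto pki trustpool prints for each CA, computes how many days remain before the earliest expiry (the condition behind the 20-day warning above), and reproduces the retry schedule from the auto-update section to say when the next download attempt would fire. The sample output is constructed; the exact field layout ("Validity Date:", "end   date:") and the time-zone token are assumptions about the IOS XE format, so adjust the regex if your output differs.

```python
# Added example (not from the original post): parse "show crypto pki trustpool"
# output and reproduce the expiry-warning / auto-update retry logic.
import math
import re
from datetime import datetime, timedelta

# CONSTRUCTED sample output; the layout mimics IOS XE but is an assumption.
SAMPLE_SHOW_TRUSTPOOL = """\
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5FF87B282B54DC8D42A315B568C9ADFF
  Certificate Usage: Signature
  Issuer:
    cn=Example Root CA
    o=Example Org
  Subject:
    cn=Example Root CA
    o=Example Org
  Validity Date:
    start date: 00:00:00 UTC Mar 1 2010
    end   date: 00:00:00 UTC Mar 28 2025

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=Example Long-Lived Root
  Subject:
    cn=Example Long-Lived Root
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 00:00:00 UTC Jan 1 2040
"""

WARNING_DAYS = 20                                  # %PKI-4-TRUSTPOOL_EXPIRATION_WARNING threshold
RETRY_DAYS_BEFORE_EXPIRY = (20, 15, 10, 5, 4, 3, 2, 1)  # retry schedule quoted above; then hourly

# "end   date: HH:MM:SS <tz> Mon D YYYY"; the tz token is ignored (assumed UTC)
_END_RE = re.compile(r"end\s+date:\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})")
_CN_RE = re.compile(r"^\s*cn=(.+)$", re.MULTILINE)


def _as_dt(now):
    """Accept a datetime or an ISO-8601 string for 'now'."""
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def parse_trustpool(text):
    """Return [(subject_cn, not_after)] for every 'CA Certificate' block."""
    certs = []
    for block in text.split("CA Certificate\n"):
        m = _END_RE.search(block)
        if not m:
            continue  # leading chunk before the first block
        hms, mon, day, year = m.groups()
        not_after = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        # Subject follows Issuer, so look for cn= only after "Subject:"
        subj = block.split("Subject:", 1)[1] if "Subject:" in block else block
        cn = _CN_RE.search(subj)
        certs.append((cn.group(1).strip() if cn else "?", not_after))
    return certs


def days_until_expiry(certs, now):
    """Days (rounded up, as the syslog message counts them) until the earliest expiry."""
    earliest = min(not_after for _, not_after in certs)
    return math.ceil((earliest - _as_dt(now)).total_seconds() / 86400)


def next_auto_update_attempt(certs, now):
    """Datetime of the next scheduled download attempt: the next point on the
    20/15/10/5/4/3/2/1-days-before-expiry schedule, or one hour from now
    once inside the final day."""
    now = _as_dt(now)
    earliest = min(not_after for _, not_after in certs)
    if earliest - now <= timedelta(days=1):
        return now + timedelta(hours=1)
    upcoming = [earliest - timedelta(days=d) for d in RETRY_DAYS_BEFORE_EXPIRY
                if earliest - timedelta(days=d) > now]
    return min(upcoming)  # non-empty: the 1-day point is always still ahead here


def assess(text, now):
    """Summarise the trustpool state the way the two syslog messages above do."""
    certs = parse_trustpool(text)
    days_left = days_until_expiry(certs, now)
    return {
        "expiring_first": min(certs, key=lambda c: c[1])[0],
        "days_left": days_left,
        "warning": days_left <= WARNING_DAYS,
        "next_attempt": next_auto_update_attempt(certs, now),
    }


if __name__ == "__main__":
    # Same wall-clock moment as the syslog lines quoted above
    print(assess(SAMPLE_SHOW_TRUSTPOOL, "2025-03-08T11:11:52"))
```

Run it against a pasted show crypto pki trustpool capture with today's date to see whether the warning condition already holds and when the device would next try to fetch the bundle if the cabundle URL were present; if the auto-update is disabled, the "next attempt" is simply when you should run the manual import by.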

[other articles]

https://community.cisco.com/t5/switching/trustpool-expiration-on-3750-x/m-p/2423362#M286822


PKI Trustpool Management