I am having an odd issue and wondered if anyone else has come across it.
Our 2 UK DCs have routers that act as CAs for our spoke sites around the globe (about 90% of this issue is at sites in the Americas).
They are set to auto-renew, and the CAs have different timers to ensure the certificates would not run out at the same time.
Basically, we notice sites are down, log in via the WAN interface and find all the trustpoint information has been deleted from the running and startup configs.
It happens without warning; we run a weekly report to look for routers without the config. For example, we ran the report yesterday and it showed no sites with missing config, then this morning a site lost all its trustpoint info.
One of the CAs:
crypto pki server dmvpn-XX-RT2
 issuer-name CN=xxxxxxxx
 grant auto
 lifetime certificate 1000
 lifetime ca-certificate 1300
 auto-rollover 50
 database url nvram
The other CA:
crypto pki server dmvpn-YY-RT2
 issuer-name CN=yyyyyyyy
 grant auto
 lifetime certificate 900
 lifetime ca-certificate 1200
 auto-rollover 50
A spoke that uses the above trustpoints:
crypto pki trustpoint xxxxxxxx
 enrollment url http://xx.xx.xx.xx:80
 revocation-check none
 auto-enroll 80
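The two things worth scripting around a report like the one described above are (a) detecting which spokes have lost their `crypto pki trustpoint` block, or still have one but without `auto-enroll`, and (b) working out where each spoke's renewal attempt falls relative to the CA's own `auto-rollover` window, using the `lifetime` and `auto-enroll` values from the posted configs. The script below is an added example and is not code from the original post or from Cisco. The router names, addresses (RFC 5737 documentation ranges) and config text are constructed for the example. It also makes one labelled assumption: that a certificate issued by the IOS CA cannot outlive the CA certificate, so a spoke enrolled late in the CA's life gets a shortened validity and its 80% renewal point moves accordingly; verify that against the certificates actually issued on your platform.

```python
"""Audit spoke PKI config and map spoke renewal against CA rollover (added example)."""
import re
from datetime import date, timedelta

# Constructed "show running-config | section crypto pki" output for three spokes.
SAMPLE_CONFIGS = {
    "spoke-us-01": """\
crypto pki trustpoint xxxxxxxx
 enrollment url http://192.0.2.10:80
 revocation-check none
 auto-enroll 80
crypto pki certificate chain xxxxxxxx
 certificate 02
  3082 (omitted)
""",
    # This spoke has lost its trustpoint block entirely, like the sites in the post.
    "spoke-us-02": """\
interface Tunnel0
 tunnel protection ipsec profile dmvpn
""",
    # Trustpoint present but no auto-enroll: this spoke will never renew on its own.
    "spoke-uk-03": """\
crypto pki trustpoint xxxxxxxx
 enrollment url http://192.0.2.10:80
 revocation-check none
""",
}

# A trustpoint block is the header line plus every following indented line.
TRUSTPOINT_RE = re.compile(r"^crypto pki trustpoint (\S+)[ \t]*\n((?:[ \t]+\S.*\n?)*)", re.M)


def parse_trustpoints(config: str) -> dict:
    """Return {name: {enrollment_url, auto_enroll, revocation_check}} for each trustpoint."""
    found = {}
    for m in TRUSTPOINT_RE.finditer(config):
        name, body = m.group(1), m.group(2)
        tp = {"enrollment_url": None, "auto_enroll": None, "revocation_check": None}
        for raw in body.splitlines():
            parts = raw.split()
            if parts[:2] == ["enrollment", "url"] and len(parts) > 2:
                tp["enrollment_url"] = parts[2]
            elif parts[:1] == ["auto-enroll"]:
                # "auto-enroll" with no percentage is treated as 100 (the IOS default).
                tp["auto_enroll"] = int(parts[1]) if len(parts) > 1 else 100
            elif parts[:1] == ["revocation-check"]:
                tp["revocation_check"] = " ".join(parts[1:])
        found[name] = tp
    return found


def audit_spokes(configs: dict, trustpoint: str) -> dict:
    """Classify each router as 'missing', 'no-auto-enroll' or 'ok' for the given trustpoint."""
    report = {}
    for router, cfg in configs.items():
        tps = parse_trustpoints(cfg)
        if trustpoint not in tps:
            report[router] = "missing"
        elif tps[trustpoint]["auto_enroll"] is None:
            report[router] = "no-auto-enroll"
        else:
            report[router] = "ok"
    return report


def ca_timeline(ca_start: date, ca_lifetime_days: int, auto_rollover_days: int) -> dict:
    """When the CA generates its rollover (shadow) certificate and when its current one expires."""
    expires = ca_start + timedelta(days=ca_lifetime_days)
    return {"rollover": expires - timedelta(days=auto_rollover_days), "expires": expires}


def classify_renewal(issued: date, cert_lifetime_days: int, auto_enroll_pct: int, ca: dict) -> dict:
    """Place a spoke's auto-enroll renewal attempt relative to the CA rollover window.

    ASSUMPTION (not verified against the post): an issued certificate cannot outlive the
    CA certificate, so its effective end is min(nominal end, CA expiry), and the spoke
    renews at auto_enroll_pct of that effective validity.
    """
    nominal_end = issued + timedelta(days=cert_lifetime_days)
    effective_end = min(nominal_end, ca["expires"])
    effective_days = (effective_end - issued).days
    renew_on = issued + timedelta(days=effective_days * auto_enroll_pct // 100)
    if renew_on < ca["rollover"]:
        phase = "before-rollover"       # renews against the current CA cert, no rollover involved
    elif renew_on < ca["expires"]:
        phase = "in-rollover-window"    # shadow CA cert already exists when the spoke renews
    else:
        phase = "after-ca-expiry"       # renewal not attempted before the CA cert is gone
    return {"effective_end": effective_end, "renew_on": renew_on,
            "phase": phase, "truncated": effective_end < nominal_end}


if __name__ == "__main__":
    for router, state in audit_spokes(SAMPLE_CONFIGS, "xxxxxxxx").items():
        print(f"{router}: {state}")
    # Values from the first posted CA: 1300-day CA cert, rollover 50 days before expiry,
    # 1000-day spoke certs, spokes renewing at 80%. CA start date is constructed.
    ca = ca_timeline(date(2020, 1, 1), 1300, 50)
    for day_enrolled in (0, 500, 1100):
        r = classify_renewal(date(2020, 1, 1) + timedelta(days=day_enrolled), 1000, 80, ca)
        print(f"spoke enrolled on CA day {day_enrolled}: renews {r['renew_on']} ({r['phase']})")
```

Under the stated assumption, a spoke enrolled in roughly the last 250 days of the CA certificate's life (1300 minus 1100 leaves 200 days, 20% of which is less than the 50-day rollover window) renews only after the shadow CA certificate exists, so those are the spokes to look at first when a site drops its trustpoint shortly after a rollover; the weekly report logic in `audit_spokes` also catches the quieter failure of a trustpoint that survived but has no `auto-enroll` line at all.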