topic %ASA-3-717002: Certificate enrollment failed for trustpoint ASDM in Network Security

%ASA-3-717002: Certificate enrollment failed for trustpoint ASDM_TrustPoint4. Reason: Denied by the CA.

orsonjoon — Tue, 12 Mar 2019 00:17:17 GMT

Hello,

I want to auto enroll an identity certificate on our Cisco ASA firewall based on the " Web server With Private Key" template in Windows server 2008 CA.

I did all the steps nessecary on the Windows 2008 CA to configure auto-enrollment, modified the template for auto enrollment, modified the default domain policy and the certificate services client - Auto-enrollment policy and restarted the CA service.

On the ASA firewall I configured the following and started debugging:

crypto ca trustpoint ASDM_TrustPoint4

revocation-check none

password 91777F69D5399B20

id-usage ssl-ipsec

no fqdn

email mail@mail.com

subject-name CN=asa5500

enrollment url http://2k8server.test.local:80/certsrv/mscep/mscep.dll

crypto ca authenticate ASDM_TrustPoint4 nointeractive

crypto ca enroll ASDM_TrustPoint4 noconfirm

Then I got the following message on the monitor:

%ASA-3-717002: Certificate enrollment failed for trustpoint ASDM_TrustPoint4. Reason: Denied by the CA.

,CN=CDP,CN=Publi

Why is this request denied by the CA, and why can't I see this in the "Failed Requests" in de CA itself?

In the application event log of the server this message appears:

The Network Device Enrollment Service cannot submit the certificate request (0x800706ba). The RPC server is unavailable.

Please help, I lost almost all my hair over this

Thanks a lot...

%ASA-3-717002: Certificate enrollment failed for trustpoint ASDM

Jennifer Halim — Fri, 02 Nov 2012 12:03:10 GMT

Does the URL actually resolve to an ip address on the ASA?

The ASA needs to be able to resolve 2k8server.test.local, otherwise, i won't be able to perform the enrollment.

Can you try the enrollment url with ip address instead of fqdn and see if it works.

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

orsonjoon — Fri, 02 Nov 2012 18:06:30 GMT

Hello,

Thanks for the reply, unfortunalty even with the ip adress in place Same result.
Strange because the CA certificate enrolled by SCEP with no problems

I would appreciate any suggestions trying to figure this out.

Thanks again...

Sent from Cisco Technical Support iPad App

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

Jennifer Halim — Fri, 02 Nov 2012 20:09:19 GMT

Can you pls run debug and share the output:

debug cry ca 255

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

david.tran — Sat, 03 Nov 2012 21:28:24 GMT

1- did you have the clock settings correctly on the ASA itself using NTP servers?

2- did you have the clock settings correctly on the Win2k8 server using NTP servers?

3- did you install SCEP on the Win2k8 box?

I run into the exact same issue you're experiencing when I use my router to enroll certificate using Windows 2008R2.

No such issue on Windows 2003 Server whatsoever so I know the issue is on Windows 2008, something is mis-configured on that Windows 2008 box but I don't have time to troubleshoot it right now.

Why don't you use Windows 2003 with SCEP installed and see if you see the same issue. I am willing to bet the answer is no.

Below is the certificate request from a router to Windows 2003 Certificate Authority Server:

c3845(config)#crypto ca trustpoint exchange2010

c3845(ca-trustpoint)# enrollment retry count 5

c3845(ca-trustpoint)# enrollment retry period 3

c3845(ca-trustpoint)# enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll

c3845(ca-trustpoint)# crl optional

c3845(ca-trustpoint)#

c3845(ca-trustpoint)#crypto ca authenticate exchange2010

Certificate has the following attributes:

Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11

Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

c3845(config)#crypto ca enroll exchange2010

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: c3845

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]:

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose exchange2010' commandwill show the fingerprint.

c3845(config)#

*Nov 3 22:11:18.289: CRYPTO_PKI: Certificate Request Fingerprint MD5: 11C23B80 FE62AFCC 794A516F 001DD3F8

*Nov 3 22:11:18.289: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 31BF71AE 85379C32 A9F5E001 05B7D8AF 6E30DBA2

c3845(config)#

*Nov 3 22:11:19.525: %PKI-6-CERTRET: Certificate received from Certificate Authority

c3845(config)#

c3845(config)#end

c3845#

*Nov 3 22:11:23.509: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.15.7)

c3845#show crypto pki certificate verbose exchange2010

Certificate

Status: Available

Version: 3

Certificate Serial Number (hex): 241C56D7000000000010

Certificate Usage: General Purpose

Issuer:

cn=exchange2010

dc=exchange2010

dc=com

Subject:

Name: c3845

hostname=c3845

CRL Distribution Points:

ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl

Validity Date:

start date: 21:15:56 UTC Nov 3 2012

end date: 21:15:56 UTC Nov 3 2014

Subject Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (512 bit)

Signature Algorithm: SHA1 with RSA Encryption

Fingerprint MD5: 88E0522E E2C1637A AE5E7CC9 103E03C1

Fingerprint SHA1: 5678D733 1EB3C5CD 4E07248E 3DC4BC5F D32D6D50

X509v3 extensions:

X509v3 Key Usage: A0000000

Digital Signature

Key Encipherment

X509v3 Subject Key ID: 72DC04D4 343115B0 2DAEFAEF 36F23D29 9D432382

X509v3 Basic Constraints:

CA: FALSE

X509v3 Subject Alternative Name:

c3845

X509v3 Authority Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550

Authority Info Access:

Associated Trustpoints: exchange2010

Key Label: c3845

CA Certificate

Status: Available

Version: 3

Certificate Serial Number (hex): 50271D7CD98632B74ABC894310D34244

Certificate Usage: Signature

Issuer:

cn=exchange2010

dc=exchange2010

dc=com

Subject:

cn=exchange2010

dc=exchange2010

dc=com

CRL Distribution Points:

ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl

Validity Date:

start date: 01:45:14 UTC Oct 24 2012

end date: 01:54:43 UTC Oct 24 2019

Subject Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (2048 bit)

Signature Algorithm: SHA1 with RSA Encryption

Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11

Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9

X509v3 extensions:

X509v3 Key Usage: 86000000

Digital Signature

Key Cert Sign

CRL Signature

X509v3 Subject Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550

X509v3 Basic Constraints:

CA: TRUE

Authority Info Access:

Associated Trustpoints: exchange2010

c3845#

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

orsonjoon — Mon, 05 Nov 2012 18:12:58 GMT

The time on the ASA firewall and the w2k8 domain controller and the w2k8 CA are all properly synched bij (s)ntp.

I attached the debug from the request.

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

orsonjoon — Mon, 05 Nov 2012 18:14:21 GMT

The time on the ASA firewall and the w2k8 domain controller and the w2k8 CA are all properly synched bij (s)ntp.

I attached the debug from the request.

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

david.tran — Fri, 09 Nov 2012 11:17:34 GMT

Ok, I think I've found the issue.

It has to do with Win2k8 CA uses 2048 bits while ASA or IOS routers usually implement either 512 or 1024 bits when you run "crypto ca key generate rsa modulus 1024" or somthing like that. Do this (I did this on my IOS router 12.2(4)24T):

crypto ca key zeroize rsa

crypto ca key generate rsa modulus 2048

After that, go ahead and authticate your certificate process. Here is the output from my router with win2k8R2 CA server:

c3845(config)#crypto ca ke

c3845(config)#crypto key zero

c3845(config)#crypto key zeroize rsa

% All RSA keys will be removed.

% All router certs issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes

c3845(config)#yes

*Nov 9 12:00:31.791: %SSH-5-DISABLED: SSH 1.99 has been disabled

c3845(config)#crypto key ge

c3845(config)#crypto key generate rsa mo

c3845(config)#crypto key generate rsa modulus 2048

The name for the keys will be: c3845.rogerfederer.com

% The key modulus size is 2048 bits

% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

c3845(config)#

*Nov 9 12:00:45.719: %SSH-5-ENABLED: SSH 1.99 has been enabled

c3845(config)#crypto ca trustpoint rogerfederer

c3845(ca-trustpoint)# enrollment retry count 5

c3845(ca-trustpoint)# enrollment retry period 3

c3845(ca-trustpoint)# enrollment url http://192.168.244.28:80/certsrv/mscep/mscep.dll

c3845(ca-trustpoint)# crl optional

c3845(ca-trustpoint)# exit

c3845(config)#

c3845(config)#crypto ca authenticate rogerfederer

Certificate has the following attributes:

Fingerprint MD5: 24C7B6CA 54C54574 69229B75 F17E50B0

Fingerprint SHA1: 7AD9814C 4B3E06AA BA5134CA 26D5D9A1 3F5DF94C

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

c3845(config)#crypto ca enroll rogerfederer

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: c3845.rogerfederer.com

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]:

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose rogerfederer' commandwill show the fingerprint.

c3845(config)#

*Nov 9 12:01:07.579: CRYPTO_PKI: Certificate Request Fingerprint MD5: 63B71575 3F1C06C4 91EC7C95 65F72CB8

*Nov 9 12:01:07.579: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 439A5C53 415BBB29 8F7B7DA2 828833A3 96EDD9DD

c3845(config)#

*Nov 9 12:01:08.535: %PKI-6-CERTRET: Certificate received from Certificate Authority

c3845(config)#

Easy right ?

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

orsonjoon — Fri, 09 Nov 2012 19:50:43 GMT

Hello David,

Thanks for trying so hard to help me, thank you for that!

I tried it exactly your way.

Unfortunately my problem is not solved with this, I stil got after the enrollment request was send out of the router, or firewall this message on the console:

pix515e# The certificate enrollment request was denied by CA!

In the Windows 2008 CA server in the application log I see sthis:

The Network Device Enrollment Service cannot submit the certificate request (0x800706ba). The RPC server is unavailable.

I think that te problem might be in the Windows 2008 CA server, but I just can't seem to find the problem or solution for this.

It doesnt matter if I try this from an ASA, PIX or our lab 3620 Cisco router, the error is always the same....

What is going on with the RPC server????

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

david.tran — Sat, 10 Nov 2012 12:27:55 GMT

Issue:

The Network Device Enrollment Service cannot submit the certificate request (0x800706ba).

The RPC server is unavailable.

CAUSE:

This issue occurs because the port that the CertRequest interface uses is changed when you restart

the server on which the Enterprise CA is installed. Therefore,

the NDES role service cannot connect to the enterprise CA. Then, the SCEP request fails,

and network devices cannot enroll or renew certificates.

Solution:

Hot fix from microsoft http://support.microsoft.com/kb/2633200

This happens when you create your CA on a Domain Controller and the “Domain Controllers”

security group is missing from the “CERTSVC_DCOM_ACCESS” Domain Local Security Group.

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

orsonjoon — Sun, 11 Nov 2012 10:50:19 GMT

Hello David,

Youre the best! I now know that I ran into a Microsoft bug, where there is no fix for jet.
The fix is for Windows server 2008 R2, while we use the normal Windows Server 2008.

Manual certificate installation was succesfull so far, I think that I wait for the planned upgrade to Server 2012 to try again.

Thanks for all your effort, I owe you a big pint of beer...

Sent from Cisco Technical Support iPad App

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

david.tran — Sun, 11 Nov 2012 14:16:59 GMT

You're very welcome !!!!

Just so you know, I work with mainly Checkpoint firewalls so Cisco is not my strong area