ERROR: receiving Certificate Authority certificate: status = FAIL

Tiago Marques — Fri, 21 Feb 2020 13:08:48 GMT

Hi all,

we have installed new MS root CA and issuing CA (Windows Server 2008 R2 Enterprise) . When I tried to get CA certificate from some Cisco devices Cisco WS-C3560-24PS it fail.

Debug:

QL-SW3(config)#CRYPTO CA authenticate ESSAUDE

092306: Mar 27 11:47:38.075 PT: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.0.4.2

092307: Mar 27 11:47:38.075 PT: CRYPTO_PKI: locked trustpoint ESSAUDE, refcount is 1
092308: Mar 27 11:47:38.075 PT: CRYPTO_PKI: can not resolve server name/IP address
092309: Mar 27 11:47:38.075 PT: CRYPTO_PKI: Using unresolved IP Address 10.0.4.2
092310: Mar 27 11:47:38.084 PT: CRYPTO_PKI: http connection opened
092311: Mar 27 11:47:38.084 PT: CRYPTO_PKI: Sending HTTP message

092312: Mar 27 11:47:38.084 PT: CRYPTO_PKI: HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.0.4.2

092313: Mar 27 11:47:38.084 PT: CRYPTO_PKI: unlocked trustpoint ESSAUDE, refcount is 0
092314: Mar 27 11:47:38.084 PT: CRYPTO_PKI: locked trustpoint ESSAUDE, refcount is 1
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

QL-SW3(config)#
QL-SW3(config)#
QL-SW3(config)#
092315: Mar 27 11:47:53.393 PT: CRYPTO_PKI: unlocked trustpoint ESSAUDE, refcount is 0
092316: Mar 27 11:47:53.393 PT: CRYPTO_PKI: HTTP header:
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
Date: Thu, 27 Mar 2014 11:47:53 GMT
Connection: close
Content-Length: 1208

Content-Type indicates we did not receive a certificate.

092317: Mar 27 11:47:53.401 PT: CRYPTO_PKI: transaction GetCACert completed
QL-SW3(config)#

anybody have idea ?

regards

It looks like your CA server

mclarenh — Fri, 04 Apr 2014 19:52:47 GMT

It looks like your CA server is returning a 500 error.

You can verify this by browsing to that same URL (http://10.0.4.2/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE) using a browser. If it's all working, you should be able to download the CA certificate this way (save it to, for example, ca.crt and try opening it).

I'm not certain, because I don't know how your CA is set up, but I think the enrolment URL you have configured in your trustpoint on the switch might be wrong. Does it work on any devices, or is it just these switches having problems?

--hugh

topic It looks like your CA server in Network Security

ERROR: receiving Certificate Authority certificate: status = FAIL

It looks like your CA server