Enrollment over Secure Transport TLSv1 failure

krogers
Level 1

I'm trying to use 'method-est' for enrollment on a solution I'm working on, and whenever I start the process of 'crypto pki authenticate <TRUSTPOINT>' it fails. I'm not getting any sort of response whatsoever, I believe because of a TLS handshake failure I'm seeing with Wireshark. There is not much documentation for EST on cisco.com, so I'm struggling to figure out what my next steps are. I'm using a CertAgent CA from InfoSecCorp and it has EST enabled, because I can request the root cert fine when I use Postman and just do a GET request.

 

!
crypto pki trustpoint RED-CA
 enrollment profile RED-CA-PROFILE
 fqdn site-ops-ie-01.domain.com
 subject-name cn=site-ops-ie-01.domain.com
 revocation-check crl
 rsakeypair SITE-OPS-IE-01.key 4096
!
crypto pki profile enrollment RED-CA-PROFILE
 method-est
 authentication url  https://10.1.12.29:443/.well-known/est/certagent/ca7/cacerts
 enrollment url  https://10.1.12.29:443/.well-known/est/certagent/ca7/simpleenroll
 reenrollment url  https://10.1.12.29:8443/.well-known/est/certagent/ca7/simplereenroll
 enrollment credential  RED-CA
 source-interface Loopback0
!

Here is the debug:

Feb 4 20:17:54.724: EST_CLIENT: Process timer event
Feb 4 20:17:54.724: EST_CLIENT: Process queue event
Feb 4 20:17:54.724: EST_CLIENT: Process starting enrollment
Feb 4 20:17:54.733: EST_CLIENT: CSR created successfully
MIIEkTCCAnkCAQAwLjEsMCoGCSqGSIb3DQEJAhYdQ0FDQy1PUFMtSVItMDEuQUZQ
.... TRUNCATED .........
EHgyUwYrBm0cRoB+Hc1KHzSTdmARvGvrDnKpbn1NqiyTZkdA1k02Bei6QMiw51XK
EPjJ+ei9znCPmbF0HwYnn5mYrE1K
Feb 4 20:17:54.733: EST_CLIENT : En/Re enroll URL : https://10.1.12.29:8443/.well-known/est/certagent/ca7/simpleenroll/simpleenroll
Feb 4 20:17:54.733: EST_CLIENT: Send http request
Feb 4 20:17:54.734: EST_CLIENT: have http response 3 tid
Feb 4 20:17:54.734: status_code : 0
Feb 4 20:17:54.734: status_string :
Feb 4 20:17:54.734: content_type :
Feb 4 20:17:54.734: content_encoding :
Feb 4 20:17:54.734: content_length : 4294967295
Feb 4 20:17:54.734: Location :
Feb 4 20:17:54.734: Server :
Feb 4 20:17:54.734: EST_CLIENT: Process queue event
Feb 4 20:17:54.734: EST_CLIENT: enrollment response status = 0
Feb 4 20:17:54.734: EST http send request failed
Feb 4 20:17:54.734: EST_CLIENT: retrying in 30 seconds
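An added example, not part of the original post and not Cisco code: a small check that compares the enrollment URL configured in the profile with the request URL the EST_CLIENT debug reports, which is a quick first step before chasing the TLS handshake itself. The function names are hypothetical, the sample text is copied from the post above, and port 443 is assumed when an https URL carries no port.

```python
import re
from urllib.parse import urlsplit

# Sample input: profile lines and debug lines copied from the post above.
CONFIG = """\
crypto pki profile enrollment RED-CA-PROFILE
 method-est
 authentication url  https://10.1.12.29:443/.well-known/est/certagent/ca7/cacerts
 enrollment url  https://10.1.12.29:443/.well-known/est/certagent/ca7/simpleenroll
 reenrollment url  https://10.1.12.29:8443/.well-known/est/certagent/ca7/simplereenroll
"""
DEBUG = """\
Feb 4 20:17:54.733: EST_CLIENT : En/Re enroll URL : https://10.1.12.29:8443/.well-known/est/certagent/ca7/simpleenroll/simpleenroll
Feb 4 20:17:54.734: status_code : 0
"""

def configured_urls(config):
    """Map 'authentication' / 'enrollment' / 'reenrollment' to the configured URL."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(\w+) url\s+(\S+)", config, re.M)}

def requested_urls(debug):
    """URLs the EST client logged as the enroll/re-enroll request target."""
    return re.findall(r"En/Re enroll URL\s*:\s*(\S+)", debug)

def compare(configured, requested):
    """List the differences between a configured URL and the URL actually requested."""
    c, r = urlsplit(configured), urlsplit(requested)
    findings = []
    if c.hostname != r.hostname:
        findings.append(f"host differs: {c.hostname} vs {r.hostname}")
    if (c.port or 443) != (r.port or 443):  # assumption: https default port
        findings.append(f"port differs: configured {c.port or 443}, requested {r.port or 443}")
    c_segs, r_segs = c.path.strip("/").split("/"), r.path.strip("/").split("/")
    if c_segs != r_segs:
        if r_segs[:len(c_segs)] == c_segs:
            extra = "/".join(r_segs[len(c_segs):])
            findings.append(f"requested path has extra trailing segment(s): {extra}")
        else:
            findings.append(f"path differs: {c.path} vs {r.path}")
    return findings

def check(config, debug, kind="enrollment"):
    """Compare every logged request URL against the configured URL of the given kind."""
    want = configured_urls(config)[kind]
    return {url: compare(want, url) for url in requested_urls(debug)}

if __name__ == "__main__":
    print(check(CONFIG, DEBUG))
```

Run against the text in the post, it reports that the logged request went to port 8443 rather than the configured 443 and that the request path ends in a second `simpleenroll` segment.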