I'm trying to use 'method-est' for enrollment on a solution I'm working on, and whenever I start the process with 'crypto pki authenticate <TRUSTPOINT>' it fails. I'm not getting any sort of response whatsoever, I believe because of a TLS handshake failure I'm seeing in Wireshark. There is not much documentation for EST on cisco.com, so I'm struggling to figure out what my next steps are. I'm using a CertAgent CA from InfoSecCorp and it has EST enabled, because I can request the root cert fine when I use Postman and just do a GET request.
!
crypto pki trustpoint RED-CA
enrollment profile RED-CA-PROFILE
fqdn site-ops-ie-01.domain.com
subject-name cn=site-ops-ie-01.domain.com
revocation-check crl
rsakeypair SITE-OPS-IE-01.key 4096
!
crypto pki profile enrollment RED-CA-PROFILE
method-est
authentication url https://10.1.12.29:443/.well-known/est/certagent/ca7/cacerts
enrollment url https://10.1.12.29:443/.well-known/est/certagent/ca7/simpleenroll
reenrollment url https://10.1.12.29:8443/.well-known/est/certagent/ca7/simplereenroll
enrollment credential RED-CA
source-interface Loopback0
!
Here is the debug:
Feb 4 20:17:54.724: EST_CLIENT: Process timer event
Feb 4 20:17:54.724: EST_CLIENT: Process queue event
Feb 4 20:17:54.724: EST_CLIENT: Process starting enrollment
Feb 4 20:17:54.733: EST_CLIENT: CSR created successfully
MIIEkTCCAnkCAQAwLjEsMCoGCSqGSIb3DQEJAhYdQ0FDQy1PUFMtSVItMDEuQUZQ
.... TRUNCATED .........
EHgyUwYrBm0cRoB+Hc1KHzSTdmARvGvrDnKpbn1NqiyTZkdA1k02Bei6QMiw51XK
EPjJ+ei9znCPmbF0HwYnn5mYrE1K
Feb 4 20:17:54.733: EST_CLIENT : En/Re enroll URL : https://10.1.12.29:8443/.well-known/est/certagent/ca7/simpleenroll/simpleenroll
Feb 4 20:17:54.733: EST_CLIENT: Send http request
Feb 4 20:17:54.734: EST_CLIENT: have http response 3 tid
Feb 4 20:17:54.734: status_code : 0
Feb 4 20:17:54.734: status_string :
Feb 4 20:17:54.734: content_type :
Feb 4 20:17:54.734: content_encoding :
Feb 4 20:17:54.734: content_length : 4294967295
Feb 4 20:17:54.734: Location :
Feb 4 20:17:54.734: Server :
Feb 4 20:17:54.734: EST_CLIENT: Process queue event
Feb 4 20:17:54.734: EST_CLIENT: enrollment response status = 0
Feb 4 20:17:54.734: EST http send request failed
Feb 4 20:17:54.734: EST_CLIENT: retrying in 30 seconds
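As an added example (not part of the original post, and not Cisco or CertAgent code), here is a small Python checker that reads the profile URLs and the debug lines shown above and flags what stands out: the URL the client actually used ends in a doubled /simpleenroll segment and uses port 8443, neither of which matches the configured enrollment url, and status_code 0 with content_length 4294967295 (0xFFFFFFFF, i.e. -1 as an unsigned value) means no HTTP response was ever read, which fits a failure at the TLS layer. The assumption that the client appends the RFC 7030 operation name to the configured URL itself is an inference from the debug line, not a documented behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the profile URLs and the key debug lines from the post above.
PROFILE = """\
authentication url https://10.1.12.29:443/.well-known/est/certagent/ca7/cacerts
enrollment url https://10.1.12.29:443/.well-known/est/certagent/ca7/simpleenroll
reenrollment url https://10.1.12.29:8443/.well-known/est/certagent/ca7/simplereenroll
"""
DEBUG = """\
Feb 4 20:17:54.733: EST_CLIENT : En/Re enroll URL : https://10.1.12.29:8443/.well-known/est/certagent/ca7/simpleenroll/simpleenroll
Feb 4 20:17:54.734: status_code : 0
Feb 4 20:17:54.734: content_length : 4294967295
Feb 4 20:17:54.734: EST http send request failed
"""

# Operation path segments defined by RFC 7030 section 3.2.2.
EST_OPS = ("cacerts", "simpleenroll", "simplereenroll")

def parse_profile(text):
    """Map 'authentication'/'enrollment'/'reenrollment' to the configured URL."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^(\w+) url (\S+)$", text, re.M)}

def diagnose(profile_text, debug_text):
    """Return findings that compare the configured URLs with what the client did."""
    findings = []
    urls = parse_profile(profile_text)
    m = re.search(r"En/Re enroll URL : (\S+)", debug_text)
    if m:
        used = urlsplit(m.group(1))
        segs = used.path.strip("/").split("/")
        # Assumption: the client appended the operation name to a URL that already ended with it.
        if len(segs) >= 2 and segs[-1] in EST_OPS and segs[-1] == segs[-2]:
            findings.append("doubled operation segment: " + used.path)
        cfg = urlsplit(urls.get("enrollment", ""))
        if used.port != cfg.port:
            findings.append(f"client used port {used.port}, enrollment url configures {cfg.port}")
    # status_code 0 plus content_length 0xFFFFFFFF (-1 as unsigned) means no HTTP
    # response was ever read: the failure is below HTTP, i.e. at TCP or TLS.
    if re.search(r"status_code : 0$", debug_text, re.M) and "content_length : 4294967295" in debug_text:
        findings.append("no HTTP response received (status 0, length -1): check TLS handshake")
    return findings

if __name__ == "__main__":
    for finding in diagnose(PROFILE, DEBUG):
        print("-", finding)
```

Pointing the same checker at a Wireshark-confirmed handshake failure against the cacerts URL (port 443) versus the port the client actually dialled (8443) narrows down whether the server is even listening for TLS where the client is connecting.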