I found this solution.
Symptom
Network devices may not be able to renew their certificate issued by Cisco DNA Center or perform other SCEP operations like obtaining a CRL or CA Capabilities. Any of the following example messages may be logged in the device "show logging" output:

%PKI-2-CERT_ENROLL_FAIL: Certificate enrollment failed for trustpoint sdn-network-infra-iwan.
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint sdn-network-infra-iwan failed Reason : Failed to verify PKCS7 response
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint sdn-network-infra-iwan failed Reason : CA Capabilities fetch failure.
Conditions
This issue was observed in Cisco DNA Center after upgrading to the 2.3.3.7 release.
Workaround
When the device certificate is expired, or before it expires, use Cisco DNA Center to issue a new certificate. Go to "Provision / Network Devices / Inventory", select the relevant device, then navigate to "Actions > Telemetry > Update Telemetry Settings". In the pop-up window, make sure to select the option "Force Configuration Push" and finish the process. This will issue a new certificate for the device.
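To find which devices are affected, the messages quoted under Symptom can be searched for in collected syslog. The following is an added example, not part of the original post and not Cisco tooling: it groups the two PKI failure messages per device for one trustpoint. The collector line layout ("timestamp hostname message"), the hostnames, the timestamps and the second trustpoint name are constructed assumptions.

```python
import re
from collections import defaultdict

# Message shapes as quoted in the symptom text; the trailing "." is optional.
ENROLL = re.compile(
    r"%PKI-2-CERT_ENROLL_FAIL: Certificate enrollment failed "
    r"for trustpoint (\S+?)\.?\s*$")
CRL = re.compile(
    r"%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint (\S+) failed"
    r"(?:\s+Reason\s*:\s*(.+?))?\.?\s*$")

# Constructed sample input; assumed layout "<timestamp> <hostname> <message>".
SAMPLE_LOG = """\
2024-01-10T08:00:01Z edge-sw-01 %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint sdn-network-infra-iwan failed Reason : Failed to verify PKCS7 response
2024-01-10T08:00:05Z edge-sw-01 %PKI-2-CERT_ENROLL_FAIL: Certificate enrollment failed for trustpoint sdn-network-infra-iwan.
2024-01-10T08:01:10Z core-rtr-02 %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint sdn-network-infra-iwan failed Reason : CA Capabilities fetch failure.
2024-01-10T08:02:00Z core-rtr-02 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
2024-01-10T08:03:00Z lab-sw-09 %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint lab-ca failed Reason : Failed to verify PKCS7 response
"""

def triage(log_text, trustpoint="sdn-network-infra-iwan"):
    """Return {host: {"enroll_failed": bool, "crl_reasons": [str, ...]}}."""
    hosts = defaultdict(lambda: {"enroll_failed": False, "crl_reasons": set()})
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # not in the assumed three-field layout
        host, msg = parts[1], parts[2]
        m = ENROLL.search(msg)
        if m and m.group(1) == trustpoint:
            hosts[host]["enroll_failed"] = True
            continue
        m = CRL.search(msg)
        if m and m.group(1) == trustpoint:
            hosts[host]["crl_reasons"].add(m.group(2) or "unspecified")
    return {h: {"enroll_failed": v["enroll_failed"],
                "crl_reasons": sorted(v["crl_reasons"])}
            for h, v in hosts.items()}

def affected_hosts(report):
    """Affected hostnames, devices with a failed enrollment listed first."""
    return sorted(report, key=lambda h: (not report[h]["enroll_failed"], h))

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for host in affected_hosts(report):
        print(host, report[host])
```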