Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10619
Views
6
Helpful
11
Replies

SCEP Certificate missing required extensions

Boogis
Community Member

‎07-06-2023 12:28 PM

Hello,

I tried renewing our SCEP cert with our Windows certification authority and it will not upload due to error "SCEP Certificate missing required extensions". We dont use OPENSSL for our CA so the instructions and help article do not help... What are the required extensions??

Labels:
0 Helpful
11 Replies 11

Philip D'Ath
Meraki Community All-Star
Meraki Community All-Star

‎07-06-2023 05:05 PM

What in Meraki land are you using SCEP for?

If you open the Certificate Template in Microsoft CA server - what are listed as the required extensions?

0 Helpful

Boogis
Community Member
In response to Philip D'Ath

‎07-10-2023 02:24 PM

I would guess for Wi-Fi security and authentication, but I am not sure why we are using that. Since it would make the Meraki portal a subordinate CA, i believe it would use the subordinate CA template. That one I have set to only require a common name. Systems manager has a new requirement that an additional file is icreated when the cert is generated. I created a template that has these extra settings but still no luck with the cert.

Where `configuration_file.ext` contains the following extension value pairs:

basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,digitalSignature
0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee

‎01-24-2024 04:24 PM

I'm having the same issue trying to update my expired SCEP certificate. I've tried using the built-in SubCA template in ADCS as well as created new templates, but I cannot seem to get the Meraki Dashboard to accept anything signed by ADCS.

Here are the basic constraints and key usage settings in my SubCA template.
image.pngimage.png

And the resulting signed certificate from the Meraki CSR:

image.png

image.png

image.png

Has anyone been able to get this working with the newer requirements and ADCS?

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee

‎01-28-2024 10:22 PM

Okay, I was able to use the following workaround in my lab environment to update the SCEP certificate.

Using OpenSSL to sign the certificate is not ideal as that certificate would live outside of the control and knowledge of ADCS.

However, since this is just a lab environment, I was able to use the following option to extract the Root CA cert and key from my ADCS in p12 format.

https://support.citrix.com/article/CTX224970/how-to-export-internal-root-ca-with-private-key-from-microsoft-certificate-authority-services-to-use-on-netscaler-swg

I was then able to use the openssl commands in this document to extract the certificate and key in PEM format and then use OpenSSL to sign the Meraki SCEP cert.

https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl/

I doubt this option would be acceptable for a customer Production environment, but it works for my lab setup.

Philip D'Ath
Meraki Community All-Star
Meraki Community All-Star
In response to Greg Gibbs

‎01-29-2024 11:03 AM

Well done. Clever work around.

0 Helpful

caug1
Community Member
In response to Greg Gibbs

‎03-12-2025 10:52 AM

Sorry to resurrect this old thread, but is there any solution to this? I'm having a similar issue signing the CSR with any type of template and uploading to meraki.

0 Helpful

Boogis
Community Member
In response to caug1

‎03-13-2025 01:19 PM

Did you try Grgibbs solution? We did not end up moving forward with it so I'm not sure if it works.

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to caug1

‎03-16-2025 02:15 PM

I recently went through the process of signing the SCEP certificate for another separate lab environment and found Meraki still threw the same error when I signed it using the Intermediate CA template in ADCS.

I had to use the same workaround above with OpenSSL to get it to work.

0 Helpful

PriscillaX
Cisco Employee
Cisco Employee

‎03-13-2025 12:01 PM

Hi @Boogis , thank you for raising this question!

Were you able to resolve this issue? If so, we would love to hear more about it. If not, we recommend submitting a case on our Dashboard under ? > Get Help & Cases so we can further investigate the renewal process for SCEP certificate under your SM network.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Helpful

Boogis
Community Member
In response to PriscillaX

‎03-13-2025 01:21 PM

No. We had given up or decided it was not worth the trouble.

If we revisit the issue, I will certainly do that. Thank you!

0 Helpful

esherwoo
Cisco Employee
Cisco Employee

‎04-13-2025 06:56 AM

Since I just found this topic from the error message and managed to figure out the problem, I figured I would post the solution...

The issue with the AD subordinate cert is that it was missing pathlen:0, which is what prohibits this CA from issuing more subordinate certs. This is a cert policy construct that we can edit with a command on our Microsoft CA:


from a cmd prompt with administrative rights on your CA server run the command

> certutil -setreg Policy\CAPathLength 1

After you issue that command go and resubmit your CA request and get your cert (rename the file extension to crt) the dashboard now will accept it.

more info on

Constraints

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/constraints-what-they-are-and-how-they8217re-used/1129048

Customers Also Viewed These Support Documents