08-24-2011 01:06 AM
Log from Cisco:
cisco1841Surgut(config)#crypto pki authenticate subca01
000129: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: pki request queued properly
000130: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=subca01 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: sngst-ca
000131: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: locked trustpoint subca01, refcount is 1
000132: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: http connection opened
000133: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: Sending HTTP message
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
cisco1841Surgut(config)#
000134: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: sngst-ca
000135: Aug 19 17:57:13.064 GMT: CRYPTO_PKI: unlocked trustpoint subca01, refcount is 0
000136: Aug 19 17:57:13.064 GMT: CRYPTO_PKI: locked trustpoint subca01, refcount is 1
000137: Aug 19 17:57:13.808 GMT: CRYPTO_PKI: unlocked trustpoint subca01, refcount is 0
000138: Aug 19 17:57:13.808 GMT: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 4289
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
Date: Fri, 19 Aug 2011 11:57:13 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
000139: Aug 19 17:57:13.808 GMT: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=subca01)
000140: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_certc_pkcs7_extract_certs_and_crls failed
000141: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_pkcs7_extract_ca_cert returned
000142: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: Unable to read CA/RA certificates.
000143: Aug 19 17:57:13.812 GMT: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
000144: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: transaction GetCACert completed
cisco1841Surgut(config)#
This is part of the config with regards to the certificates:
Building configuration...
Current configuration : 22062 bytes
!
! Last configuration change at 14:42:48 GMT Mon Aug 22 2011 by admin
!
version 15.1
no service pad
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3129615703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3129615703
revocation-check none
rsakeypair TP-self-signed-3129615703
!
crypto pki trustpoint S1
enrollment terminal
serial-number none
fqdn cisco1841Surgut.xxx.local
ip-address none
password
revocation-check crl
rsakeypair cisco1841Surgut.xxx.local
!
crypto pki trustpoint subca01
enrollment mode ra
enrollment url http://xxx/certsrv/mscep/mscep.dll
ip-address none
password 7 08036D685F4D203636535B210E797C0D6666003224335358720F00070C2C5B394F
revocation-check none
rsakeypair CP-RSAKey-1313751490188 2048 2048
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-3129615703
certificate self-signed 01
xxx
quit
crypto pki certificate chain S1
crypto pki certificate chain subca01
!
!
!
!
!
crypto key pubkey-chain rsa
addressed-key xxx
address xxx
key-string
xxx
quit
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
authentication rsa-encr
crypto isakmp key xxx address xxx
!
!
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA5
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA3
reverse-route
!
crypto dynamic-map VPN-USER-MAP 50
set transform-set VPN-TRANSFORM
match address 115
!
!
end
cisco1841Surgut#
10-11-2011 02:07 AM
Hi,
Can you please close this thread and open a new thread in Security, as currently you have posted this under MPLS discussion.
Regards,
Smitesh
10-11-2011 06:03 AM
I agree with Smitesh,
you can move this to Security -> VPN.
That being said "signature algorithm not supported: crypto_certc_pkcs7_extract_certs_and_crls failed "
What signature algo are you using? SHA2 is not yet supported.
M.
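Following the second reply's point about the signature algorithm: the GetCACert response in the log (Content-Type application/x-x509-ca-ra-cert) is a degenerate PKCS#7 bundle holding the CA and RA certificates, and the E_SIGNATURE_ALG_NOT_SUPPORTED status means the router could not verify one of the signatures in it. The script below is an added example, not code from the thread or from Cisco; it uses openssl to list the signature algorithm of every certificate in such a bundle and flags any that an older IOS image does not accept. The "supported" list and the self-signed SHA-256 test CA it generates are constructed for the example; for a real check you would fetch the bundle from the mscep GetCACert URL shown in the log (for instance with curl) and pass that file to the same functions.

```shell
#!/bin/sh
# Added example: inspect the CA/RA certificate bundle returned by SCEP GetCACert
# and report certificates whose signature algorithm an old IOS image cannot verify.
# Requires openssl; everything below is constructed for the example.
set -e

# Signature algorithms assumed to be accepted by the router image (assumption).
SUPPORTED="sha1WithRSAEncryption md5WithRSAEncryption"

# Print "<subject><TAB><signature algorithm>" for each certificate in a DER PKCS#7 bundle.
bundle_sig_algs() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -text -noout \
    | awk '
        /^Certificate:/ { if (subj != "") print subj "\t" alg; subj = ""; alg = "" }
        /^ *Signature Algorithm:/ && alg == "" { alg = $3 }        # first occurrence is in the TBS part
        /^ *Subject:/ && subj == "" { sub(/^ *Subject: */, ""); subj = $0 }
        END { if (subj != "") print subj "\t" alg }'
}

# Exit 0 if the given algorithm name is in SUPPORTED, 1 otherwise.
is_supported() {
    for a in $SUPPORTED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Print "<algorithm><TAB><subject>" for every certificate the router would reject.
unsupported_algs() {
    bundle_sig_algs "$1" | while IFS=$(printf '\t') read -r subj alg; do
        is_supported "$alg" || printf '%s\t%s\n' "$alg" "$subj"
    done
}

# Build a constructed bundle: one self-signed CA certificate signed with SHA-256,
# wrapped as a certs-only PKCS#7 the way mscep returns it.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Constructed Sub CA" \
    -keyout "$WORK/key.pem" -out "$WORK/ca.pem" 2>/dev/null
openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -outform DER -out "$WORK/bundle.p7b"

echo "Certificates in bundle and their signature algorithms:"
bundle_sig_algs "$WORK/bundle.p7b"
if unsupported_algs "$WORK/bundle.p7b" | grep -q .; then
    echo "Signatures the router image cannot verify (GetCACert would fail):"
    unsupported_algs "$WORK/bundle.p7b"
fi
```

Point the functions at the bundle actually served by the CA to see which certificate in the chain carries the SHA-2 signature; the fix on the CA side is to have the CA and RA (NDES) certificates issued with an algorithm the router image supports, or to upgrade the image, rather than weakening anything on the router.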