cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13791
Views
0
Helpful
11
Replies
Beginner

%ASA-3-717002: Certificate enrollment failed for trustpoint ASDM_TrustPoint4. Reason: Denied by the CA.

Hello,

I want to auto enroll an identity certificate on our Cisco ASA firewall based on the " Web server With Private Key" template in Windows server 2008 CA.   

I did all the steps nessecary on the Windows 2008 CA to configure auto-enrollment, modified the template for auto enrollment, modified the default domain policy and the certificate services client - Auto-enrollment policy and restarted the CA service.

On the ASA firewall I configured the following and started debugging:

      crypto ca trustpoint ASDM_TrustPoint4

        revocation-check none

        password 91777F69D5399B20

        id-usage ssl-ipsec

        no fqdn

        email mail@mail.com

        subject-name CN=asa5500

        enrollment url http://2k8server.test.local:80/certsrv/mscep/mscep.dll

      crypto ca authenticate ASDM_TrustPoint4 nointeractive

      crypto ca enroll ASDM_TrustPoint4 noconfirm

Then I got the following message on the monitor:

%ASA-3-717002: Certificate enrollment failed for trustpoint ASDM_TrustPoint4. Reason: Denied by the CA.

,CN=CDP,CN=Publi

Why is this request denied by the CA, and why can't I see this in the "Failed Requests" in de CA itself?

In the application event log of the server this message appears:

The Network Device Enrollment Service cannot submit the certificate request (0x800706ba).  The RPC server is unavailable.

Please help, I lost almost all my hair over this

Thanks a lot...

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Enthusiast

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

Issue:

The Network Device Enrollment Service cannot submit the certificate request (0x800706ba).

The RPC server is unavailable.

CAUSE:

This issue occurs because the port that the CertRequest interface uses is changed when you restart

the server on which the Enterprise CA is installed. Therefore,

the NDES role service cannot connect to the enterprise CA. Then, the SCEP request fails,

and network devices cannot enroll or renew certificates.

Solution:

Hot fix from microsoft http://support.microsoft.com/kb/2633200

OR

This happens when you create your CA on a Domain Controller and the “Domain Controllers”

security group is missing from the “CERTSVC_DCOM_ACCESS” Domain Local Security Group.

View solution in original post

11 REPLIES 11
Highlighted
Cisco Employee

%ASA-3-717002: Certificate enrollment failed for trustpoint ASDM

Does the URL actually resolve to an ip address on the ASA?

The ASA needs to be able to resolve 2k8server.test.local, otherwise, i won't be able to perform the enrollment.

Can you try the enrollment url with ip address instead of fqdn and see if it works.

Highlighted
Beginner

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

Hello,

Thanks for the reply, unfortunalty even with the ip adress in place Same result.
Strange because the CA certificate enrolled by SCEP with no problems

I would appreciate any suggestions trying to figure this out.

Thanks again...

Sent from Cisco Technical Support iPad App

Highlighted
Cisco Employee

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

Can you pls run debug and share the output:

debug cry ca 255

Highlighted
Enthusiast

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

1- did you have the clock settings correctly on the ASA itself using NTP servers?

2- did you have the clock settings correctly on the Win2k8 server using NTP servers?

3- did you install SCEP on the Win2k8 box?

I run into the exact same issue you're experiencing when I use my router to enroll certificate using Windows 2008R2.

No such issue on Windows 2003 Server whatsoever so I know the issue is on Windows 2008, something is mis-configured on that Windows 2008 box but I don't have time to troubleshoot it right now. 

Why don't you use Windows 2003 with SCEP installed and see if you see the same issue.  I am willing to bet the answer is no.

Below is the certificate request from a router to Windows 2003 Certificate Authority Server:

c3845(config)#crypto ca trustpoint exchange2010

c3845(ca-trustpoint)# enrollment retry count 5

c3845(ca-trustpoint)# enrollment retry period 3

c3845(ca-trustpoint)# enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll

c3845(ca-trustpoint)# crl optional

c3845(ca-trustpoint)#

c3845(ca-trustpoint)#crypto ca authenticate exchange2010

Certificate has the following attributes:

       Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11

      Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

c3845(config)#crypto ca enroll exchange2010

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

   password to the CA Administrator in order to revoke your certificate.

   For security reasons your password will not be saved in the configuration.

   Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: c3845

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]:

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose exchange2010' commandwill show the fingerprint.

c3845(config)#

*Nov  3 22:11:18.289: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 11C23B80 FE62AFCC 794A516F 001DD3F8

*Nov  3 22:11:18.289: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 31BF71AE 85379C32 A9F5E001 05B7D8AF 6E30DBA2

c3845(config)#

*Nov  3 22:11:19.525: %PKI-6-CERTRET: Certificate received from Certificate Authority

c3845(config)#

c3845(config)#end

c3845#

*Nov  3 22:11:23.509: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.15.7)

c3845#show crypto pki certificate verbose exchange2010

Certificate

  Status: Available

  Version: 3

  Certificate Serial Number (hex): 241C56D7000000000010

  Certificate Usage: General Purpose

  Issuer:

    cn=exchange2010

    dc=exchange2010

    dc=com

  Subject:

    Name: c3845

    hostname=c3845

  CRL Distribution Points:

    ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

    http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl

  Validity Date:

    start date: 21:15:56 UTC Nov 3 2012

    end   date: 21:15:56 UTC Nov 3 2014

  Subject Key Info:

    Public Key Algorithm: rsaEncryption

    RSA Public Key: (512 bit)

  Signature Algorithm: SHA1 with RSA Encryption

  Fingerprint MD5: 88E0522E E2C1637A AE5E7CC9 103E03C1

  Fingerprint SHA1: 5678D733 1EB3C5CD 4E07248E 3DC4BC5F D32D6D50

  X509v3 extensions:

    X509v3 Key Usage: A0000000

      Digital Signature

      Key Encipherment

    X509v3 Subject Key ID: 72DC04D4 343115B0 2DAEFAEF 36F23D29 9D432382

    X509v3 Basic Constraints:

        CA: FALSE

    X509v3 Subject Alternative Name:

        c3845

    X509v3 Authority Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550

    Authority Info Access:

  Associated Trustpoints: exchange2010

  Key Label: c3845

CA Certificate

  Status: Available

  Version: 3

  Certificate Serial Number (hex): 50271D7CD98632B74ABC894310D34244

  Certificate Usage: Signature

  Issuer:

    cn=exchange2010

    dc=exchange2010

    dc=com

  Subject:

    cn=exchange2010

    dc=exchange2010

    dc=com

  CRL Distribution Points:

    ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

    http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl

  Validity Date:

    start date: 01:45:14 UTC Oct 24 2012

    end   date: 01:54:43 UTC Oct 24 2019

  Subject Key Info:

    Public Key Algorithm: rsaEncryption

    RSA Public Key: (2048 bit)

  Signature Algorithm: SHA1 with RSA Encryption

  Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11

  Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9

  X509v3 extensions:

    X509v3 Key Usage: 86000000

      Digital Signature

      Key Cert Sign

      CRL Signature

    X509v3 Subject Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550

    X509v3 Basic Constraints:

        CA: TRUE

    Authority Info Access:

  Associated Trustpoints: exchange2010

c3845#

Highlighted
Beginner

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

The time on the ASA firewall and the w2k8 domain controller and the w2k8 CA are all properly synched bij (s)ntp.

      

I attached the debug from the request.

Highlighted
Beginner

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

The time on the ASA firewall and the w2k8 domain controller and the w2k8 CA are all properly synched bij (s)ntp.

I attached the debug from the request.

Highlighted
Enthusiast

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

Ok, I think I've found the issue. 

It has to do with Win2k8 CA uses 2048 bits while ASA or IOS routers usually implement either 512 or 1024 bits when you run "crypto ca key generate rsa modulus 1024" or somthing like that.  Do this (I did this on my IOS router 12.2(4)24T):

crypto ca key zeroize rsa

crypto ca key generate rsa modulus 2048

After that, go ahead and authticate your certificate process.  Here is the output from my router with win2k8R2 CA server:

c3845(config)#crypto ca ke

c3845(config)#crypto key zero

c3845(config)#crypto key zeroize rsa

% All RSA keys will be removed.

% All router certs issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes

c3845(config)#yes

*Nov  9 12:00:31.791: %SSH-5-DISABLED: SSH 1.99 has been disabled

c3845(config)#crypto key ge

c3845(config)#crypto key generate rsa mo

c3845(config)#crypto key generate rsa modulus 2048

The name for the keys will be: c3845.rogerfederer.com

% The key modulus size is 2048 bits

% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

c3845(config)#

*Nov  9 12:00:45.719: %SSH-5-ENABLED: SSH 1.99 has been enabled

c3845(config)#crypto ca trustpoint rogerfederer

c3845(ca-trustpoint)# enrollment retry count 5

c3845(ca-trustpoint)# enrollment retry period 3

c3845(ca-trustpoint)# enrollment url http://192.168.244.28:80/certsrv/mscep/mscep.dll

c3845(ca-trustpoint)# crl optional

c3845(ca-trustpoint)# exit

c3845(config)#

c3845(config)#crypto ca authenticate rogerfederer

Certificate has the following attributes:

       Fingerprint MD5: 24C7B6CA 54C54574 69229B75 F17E50B0

      Fingerprint SHA1: 7AD9814C 4B3E06AA BA5134CA 26D5D9A1 3F5DF94C

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

c3845(config)#crypto ca enroll rogerfederer

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

   password to the CA Administrator in order to revoke your certificate.

   For security reasons your password will not be saved in the configuration.

   Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: c3845.rogerfederer.com

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]:

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose rogerfederer' commandwill show the fingerprint.

c3845(config)#

*Nov  9 12:01:07.579: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 63B71575 3F1C06C4 91EC7C95 65F72CB8

*Nov  9 12:01:07.579: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 439A5C53 415BBB29 8F7B7DA2 828833A3 96EDD9DD

c3845(config)#

*Nov  9 12:01:08.535: %PKI-6-CERTRET: Certificate received from Certificate Authority

c3845(config)#

Easy right ?

Highlighted
Beginner

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

Hello David,

Thanks for trying so hard to help me, thank you for that!

I tried it exactly your way.

Unfortunately my problem is not solved with this, I stil got after the enrollment request was send out of the router, or firewall this message on the console:

pix515e# The certificate enrollment request was denied by CA!

In the Windows 2008 CA server in the application log I see sthis:

The Network Device Enrollment Service cannot submit the certificate request (0x800706ba). The RPC server is unavailable.

I think that te problem might be in the Windows 2008 CA server, but I just can't seem to find the problem or solution for this.

It doesnt matter if I try this from an ASA, PIX or our lab 3620 Cisco router, the error is always the same....

What is going on with the RPC server????

Highlighted
Enthusiast

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

Issue:

The Network Device Enrollment Service cannot submit the certificate request (0x800706ba).

The RPC server is unavailable.

CAUSE:

This issue occurs because the port that the CertRequest interface uses is changed when you restart

the server on which the Enterprise CA is installed. Therefore,

the NDES role service cannot connect to the enterprise CA. Then, the SCEP request fails,

and network devices cannot enroll or renew certificates.

Solution:

Hot fix from microsoft http://support.microsoft.com/kb/2633200

OR

This happens when you create your CA on a Domain Controller and the “Domain Controllers”

security group is missing from the “CERTSVC_DCOM_ACCESS” Domain Local Security Group.

View solution in original post

Highlighted
Beginner

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

Hello David,

Youre the best! I now know that I ran into a Microsoft bug, where there is no fix for jet.
The fix is for Windows server 2008 R2, while we use the normal Windows Server 2008.

Manual certificate installation was succesfull so far, I think that I wait for the planned upgrade to Server 2012 to try again.

Thanks for all your effort, I owe you a big pint of beer...

Sent from Cisco Technical Support iPad App

Highlighted
Enthusiast

Re: %ASA-3-717002: Certificate enrollment failed for trustpoint

You're very welcome !!!!

Just so you know, I work with mainly Checkpoint firewalls so Cisco is not my strong area