11-01-2012 06:27 AM - edited 03-11-2019 05:17 PM
Hello,
I want to auto-enroll an identity certificate on our Cisco ASA firewall based on the "Web server With Private Key" template in Windows Server 2008 CA.
I did all the steps necessary on the Windows 2008 CA to configure auto-enrollment: modified the template for auto-enrollment, modified the default domain policy and the Certificate Services Client - Auto-Enrollment policy, and restarted the CA service.
On the ASA firewall I configured the following and started debugging:
crypto ca trustpoint ASDM_TrustPoint4
revocation-check none
password 91777F69D5399B20
id-usage ssl-ipsec
no fqdn
email mail@mail.com
subject-name CN=asa5500
enrollment url http://2k8server.test.local:80/certsrv/mscep/mscep.dll
crypto ca authenticate ASDM_TrustPoint4 nointeractive
crypto ca enroll ASDM_TrustPoint4 noconfirm
Then I got the following message on the monitor:
%ASA-3-717002: Certificate enrollment failed for trustpoint ASDM_TrustPoint4. Reason: Denied by the CA.
Why is this request denied by the CA, and why can't I see this in the "Failed Requests" in the CA itself?
In the application event log of the server this message appears:
The Network Device Enrollment Service cannot submit the certificate request (0x800706ba). The RPC server is unavailable.
Please help, I have lost almost all my hair over this.
Thanks a lot...
11-02-2012 05:03 AM
Does the URL actually resolve to an ip address on the ASA?
The ASA needs to be able to resolve 2k8server.test.local; otherwise, it won't be able to perform the enrollment.
Can you try the enrollment URL with the IP address instead of the FQDN and see if it works?
11-02-2012 11:06 AM
Hello,
Thanks for the reply. Unfortunately, even with the IP address in place, same result.
Strange, because the CA certificate enrolled via SCEP with no problems.
I would appreciate any suggestions trying to figure this out.
Thanks again...
Sent from Cisco Technical Support iPad App
11-02-2012 01:09 PM
Can you please run debug and share the output:
debug cry ca 255
11-03-2012 02:28 PM
1- Did you set the clock correctly on the ASA itself using NTP servers?
2- Did you set the clock correctly on the Win2k8 server using NTP servers?
3- Did you install SCEP on the Win2k8 box?
I ran into the exact same issue you're experiencing when I used my router to enroll a certificate using Windows 2008R2.
No such issue on Windows 2003 Server whatsoever, so I know the issue is on Windows 2008; something is misconfigured on that Windows 2008 box, but I don't have time to troubleshoot it right now.
Why don't you use Windows 2003 with SCEP installed and see if you see the same issue? I am willing to bet the answer is no.
Below is the certificate request from a router to Windows 2003 Certificate Authority Server:
c3845(config)#crypto ca trustpoint exchange2010
c3845(ca-trustpoint)# enrollment retry count 5
c3845(ca-trustpoint)# enrollment retry period 3
c3845(ca-trustpoint)# enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll
c3845(ca-trustpoint)# crl optional
c3845(ca-trustpoint)#
c3845(ca-trustpoint)#crypto ca authenticate exchange2010
Certificate has the following attributes:
Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11
Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c3845(config)#crypto ca enroll exchange2010
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: c3845
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose exchange2010' commandwill show the fingerprint.
c3845(config)#
*Nov 3 22:11:18.289: CRYPTO_PKI: Certificate Request Fingerprint MD5: 11C23B80 FE62AFCC 794A516F 001DD3F8
*Nov 3 22:11:18.289: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 31BF71AE 85379C32 A9F5E001 05B7D8AF 6E30DBA2
c3845(config)#
*Nov 3 22:11:19.525: %PKI-6-CERTRET: Certificate received from Certificate Authority
c3845(config)#
c3845(config)#end
c3845#
*Nov 3 22:11:23.509: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.15.7)
c3845#show crypto pki certificate verbose exchange2010
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 241C56D7000000000010
Certificate Usage: General Purpose
Issuer:
cn=exchange2010
dc=exchange2010
dc=com
Subject:
Name: c3845
hostname=c3845
CRL Distribution Points:
ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl
Validity Date:
start date: 21:15:56 UTC Nov 3 2012
end date: 21:15:56 UTC Nov 3 2014
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 88E0522E E2C1637A AE5E7CC9 103E03C1
Fingerprint SHA1: 5678D733 1EB3C5CD 4E07248E 3DC4BC5F D32D6D50
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 72DC04D4 343115B0 2DAEFAEF 36F23D29 9D432382
X509v3 Basic Constraints:
CA: FALSE
X509v3 Subject Alternative Name:
c3845
X509v3 Authority Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550
Authority Info Access:
Associated Trustpoints: exchange2010
Key Label: c3845
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 50271D7CD98632B74ABC894310D34244
Certificate Usage: Signature
Issuer:
cn=exchange2010
dc=exchange2010
dc=com
Subject:
cn=exchange2010
dc=exchange2010
dc=com
CRL Distribution Points:
ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl
Validity Date:
start date: 01:45:14 UTC Oct 24 2012
end date: 01:54:43 UTC Oct 24 2019
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11
Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: exchange2010
c3845#
11-05-2012 10:12 AM
11-05-2012 10:14 AM
11-09-2012 03:17 AM
Ok, I think I've found the issue.
It has to do with the Win2k8 CA using 2048 bits while ASA or IOS routers usually implement either 512 or 1024 bits when you run "crypto ca key generate rsa modulus 1024" or something like that. Do this (I did this on my IOS router 12.2(4)24T):
crypto ca key zeroize rsa
crypto ca key generate rsa modulus 2048
After that, go ahead and authenticate your certificate process. Here is the output from my router with the Win2k8R2 CA server:
c3845(config)#crypto ca ke
c3845(config)#crypto key zero
c3845(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
c3845(config)#yes
*Nov 9 12:00:31.791: %SSH-5-DISABLED: SSH 1.99 has been disabled
c3845(config)#crypto key ge
c3845(config)#crypto key generate rsa mo
c3845(config)#crypto key generate rsa modulus 2048
The name for the keys will be: c3845.rogerfederer.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
c3845(config)#
*Nov 9 12:00:45.719: %SSH-5-ENABLED: SSH 1.99 has been enabled
c3845(config)#crypto ca trustpoint rogerfederer
c3845(ca-trustpoint)# enrollment retry count 5
c3845(ca-trustpoint)# enrollment retry period 3
c3845(ca-trustpoint)# enrollment url http://192.168.244.28:80/certsrv/mscep/mscep.dll
c3845(ca-trustpoint)# crl optional
c3845(ca-trustpoint)# exit
c3845(config)#
c3845(config)#crypto ca authenticate rogerfederer
Certificate has the following attributes:
Fingerprint MD5: 24C7B6CA 54C54574 69229B75 F17E50B0
Fingerprint SHA1: 7AD9814C 4B3E06AA BA5134CA 26D5D9A1 3F5DF94C
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c3845(config)#crypto ca enroll rogerfederer
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: c3845.rogerfederer.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose rogerfederer' commandwill show the fingerprint.
c3845(config)#
*Nov 9 12:01:07.579: CRYPTO_PKI: Certificate Request Fingerprint MD5: 63B71575 3F1C06C4 91EC7C95 65F72CB8
*Nov 9 12:01:07.579: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 439A5C53 415BBB29 8F7B7DA2 828833A3 96EDD9DD
c3845(config)#
*Nov 9 12:01:08.535: %PKI-6-CERTRET: Certificate received from Certificate Authority
c3845(config)#
Easy, right?
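As an added check (not from the thread, Cisco, or Microsoft), here is a small Python parser for the "show crypto pki certificate verbose" output quoted above. It pulls the RSA modulus, signature algorithm and expiry out of each certificate block and flags what a defender would act on: the 512-bit router key from the first enrollment, SHA1 signatures, and expired certificates. The sample text is constructed from that output; the 2048-bit threshold is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample trimmed from the "show crypto pki certificate verbose" output
# quoted in the thread: the 512-bit router cert and its 2048-bit issuing CA cert.
SAMPLE_OUTPUT = """\
Certificate
Name: c3845
end date: 21:15:56 UTC Nov 3 2014
RSA Public Key: (512 bit)
Signature Algorithm: SHA1 with RSA Encryption
CA Certificate
cn=exchange2010
end date: 01:54:43 UTC Oct 24 2019
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
"""

MIN_RSA_BITS = 2048  # audit threshold assumed here; the thread does not state one

def parse_certs(text):
    """One dict per 'Certificate' / 'CA Certificate' block of the show output."""
    certs, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("Certificate", "CA Certificate"):
            cur = {"kind": line}
            certs.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"RSA Public Key: \((\d+) bit\)", line):
            cur["rsa_bits"] = int(m.group(1))
        elif line.startswith("Signature Algorithm: "):
            cur["sig_alg"] = line.split(": ", 1)[1]
        elif line.startswith("end date: "):
            stamp = line[len("end date: "):]  # IOS format, e.g. "21:15:56 UTC Nov 3 2014"
            cur["not_after"] = datetime.strptime(stamp, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)
    return certs

def audit(certs, now=None):
    """Return (kind, problem) findings: short RSA modulus, SHA1 signature, expiry."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for c in certs:
        if c.get("rsa_bits", 0) < MIN_RSA_BITS:
            findings.append((c["kind"], f"RSA modulus {c.get('rsa_bits')} bit < {MIN_RSA_BITS}"))
        if "SHA1" in c.get("sig_alg", ""):
            findings.append((c["kind"], "SHA1 signature"))
        if "not_after" in c and c["not_after"] <= now:
            findings.append((c["kind"], "expired"))
    return findings
```

Run it over the real output with `audit(parse_certs(open("show.txt").read()))`; the sample above yields five findings, three of them against the 512-bit router certificate.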
11-09-2012 11:50 AM
Hello David,
Thanks for trying so hard to help me, thank you for that!
I tried it exactly your way.
Unfortunately my problem is not solved with this; I still got this message on the console after the enrollment request was sent out of the router or firewall:
pix515e# The certificate enrollment request was denied by CA!
In the Windows 2008 CA server, in the application log, I see this:
The Network Device Enrollment Service cannot submit the certificate request (0x800706ba). The RPC server is unavailable.
I think that the problem might be in the Windows 2008 CA server, but I just can't seem to find the problem or solution for this.
It doesn't matter if I try this from an ASA, PIX or our lab 3620 Cisco router, the error is always the same.
What is going on with the RPC server?
11-10-2012 04:27 AM
Issue:
The Network Device Enrollment Service cannot submit the certificate request (0x800706ba). The RPC server is unavailable.
Cause:
This issue occurs because the port that the CertRequest interface uses is changed when you restart the server on which the Enterprise CA is installed. Therefore, the NDES role service cannot connect to the enterprise CA. Then, the SCEP request fails, and network devices cannot enroll or renew certificates.
Solution:
Hotfix from Microsoft: http://support.microsoft.com/kb/2633200
OR
This happens when you create your CA on a Domain Controller and the “Domain Controllers” security group is missing from the “CERTSVC_DCOM_ACCESS” Domain Local Security Group.
11-11-2012 02:50 AM
Hello David,
You're the best! I now know that I ran into a Microsoft bug for which there is no fix yet.
The fix is for Windows Server 2008 R2, while we use the normal Windows Server 2008.
Manual certificate installation was successful so far; I think I'll wait for the planned upgrade to Server 2012 to try again.
Thanks for all your effort, I owe you a big pint of beer...
Sent from Cisco Technical Support iPad App
11-11-2012 06:16 AM
You're very welcome !!!!
Just so you know, I work mainly with Checkpoint firewalls, so Cisco is not my strong area.