
Certificate retrieval issue from RootCA

Jeff Horton
Level 1

Can't seem to retrieve certificate from our internal RootCA. The device is a Catalyst 9300.

Current configuration:

crypto pki trustpoint ICERootCA
enrollment mode ra
enrollment url //infr-svr-cert02:80/certsrv/mscep/mscep.dll
revocation-check crl
auto-enroll 90

Result from doing "crypto pki authenticate ICERootCA":

ICERootCA:Enrollment: SCEP
078950: Jan 9 15:08:22.661: CRYPTO_PKI: Setting crypto_ca_req_in_progress to TRUE
078951: Jan 9 15:08:22.661: CRYPTO_PKI: create crypto_pki_req_msg
078952: Jan 9 15:08:22.661: CRYPTO_PKI: dequeue CRYPTO_REQ_CA_CERT message to crypto_ca_req_qICERootCA:Client sending GetCACert request: GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ICERootCA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: infr-svr-cert02

ICERootCA:locked trustpoint ICERootCA, refcount is 1
078953: Jan 9 15:08:22.668: CRYPTO_PKI: http connection opened
078954: Jan 9 15:08:22.668: CRYPTO_PKI: Sending HTTP message

078955: Jan 9 15:08:22.668: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: infr-svr-cert02


% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

INFR-NET-SWC18#ICERootCA:unlocked trustpoint ICERootCA, refcount is 0
078956: Jan 9 15:08:32.668: CRYPTO_PKI: status = 65535: failed to send out the pki message
078957: Jan 9 15:08:32.668: CRYPTO_PKI: Setting crypto_ca_req_in_progress to FALSEICERootCA:CA certificate download failed.
Reason : Socket send failure(Socket is not connected).
078958: Jan 9 15:08:32.669: CRYPTO_PKI: free crypto_pki_req_msg
078959: Jan 9 15:08:32.669: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed

Any ideas why I can get certificate?

 

13 Replies

@Jeff Horton try changing the enrollment url to http://infr-svr-cert02:80/certsrv/mscep/mscep.dll and try authenticating again.

Do the logs on the CA indicate a problem? I believe the RSA keypair had to be 2048 or greater if using a Microsoft CA, otherwise it would error (the MS event logs would indicate this from memory).

Sorry, I posted the wrong configuration. The one I posted is the one I was troubleshooting around with. Actual configuration does include what you suggested. My apologies.

crypto pki trustpoint ICERootCA
enrollment mode ra
enrollment url http://infr-svr-cert02:80/certsrv/mscep/mscep.dll
revocation-check crl
auto-enroll 90

@Jeff Horton did you check the MS Cert services event logs for the errors and check the keypair as suggested?

Jeff Horton
Level 1

I will check with server Admin to see if it has any logs to this issue.

Jeff Horton
Level 1

I use 2048.

As long as that server name is resolvable then that enrollment url should work; the correct format for a Microsoft Windows CA SCEP server is - http://<server ip/hostname>/certsrv/mscep/mscep.dll

@Jeff Horton if you could provide the Windows CA logs when the admin provides this please.

Can you also run some debugs and provide the output: debug crypto pki transactions, debug crypto pki validation and debug crypto pki scep.

 

Current debug info:

ICERootCA:Enrollment: SCEP
079479: Jan 9 17:40:12.881: CRYPTO_PKI: Setting crypto_ca_req_in_progress to TRUE
079480: Jan 9 17:40:12.881: CRYPTO_PKI: create crypto_pki_req_msg
079481: Jan 9 17:40:12.881: CRYPTO_PKI: dequeue CRYPTO_REQ_CA_CERT message to crypto_ca_req_q
079482: Jan 9 17:40:12.881: CRYPTO_PKI_SCEP: Client sending GetCACert requestICERootCA:Client sending GetCACert request: GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ICERootCA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 172.17.12.15

ICERootCA:locked trustpoint ICERootCA, refcount is 1
079483: Jan 9 17:40:12.881: CRYPTO_PKI: http connection opened
079484: Jan 9 17:40:12.881: CRYPTO_PKI: Sending HTTP message

079485: Jan 9 17:40:12.881: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 172.17.12.15


% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

INFR-NET-SWC18#ICERootCA:unlocked trustpoint ICERootCA, refcount is 0
079486: Jan 9 17:40:22.882: CRYPTO_PKI: status = 65535: failed to send out the pki message
079487: Jan 9 17:40:22.882: CRYPTO_PKI: Setting crypto_ca_req_in_progress to FALSEICERootCA:CA certificate download failed.
Reason : Socket send failure(Socket is not connected).
079488: Jan 9 17:40:22.883: CRYPTO_PKI: free crypto_pki_req_msg
079489: Jan 9 17:40:22.883: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed

Jeff Horton
Level 1

Not seeing any errors on the CA server. Seems there should be some but the Admin or myself did not see any that mention the switch requesting the cert.

Try opening the URL in any browser and check whether it is available or not.

MHM
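
The check suggested above can also be scripted from a workstation so that it sends the same GetCACert request the switch sends and reports what comes back. This is an added example, not part of the original thread; the function names are illustrative, and the expected Content-Type values are the ones SCEP defines in RFC 8894.

```python
import urllib.error
import urllib.parse
import urllib.request

# GetCACert response types defined by SCEP (RFC 8894).
CA_ONLY = "application/x-x509-ca-cert"       # one DER-encoded certificate
CA_AND_RA = "application/x-x509-ca-ra-cert"  # degenerate PKCS#7: CA + RA certs


def getcacert_url(enrollment_url, trustpoint):
    """Build the URL seen in the debug output for a given trustpoint."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": trustpoint})
    return enrollment_url.rstrip("/") + "/pkiclient.exe?" + query


def classify(status, content_type, body):
    """Turn an HTTP status, Content-Type and body into a one-line finding."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if status != 200:
        return f"HTTP {status}: server reachable but not serving GetCACert"
    # Both valid payloads are DER and therefore start with a SEQUENCE tag (0x30).
    if ctype == CA_ONLY and body[:1] == b"\x30":
        return "OK: single CA certificate (DER)"
    if ctype == CA_AND_RA and body[:1] == b"\x30":
        return "OK: CA and RA certificates (PKCS#7)"
    return f"HTTP 200 but unexpected Content-Type {ctype!r}: not a SCEP response"


def probe(enrollment_url, trustpoint, timeout=10):
    """Send the request and classify the answer; failures become findings."""
    try:
        url = getcacert_url(enrollment_url, trustpoint)
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type"), resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type"), b"")
    except (urllib.error.URLError, OSError) as err:
        return f"No HTTP reply: {err}"
    except ValueError as err:  # urllib rejects a URL with no scheme ("//host/...")
        return f"Malformed enrollment URL: {err}"


if __name__ == "__main__":
    # Values taken from the trustpoint configuration posted in this thread.
    print(probe("http://infr-svr-cert02:80/certsrv/mscep/mscep.dll", "ICERootCA"))
```

Run it from a host on the same network path as the switch where possible, so that any firewall between the switch and the CA is exercised as well.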

@Jeff Horton debugs on the switch would reveal some useful information.

I assume the switch can resolve the hostname infr-svr-cert02?

Is there a host based firewall on the SCEP server infr-svr-cert02 that could be restricting requests from the switch?

Yes, it can resolve it.

I can see via the debug that the communication gets set up ("079483: Jan 9 17:40:12.881: CRYPTO_PKI: http connection opened"), but the retrieval of the cert seems to be the issue.

 

Previous replies have the debug results.

 
