IOS XE sub-ca with Microsoft CA as root-ca

Adrian Chovan
Level 1

Hi everybody!

I am upgrading our DMVPN infrastructure to use IKEv2. Part of the project is the replacement of two old IOS CA servers issuing certificates for branch routers.

I have two ISR4k routers prepared to work as the new CA servers for the DMVPN cloud. What I did this time was to connect this new PKI infrastructure with our Microsoft root CA server by issuing the certificates for the new CA routers on the Microsoft root CA, thus making them sub-CA servers of the Microsoft root CA server.

I was able to import the signed certificate from the root CA server; the problem is that I can't configure the sub-CA server on the routers.

If I got it right, the IOS CA server must have the same name as the trustpoint from which it is a sub-CA. When I try to configure the CA server this way I get the following error:

% Cannot choose Microsoft-CA as label for CA server.
% Trustpoint with label Microsoft-CA is authenticated to another CA.
%PARSE_RC-3-PRC_OUT_OF_RANGE_ENUM: error code had value 2
%PARSE_RC-4-PRC_NON_COMPLIANCE: `crypto pki server Microsoft-CA'

Trustpoint configuration:

crypto pki trustpoint Microsoft-CA
 enrollment terminal
 serial-number
 fqdn SubCA1.domain
 ip-address Loopback1
 subject-name CN=SubCA1.domain, L=DC01
 revocation-check none
 rsakeypair SubCA1.domain

The root CA server stays offline and doesn't support auto-enrollment.

Is this configuration not supported or am I missing something? It seems like an obvious use case for the IOS CA to me.

Thanks,

Adrian

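The thread has no replies, so the following is an editor's added example of the IOS XE subordinate CA setup as described in Cisco's IOS PKI certificate-server documentation, not the poster's working configuration. The error message quoted above says the trustpoint label is already authenticated to another CA; as I understand the documented procedure, the trustpoint that a `crypto pki server` in `mode sub-cs` uses is owned by the server, so it is configured with its enrollment parameters but left unauthenticated, and the server itself generates the CSR when it is brought out of shutdown. The server name `SubCA1`, the subject `CN=SubCA1.domain, L=DC01` (reused from the post), the key label, the `flash:/pki/` database path and the lifetimes are assumptions chosen for illustration; the console prompts in the comments are paraphrased from memory, not copied from a device.

```cisco
! Added example (not the poster's config). Order matters: the trustpoint
! carries only enrollment parameters and is NOT authenticated or enrolled
! by hand; the certificate server in sub-cs mode does that itself.

! 1. Key pair for the sub-CA (label is an assumption).
crypto key generate rsa modulus 2048 label SubCA1.domain

! 2. Trustpoint with the SAME label the server will use.
!    "enrollment terminal pem" because the root CA is offline: the
!    root certificate and the signed sub-CA certificate are pasted in.
crypto pki trustpoint SubCA1
 enrollment terminal pem
 fqdn SubCA1.domain
 subject-name CN=SubCA1.domain, L=DC01
 revocation-check none
 rsakeypair SubCA1.domain

! 3. The certificate server, in subordinate mode.
!    issuer-name is kept identical to the trustpoint subject-name so the
!    CA certificate subject is the same whichever the platform uses.
crypto pki server SubCA1
 mode sub-cs
 issuer-name CN=SubCA1.domain, L=DC01
 database level complete
 database url flash:/pki/
 lifetime certificate 730
 ! Default grant policy is manual; do not add "grant auto" unless every
 ! branch router's request can be trusted on network position alone.
 no shutdown
!
! "no shutdown" on an unauthenticated terminal-enrollment trustpoint:
!   - prompts for the root CA certificate (paste the Microsoft root PEM),
!   - then prints the sub-CA CSR in PEM for submission to the root CA
!     (Microsoft CA: Subordinate Certification Authority template, so the
!     issued cert has basicConstraints CA:TRUE and keyCertSign).
!
! 4. After the root has signed the request, import the certificate into
!    the server's trustpoint and verify that the server is enabled.
crypto pki import SubCA1 certificate
show crypto pki server SubCA1
show crypto pki certificates SubCA1

! 5. Manual grant of a pending branch-router request (example IDs):
show crypto pki server SubCA1 requests
crypto pki server SubCA1 grant 1
```

Two checks worth doing before pointing branch routers at the new CA: confirm `show crypto pki certificates SubCA1` shows the certificate as a CA certificate chained to the Microsoft root, and confirm `show crypto pki server SubCA1` reports the server as enabled rather than waiting for a certificate. If the existing `Microsoft-CA` trustpoint that was authenticated and enrolled manually is no longer needed once the server owns `SubCA1`, it can be removed; it cannot be reused as the server's label once it has been authenticated, which is what the quoted error states.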