Re: SCEP CA Enrollment Failure

jbulloch · ‎08-08-2022

Good morning/afternoon,

Not sure if SCEP should go under general network security or VPN, but here goes.

I was able to get terminal enrollment functioning in our environment, but once the over head of certificate management was realized we are attempting to move to SCEP. Our server team has set up a CA which they insist should be functioning fine with SCEP.

I've generated two pairs of RSA keys, one for SCEP and the second for a self signed SSL certificate since our environment does not allow the use of IP HTTP server. I'am a bit unfamilar with pki so bare with me please.

My trust point is configured as follows, with edits for security reasons:

crypto pki trustpoint <TP Name>
enrollment retry count 100
enrollment retry period 60
enrollment mode ra
enrollment url <URL>/mscep.dll
serial-number none
ip-address none
fqdn <our FQDN>
subject-name C=x, ST=x, L=x, O=x, OU=x, CN=x
revocation-check none
rsakeypair <keypair>
auto-enroll 80 regenerate

When i navigate to the URL, i get a 404. If i go to the root of the domain i get prompted for a constant username/password loop. I don't have the credentials to test it.

I've enabled debug of crypto pki messages and transactions.

When i run "crypto pki authenticate <TP>",

i receive:

"

% Error: failed to open file.

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0"

debug then reports:

<Trustpoint>:Enrollment: IFS

Aug 8 10:55:12.920 edt: CRYPTO_PKI: (A24F3) Session started - identity not specified
Aug 8 10:55:12.921 edt: CRYPTO_PKI: Added x509 peer certificate - (1168) bytes:Incrementing refcount for context id-8611 to 1
Aug 8 10:55:12.921 edt: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 8611
Aug 8 10:55:12.921 edt: CRYPTO_PKI: (A24F3)validation path has 1 certs

Aug 8 10:55:12.921 edt: CRYPTO_PKI: Unable to locate cert record by issuername
Aug 8 10:55:12.921 edt: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain

Aug 8 10:55:12.921 edt: CRYPTO_PKI: (A24F3) Removing verify context

Aug 8 10:55:12.921 edt: CRYPTO_PKI: destroying ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 8611, ref count 1:Decrementing refcount for context id-8611 to 0
Aug 8 10:55:12.921 edt: CRYPTO_PKI: ca_req_context released
Aug 8 10:55:12.921 edt: CRYPTO_PKI: Rcvd request to end PKI session A24F3.
Aug 8 10:55:12.921 edt: CRYPTO_PKI: PKI session A24F3 has ended. Freeing all resources.

The cert of course, does not appear under 'show pki'. I have asked the server team to check the server logs and there are no failed requests in the event logs. How could i possibly verify connection to the CA server? The routing for the SVI appears to be correct.

Thank you for your assistance.

jbulloch · ‎08-10-2022

I was able to progress on this, and resolve the issue with a configuration issue on the CA (windows server) side.

Now we receive a HTTP 301, which is apparently a redirect message. Has anyone ever troubleshot this? Is this a server side issue as research may suggest?

<TP>:unlocked trustpoint <TP> refcount is 0<TP>:locked trustpoint <TP>, refcount is 1
Aug 10 10:55:38.816 edt: CRYPTO_PKI: Header length received: 287
Aug 10 10:55:38.816 edt: CRYPTO_PKI: parse content-length header. return code: (0) and content-length : (223)
Aug 10 10:55:38.816 edt: CRYPTO_PKI: Complete data arrived <TP>:unlocked trustpoint <TP>, refcount is 0
Aug 10 10:55:38.816 edt: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: <URL>
Server: Microsoft-IIS/10.0
Date: Wed, 10 Aug 2022 14:55:38 GMT
Connection: close
Content-Length: 223

Content-Type indicates we did not receive a certificate.