SCEP - Get Both IP and DNS in SAN — Undocumented Trustpoint fix

carpe06303
Level 1

I ran into a frustrating but now-solved issue with certificate enrollment via SCEP/NDES on a Cisco IOS XE 8300 router. I’m sharing this in case it helps anyone else avoid the hours I lost troubleshooting it.

The Issue: Using crypto pki trustpoint with ip-address and subject-alt-name configured, the final cert would only have the DNS in the SAN list, no IP.

The Fix (Undocumented Trick):

Configure your trustpoint with the IP, but NOT the subject-alt-name:

! Trustpoint as posted: ip-address is set, subject-alt-name is deliberately NOT set
crypto pki trustpoint NDES_TP
 ! SCEP enrollment URL of the NDES server (mscep.dll)
 enrollment url http://NDES_SERVER.lab.me/certsrv/mscep/mscep.dll
 ! fqdn becomes the DNS entry of the SAN the router builds itself
 fqdn test.lab.me
 subject-name CN=test.lab.me, OU=Network, O=Company, L=City, ST=State, C=US
 ! ip-address becomes the IP Address entry of the router-built SAN
 ip-address x.x.x.x
 rsakeypair HTTPSKEY
 ! SCEP challenge password
 password xxxxx
 auto-enroll
 serial-number
 revocation-check none

Before exiting trustpoint config:
Run show to see the auto-generated SAN
Run no subject-alt-name to clear the internal SAN
Run show again to verify it’s cleared
Exit trustpoint config

Enroll:
crypto pki enroll NDES_TP

Certificate Result:
X509v3 Subject Alternative Name:
DNS:test.lab.me
IP Address:x.x.x.x

Tested Environment:
Platform: Cisco C8300
IOS XE: 17.12.4
CA: Windows Server 2019 ADCS with NDES
CA Registry Setting: EnableRequestExtensionList includes 2.5.29.17

This behavior isn’t documented in the PKI config guide or SCEP documentation. Most forums say “IP in SAN isn’t supported,” but that’s not true — it works if you leave subject-alt-name out and let the router construct the SAN itself.

Hope this helps someone else avoid the same issue.
