08-02-2007 09:05 AM - edited 03-09-2019 06:31 PM
I've been really struggling with the PC certificate request/enrollment, trying various versions of Cisco VPN Client: 4.6, 4.8, 5.0. I've tried every combination of SCEP and/or file binary/file base 64 without any promise of avoiding errors, all leading me to believe a bad certificate was created.
I'm using Cisco's IOS 12.4(13b) as CA server and have tried to connect to both RA and CA.
Common enrollment error at router IOS:
--------------------------------------
Aug 2 16:10:10.910: CRYPTO_CS: received an enrollment request
Aug 2 16:10:10.918: E ../cert-c/source/certobj.c(691) : Error #705h
Aug 2 16:10:10.918: CRYPTO_CS: failed to set the cert object
Aug 2 16:10:21.888: CRYPTO_CS: Granting enrollment request 15
Aug 2 16:10:21.892: CRYPTO_CS: added CDP extension
Aug 2 16:10:21.892: CRYPTO_CS: added key usage extension
Aug 2 16:10:22.809: CRYPTO_CS: serial number 0x10 written.
Aug 2 16:10:22.914: CRYPTO_CS: reqID=15 granted, fingerprint=8D150C0D95F736A76D92EED700924315
A client enroll error is:
-------------------------
1 10:58:49.362 08/02/07 Sev=Warning/3 CERT/0xA360000C
Certificate import failed - ImportMyCertAndKey: 1797
2 10:58:49.362 08/02/07 Sev=Warning/3 CERT/0xA360000C
Certificate import failed - ImportCertFromPkcs12File fail: 1797
I've attached a file of the run-time error from the IOS, which is similar to the client's run-time error below, but much more informative:
-------------------------------------------------------
1 16:28:30.598 08/01/07 Sev=Warning/3 IKE/0xE3000081
Invalid remote certificate id: ID_FQDN: ID = vpn-end.gplops.org, Certificate = [NULL]
2 16:28:30.598 08/01/07 Sev=Warning/3 IKE/0xE3000058
The peer's certificate doesn't match Phase 1 ID
3 16:28:30.618 08/01/07 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2202)
What other products are inexpensive yet dependable? I need a low-cost approach to roll it out. Small shop; planned # of VPN users is less than 25.
Help...
08-08-2007 05:57 PM
In order to resolve this issue, use up to 64 characters in the CN field, as the CN field is currently limited to 64 characters only.
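A pre-enrollment check for the 64-character CN limit mentioned in the reply above, as an added example that is not part of the original thread. It also checks other subject attributes against the X.520 upper bounds from RFC 5280, which goes beyond the CN case discussed here; the function names and the sample subject are constructed for illustration.

```python
# X.520 / RFC 5280 upper bounds, in characters, for common subject attributes.
UPPER_BOUNDS = {"CN": 64, "O": 64, "OU": 64, "L": 128, "ST": 128, "C": 2}


def split_dn(dn):
    """Split a comma-separated DN string into (type, value) pairs.

    Handles single-character backslash escapes such as "\\," so an escaped
    comma stays inside its value. Hex escapes and multi-valued RDNs ("+")
    are not interpreted.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))  # unescaped comma ends this RDN
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))

    pairs = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_subject(dn):
    """Return (attribute, length, limit) for every value over its bound."""
    return [(a, len(v), UPPER_BOUNDS[a])
            for a, v in split_dn(dn)
            if a in UPPER_BOUNDS and len(v) > UPPER_BOUNDS[a]]


if __name__ == "__main__":
    # Constructed sample subject: the CN is 70 characters long.
    sample = "CN=" + "laptop-" * 10 + ",OU=Remote Access,O=Example Corp,C=US"
    for attr, length, limit in check_subject(sample):
        print(f"{attr} is {length} characters, limit is {limit}")
```

Running the check on the subject string before generating the enrollment request catches an over-long CN on the client side, before the CA has to reject or mangle it.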