Router CA enroll requests failing...

maxgeezer (Level 1)

Hi

Would anyone be able to suggest why a 2610 router running 12.3(1a), which I have configured in a lab environment, is failing to enroll to a Windows 2000 Server running Certificate Services and SCEP?

Upon issuing "crypto ca enroll securitylab" I receive the following "debug crypto pki trans" output:

Dec 11 11:49:52.312: Signed Attributes:
Dec 11 11:49:52.316: CRYPTO_PKI: status = 101: certificate request is rejected
Dec 11 11:49:52.320: CRYPTO_PKI: Fail Info=2
Dec 11 11:49:52.320: CRYPTO_PKI: All enrollment requests completed for trustpoint securitylab.
Dec 11 11:49:52.324: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
Dec 11 11:49:52.324: CRYPTO_PKI: All enrollment requests completed for trustpoint securitylab

I have searched all over and I cannot find out what status 101 or Fail Info 2 means. The debug output looks like the CA is rejecting the enroll request but I cannot work out why. Certificate Services has been installed as a Standalone CA.

"crypto ca authenticate securitylab" looks to authenticate OK, I do not receive any errors.

I have also tried this with 12.3(5) and I get the same results.

Many thanks

Max...

5 Replies

gfullage (Cisco Employee)

What's your crypto config on the router look like? Have you installed the MSCEP DLL onto the CA server?

Hi - thanks for your reply.

The crypto VPN config is as follows:

crypto ca trustpoint securitylab
 enrollment mode ra
 enrollment url http://172.19.1.7:80/certsrv/mscep/mscep.dll
 serial-number
 ip-address none
 crl optional

I can confirm that I installed SCEP from cepsetup.exe and I can successfully http to the SCEP URL.

Any pointers would be appreciated as at the moment I am rather stuck.

Cheers!

Max...

Hi Glenn

Any further thoughts on this issue? Any other replies would be appreciated.

Thanks!

Max...

Have you tried restarting the "Worldwide Web Service" on the 2000 server. Sounds like a "known" issue in MSCEP.DLL on 2000 that goes into "deny everything" mode.

The point is that it might just as well be your CA server having problems; check the event log, etc.

Hi

Thanks for this, but I have already been down this route. To prove this wasn't the case I attempted to enroll against a different, working CA, again using SCEP and MS Certificate Services. This also didn't work.

I think this issue probably points to something IOS related as other routers running a different IOS are fine. The problem I have is that the other working IOS isn't supported on the 2600 series I am testing with.

It would be great if someone could identify what the error and status numbers mean in the above debug.

Max...
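The original post and the last reply both ask what "status = 101" and "Fail Info=2" mean. On the wire, SCEP (RFC 8894, section 3.2.1) carries the CA's verdict in two signed attributes of the CertRep: pkiStatus takes only the values 0 (SUCCESS), 2 (FAILURE) or 3 (PENDING), and failInfo takes 0 (badAlg), 1 (badMessageCheck), 2 (badRequest, "transaction not permitted or supported"), 3 (badTime) or 4 (badCertId). So 101 cannot be a protocol value and is an IOS-side status code, while a failInfo of 2 is badRequest, on the assumption that the debug prints the CA's failInfo unchanged. The following decoder is an added example written for this page, not code from the thread, Cisco or Microsoft; it encodes and decodes the SCEP attribute set with a minimal DER implementation (stdlib only) and maps the values to their RFC names. The transaction ID and nonces in the sample CertRep are constructed values.

```python
"""Encode/decode the SCEP signed attributes (RFC 8894, section 3.2.1) that carry
pkiStatus and failInfo, with a minimal DER implementation.  Added example."""

SCEP_ARC = "2.16.840.1.113733.1.9"          # OID arc for the SCEP attributes
SCEP_ATTRS = {
    SCEP_ARC + ".2": "messageType",
    SCEP_ARC + ".3": "pkiStatus",
    SCEP_ARC + ".4": "failInfo",
    SCEP_ARC + ".5": "senderNonce",
    SCEP_ARC + ".6": "recipientNonce",
    SCEP_ARC + ".7": "transactionID",
}
NAME_TO_OID = {name: oid for oid, name in SCEP_ATTRS.items()}

# Values a CA's CertRep actually carries on the wire (RFC 8894).
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
             "3": "badTime", "4": "badCertId"}
MESSAGE_TYPE = {"3": "CertRep", "17": "RenewalReq", "19": "PKCSReq",
                "20": "CertPoll", "21": "GetCert", "22": "GetCRL"}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string to DER content octets (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        out += chunk
    return out


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for byte in content[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_tlv(buf, pos=0):
    """Return (tag, content, position after the element); handles long-form lengths."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_scep_attrs(attrs):
    """Build a DER SET OF Attribute.  Text attributes become PrintableString (tag 0x13),
    nonces (bytes) become OCTET STRING (tag 0x04); DER requires the SET sorted by encoding."""
    encoded = []
    for name, value in attrs.items():
        val = der_tlv(0x04, value) if isinstance(value, bytes) else der_tlv(0x13, value.encode("ascii"))
        attr = der_tlv(0x06, encode_oid(NAME_TO_OID[name])) + der_tlv(0x31, val)
        encoded.append(der_tlv(0x30, attr))
    return der_tlv(0x31, b"".join(sorted(encoded)))


def decode_scep_attrs(der):
    """Parse a SET OF Attribute (or the [0] IMPLICIT form used for CMS signedAttrs)
    into {attribute name: str}; nonces are returned as hex."""
    tag, body, _ = parse_tlv(der)
    if tag not in (0x31, 0xA0):
        raise ValueError("expected SET OF Attribute, got tag 0x%02x" % tag)
    out, pos = {}, 0
    while pos < len(body):
        tag, attr, pos = parse_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Attribute must be a SEQUENCE")
        _, oid_bytes, p = parse_tlv(attr)
        _, values, _ = parse_tlv(attr, p)
        vtag, value, _ = parse_tlv(values)        # SCEP attributes are single-valued
        oid = decode_oid(oid_bytes)
        out[SCEP_ATTRS.get(oid, oid)] = value.decode("ascii") if vtag == 0x13 else value.hex()
    return out


def classify(attrs):
    """Return (pkiStatus name, failInfo name or None); FAILURE must carry failInfo and
    the other statuses must not (RFC 8894, sections 3.2.1.3 and 3.2.1.4)."""
    status = PKI_STATUS.get(attrs.get("pkiStatus"), "unknown(%s)" % attrs.get("pkiStatus"))
    fail = attrs.get("failInfo")
    fail_name = FAIL_INFO.get(fail, "unknown(%s)" % fail) if fail is not None else None
    if (status == "FAILURE") != (fail_name is not None):
        raise ValueError("pkiStatus %s inconsistent with failInfo %r" % (status, fail))
    return status, fail_name


def explain(attrs):
    status, fail = classify(attrs)
    mt = attrs.get("messageType")
    text = "%s: pkiStatus=%s (%s)" % (MESSAGE_TYPE.get(mt, "messageType " + str(mt)),
                                      attrs.get("pkiStatus"), status)
    if fail is not None:
        text += ", failInfo=%s (%s)" % (attrs["failInfo"], fail)
    return text


# Constructed sample: a CertRep rejecting a PKCSReq with failInfo badRequest.
SAMPLE_CERTREP_ATTRS = encode_scep_attrs({
    "transactionID": "5A1B2C3D4E5F60718293A4B5C6D7E8F9",   # constructed value
    "messageType": "3",
    "pkiStatus": "2",
    "failInfo": "2",
    "senderNonce": bytes(range(16)),                        # constructed value
    "recipientNonce": bytes(range(16, 32)),                 # constructed value
})

if __name__ == "__main__":
    print(explain(decode_scep_attrs(SAMPLE_CERTREP_ATTRS)))
```

Running the block prints the sample as "CertRep: pkiStatus=2 (FAILURE), failInfo=2 (badRequest)". To apply it to a real exchange, capture the HTTP response to the PKIOperation request and hand `decode_scep_attrs` the signedAttrs of the SignerInfo from the outer CMS SignedData; the consistency check in `classify` also flags malformed responses, such as a FAILURE without a failInfo, which are worth reporting separately from a genuine CA rejection.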