09-24-2019 02:17 PM
Hello All,
I am experiencing an issue when trying to enroll a Juniper certificate with a Cisco CA. I get the following from debug. Has anyone seen this and how did you resolve it? Thanks!
CRYPTO_CS: received a SCEP GetCACert request
CRYPTO_CS: CA certificate sent
CRYPTO_CS: received a SCEP request, 2263 bytes
CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_15
CRYPTO_CS: failed to open signed data
CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_15
CRYPTO_CS: failed to read SCEP request
09-25-2019 09:03 PM
Hi,
What is the RSA Key length used by the client for this transaction?
If you are okay with sharing the config/debug logs, please share the following:
---------
sh run | sec crypto
sh cry pki server
sh cry pki cert
---------
and the following debug logs for the enrolment attempt:
---------
debug crypto pki m
debug crypto pki t
debug crypto pki v
debug crypto pki c
----------
Note: Make sure to turn off the debugs after collection of logs (undebug all)
Regards,
Santhosh
09-26-2019 12:04 PM
Hello again,
I did some more research and it appears that Juniper only supports certificates from Entrust, Verisign, and Microsoft. This may be why the Cisco CA was unable to open the CSR from the Juniper even though the Juniper was able to successfully obtain the CA certificate via SCEP. I do not think the Juniper was using the CA's public key for the CSR, which is why the CA could not open it. I have spoken with my leadership and we are just going to go a different route. Thank you so much for your assistance!
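
The discussion above turns on how a SCEP request is wrapped: per RFC 8894, an enrollment request is a CMS SignedData whose content is an EnvelopedData encrypted to the CA. As an added example (not from the thread, Cisco or Juniper), this Python reads the outer layer of a captured, already-decoded request body and reports the content type, SignedData version and declared digest algorithms, a first check when a CA logs "failed to open signed data". The function names are hypothetical and the sample bytes are constructed.

```python
# Added example: inspect the outer CMS layer of a DER-encoded SCEP request body.
OIDS = {"1.2.840.113549.1.7.2": "signedData", "1.2.840.113549.2.5": "md5",
        "1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid_name(body):
    """Decode DER OID content bytes; return a known name or the dotted form."""
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs, val = subs + [val], 0
    if not subs:
        raise ValueError("empty OID")
    first = min(subs[0] // 40, 2)
    dotted = ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))
    return OIDS.get(dotted, dotted)

def inspect_scep_request(der):
    """Report content type, SignedData version and declared digest algorithms."""
    tag, content_info, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (body still base64/URL-encoded?)")
    _, oid, pos = read_tlv(content_info, 0)
    report = {"content_type": oid_name(oid), "version": None, "digests": []}
    if report["content_type"] != "signedData":
        return report
    _, explicit, _ = read_tlv(content_info, pos)   # [0] EXPLICIT wrapper
    _, signed, _ = read_tlv(explicit, 0)           # SignedData SEQUENCE
    _, version, pos = read_tlv(signed, 0)          # version INTEGER
    report["version"] = int.from_bytes(version, "big")
    _, algs, _ = read_tlv(signed, pos)             # digestAlgorithms SET
    pos = 0
    while pos < len(algs):
        _, alg, pos = read_tlv(algs, pos)          # one AlgorithmIdentifier
        report["digests"].append(oid_name(read_tlv(alg, 0)[1]))
    return report

# Constructed sample: only the leading SignedData fields, not a full request.
SAMPLE = bytes.fromhex("3030 06092a864886f70d010702 a023 3021 020101 310f"
                       " 300d 0609608648016503040201 0500 300b 06092a864886f70d010701")
```

A report whose content type is not signedData, or a ValueError on a body that is still base64 or truncated, points at the transport or client encoding rather than at the CA's keys.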