cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

SCEP issue with Juniper

YORKIE23
Beginner
Beginner

Hello All,

   I am experiencing an issue when trying to enroll a juniper certificate with a Cisco CA.  I get the following from debug.  Has anyone seen this and how did you resolve it?  Thanks!

CRYPTO_CS: received a SCEP GetCACert request

CRYPTO_CS: CA certificate sent

CRYPTO_CS: received a SCEP request, 2263 bytes

CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_15  

CRYPTO_CS: failed to open signed data

CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_15  

CRYPTO_CS: failed to read SCEP request

1 ACCEPTED SOLUTION

Accepted Solutions

Hello again,

   I did some more research and it appears that Juniper only supports certificates from Entrust, Versign, and Microsoft.  This may be why the Cisco CA was unable to open the CSR from the Juniper even though the Juniper was able to successfully obtain the CA certificate via SCEP.  I do not think the juniper was using the CA's public key for the CSR which is why the CA could not open it.  I have spoken with my leadership and we are just going to go a different route.  Thank you so much for your assistance!

View solution in original post

4 REPLIES 4

Santhosha Shetty
Cisco Employee
Cisco Employee
Hi,

Although I am not familiar with operational specifics of the Juniper PKI Client, will give it a try based on generic PKI knowledge :-)
Based on the logs shared (of PKI/CA server), it looks like CA server failed to read the Signed data of Cert request received post GetCA exchange.

Please check if the Juniper/Client device managed to install the CA certificate and the same was used to sign the following Cert request.

Also, share the Platform and OS details of CA server.

Regards,
Santhosh

Hi, The CA server is a Cisco 4451 with IOS XE version 16.06.05. Part of the juniper enrollment process is to request the CA certificate. I do this and the certificate is received as evidenced by the verified fingerprints. The CA certificate is tied to a profile that is called when you are requesting the local cert on the juniper device.

Hi,

 

What is the RSA Key length used by the client for this transaction?

If you are okay with sharing the config/debug logs, please share following:

---------

sh run | sec crypto

sh cry pki server

sh cry pki cert

---------

and following debug logs for the enrolment attempt:

---------
debug crypto pki m
debug crypto pki t
debug crypto pki v
debug crypto pki c
----------

 

Note: Make sure to turn off the debugs after collection of logs (undebug all)

 

Regards,

Santhosh

 

Hello again,

   I did some more research and it appears that Juniper only supports certificates from Entrust, Versign, and Microsoft.  This may be why the Cisco CA was unable to open the CSR from the Juniper even though the Juniper was able to successfully obtain the CA certificate via SCEP.  I do not think the juniper was using the CA's public key for the CSR which is why the CA could not open it.  I have spoken with my leadership and we are just going to go a different route.  Thank you so much for your assistance!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: