cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
560
Views
10
Helpful
4
Replies
Highlighted
Beginner

SCEP issue with Juniper

Hello All,

   I am experiencing an issue when trying to enroll a juniper certificate with a Cisco CA.  I get the following from debug.  Has anyone seen this and how did you resolve it?  Thanks!

CRYPTO_CS: received a SCEP GetCACert request

CRYPTO_CS: CA certificate sent

CRYPTO_CS: received a SCEP request, 2263 bytes

CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_15  

CRYPTO_CS: failed to open signed data

CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_15  

CRYPTO_CS: failed to read SCEP request

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Re: SCEP issue with Juniper

Hello again,

   I did some more research and it appears that Juniper only supports certificates from Entrust, Versign, and Microsoft.  This may be why the Cisco CA was unable to open the CSR from the Juniper even though the Juniper was able to successfully obtain the CA certificate via SCEP.  I do not think the juniper was using the CA's public key for the CSR which is why the CA could not open it.  I have spoken with my leadership and we are just going to go a different route.  Thank you so much for your assistance!

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

Re: SCEP issue with Juniper

Hi,

Although I am not familiar with operational specifics of the Juniper PKI Client, will give it a try based on generic PKI knowledge :-)
Based on the logs shared (of PKI/CA server), it looks like CA server failed to read the Signed data of Cert request received post GetCA exchange.

Please check if the Juniper/Client device managed to install the CA certificate and the same was used to sign the following Cert request.

Also, share the Platform and OS details of CA server.

Regards,
Santhosh
Highlighted
Beginner

Re: SCEP issue with Juniper

Hi, The CA server is a Cisco 4451 with IOS XE version 16.06.05. Part of the juniper enrollment process is to request the CA certificate. I do this and the certificate is received as evidenced by the verified fingerprints. The CA certificate is tied to a profile that is called when you are requesting the local cert on the juniper device.
Highlighted
Cisco Employee

Re: SCEP issue with Juniper

Hi,

 

What is the RSA Key length used by the client for this transaction?

If you are okay with sharing the config/debug logs, please share following:

---------

sh run | sec crypto

sh cry pki server

sh cry pki cert

---------

and following debug logs for the enrolment attempt:

---------
debug crypto pki m
debug crypto pki t
debug crypto pki v
debug crypto pki c
----------

 

Note: Make sure to turn off the debugs after collection of logs (undebug all)

 

Regards,

Santhosh

 

Highlighted
Beginner

Re: SCEP issue with Juniper

Hello again,

   I did some more research and it appears that Juniper only supports certificates from Entrust, Versign, and Microsoft.  This may be why the Cisco CA was unable to open the CSR from the Juniper even though the Juniper was able to successfully obtain the CA certificate via SCEP.  I do not think the juniper was using the CA's public key for the CSR which is why the CA could not open it.  I have spoken with my leadership and we are just going to go a different route.  Thank you so much for your assistance!

View solution in original post