SCEP issue with Juniper

YORKIE23
Level 1

Hello All,

   I am experiencing an issue when trying to enroll a Juniper certificate with a Cisco CA. I get the following from debug. Has anyone seen this and how did you resolve it? Thanks!

CRYPTO_CS: received a SCEP GetCACert request

CRYPTO_CS: CA certificate sent

CRYPTO_CS: received a SCEP request, 2263 bytes

CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_15  

CRYPTO_CS: failed to open signed data

CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_15  

CRYPTO_CS: failed to read SCEP request

Accepted Solution

Hello again,

   I did some more research and it appears that Juniper only supports certificates from Entrust, VeriSign, and Microsoft. This may be why the Cisco CA was unable to open the CSR from the Juniper even though the Juniper was able to successfully obtain the CA certificate via SCEP. I do not think the Juniper was using the CA's public key for the CSR, which is why the CA could not open it. I have spoken with my leadership and we are just going to go a different route. Thank you so much for your assistance!

4 Replies

Santhosha Shetty
Cisco Employee
Hi,

Although I am not familiar with the operational specifics of the Juniper PKI client, I will give it a try based on generic PKI knowledge :-)
Based on the logs shared (from the PKI/CA server), it looks like the CA server failed to read the signed data of the certificate request received after the GetCACert exchange.

Please check if the Juniper/Client device managed to install the CA certificate and the same was used to sign the following Cert request.

Also, share the Platform and OS details of CA server.

Regards,
Santhosh
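To make the two PKCS#7 layers of a SCEP PKCSReq concrete (and the two distinct ways a CA can fail on one), here is an added openssl-based model; it is not from the thread or from either vendor. It assumes a POSIX shell with openssl on the path, constructs its own throwaway CA and client keys, and omits the SCEP signed attributes (transactionID, messageType, senderNonce), so it models only the cryptographic envelope, not the full protocol.

```shell
#!/bin/sh
# Model of a SCEP PKCSReq: SignedData (by the client's self-signed cert)
# wrapping EnvelopedData (encrypted to the CA cert) wrapping a PKCS#10 CSR.
set -e
WORK=$(mktemp -d)

make_keys() {  # constructed sample material: CA cert, client self-signed cert, client CSR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example IOS CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=scep-client" \
    -keyout "$WORK/client.key" -out "$WORK/client-self.crt" 2>/dev/null
  openssl req -new -key "$WORK/client.key" -subj "/CN=scep-client" \
    -out "$WORK/client.csr" 2>/dev/null
}

# Client side. $1 = recipient cert the CSR is enveloped to (must be the CA cert), $2 = output DER.
build_pkcsreq() {
  openssl cms -encrypt -binary -aes-128-cbc -in "$WORK/client.csr" \
    -outform DER -out "$WORK/env.der" "$1"
  openssl cms -sign -binary -nodetach -in "$WORK/env.der" -inkey "$WORK/client.key" \
    -signer "$WORK/client-self.crt" -outform DER -out "$2"
}

# CA side. Prints "ok" or the first stage that fails, mirroring the debug wording in the thread.
ca_open_pkcsreq() {
  # Outer layer: the signer is self-signed, so only the signature itself is checked (-noverify).
  if ! openssl cms -verify -binary -noverify -inform DER -in "$1" \
       -out "$WORK/env-out.der" 2>/dev/null; then
    echo "failed to open signed data"; return 0
  fi
  # Inner layer: only the CA key can open the envelope, so a CSR enveloped to the wrong cert stops here.
  if ! openssl cms -decrypt -inform DER -in "$WORK/env-out.der" -inkey "$WORK/ca.key" \
       -recip "$WORK/ca.crt" -out "$WORK/csr-out.pem" 2>/dev/null; then
    echo "failed to decrypt enveloped data"; return 0
  fi
  # The CA now holds the plain PKCS#10 request and can check its self-signature.
  if ! openssl req -in "$WORK/csr-out.pem" -noout -verify 2>/dev/null; then
    echo "failed to read SCEP request"; return 0
  fi
  echo ok
}
```

Run make_keys, then build_pkcsreq with the CA cert for the good case, with the client's own cert to see the envelope fail, or truncate the DER to see the signed layer fail as in the question's log.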

Hi, The CA server is a Cisco 4451 with IOS XE version 16.06.05. Part of the Juniper enrollment process is to request the CA certificate. I do this and the certificate is received, as evidenced by the verified fingerprints. The CA certificate is tied to a profile that is called when you are requesting the local cert on the Juniper device.

Hi,

What is the RSA key length used by the client for this transaction?

If you are okay with sharing the config/debug logs, please share following:

---------

sh run | sec crypto

sh cry pki server

sh cry pki cert

---------

and the following debug logs for the enrolment attempt:

---------
debug crypto pki m
debug crypto pki t
debug crypto pki v
debug crypto pki c
----------

Note: Make sure to turn off the debugs after collection of logs (undebug all)

Regards,

Santhosh
