Hello,
I am having a bit of a strange problem. I am trying to get a certificate from an MS-SCEP Server. If the DeviceAuth template (on the MS CA) is set not to require manager approval, it works. When I enable manager approval, I see the request get created and go into Pending. Once it is there, whether I issue it or not, the request shows as REJECTED by the CA. Looking at the debug logs (debug crypto pki trans and debug crypto pki scep) I see a GetCACert request, a PKCSReq, a CertRep - PENDING, a GetCertInitial, a CertRep - PENDING, another GetCertInitial, then a CertRep - REJECTED, and after that I see status = 101 and Fail Info=4.
The trustpoint configuration is fairly straightforward:
crypto pki trustpoint TP_Name
 enrollment mode ra
 enrollment url http://<IP of SCEP Server>:80/CertSrv/mscep/mscep.dll
 usage ike
 serial-number
 subject-name <Text string>
 vrf <VRF Name>
 revocation-check none
 rsakeypair <RSA Key Name> 2048
That's all I have - has anyone got any ideas?
Thanks,
Brian
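
An added example, not part of the original post: a small Python helper that walks a SCEP message trace like the one described above, reports which request the final CertRep answered, and decodes the Fail Info value using the failInfo codes from RFC 8894. The trace is constructed from the message names in the post (real `debug crypto pki` output is more verbose), and the function and field names are hypothetical.

```python
import re

# failInfo codes defined for SCEP in RFC 8894.
# 4 (badCertId): no certificate could be identified matching the provided criteria.
FAIL_INFO = {
    0: "badAlg",
    1: "badMessageCheck",
    2: "badRequest",
    3: "badTime",
    4: "badCertId",
}

# Constructed trace: the message order described in the post, one event per line.
SAMPLE_TRACE = """\
GetCACert
PKCSReq
CertRep - PENDING
GetCertInitial
CertRep - PENDING
GetCertInitial
CertRep - REJECTED
status = 101
Fail Info=4
"""

def summarize(trace):
    """Walk a trace and report how the enrollment transaction ended."""
    result = {"polls": 0, "pending_replies": 0, "final": None,
              "failed_on": None, "fail_info": None}
    last_request = None
    for line in trace.splitlines():
        if m := re.search(r"\b(PKCSReq|GetCertInitial)\b", line):
            last_request = m.group(1)
            if last_request == "GetCertInitial":
                result["polls"] += 1          # each poll for the pending request
        elif m := re.search(r"CertRep\s*-\s*(\w+)", line):
            status = m.group(1).upper()
            if status == "PENDING":
                result["pending_replies"] += 1
            elif status != "SUCCESS":
                result["failed_on"] = last_request  # request the failure answered
            result["final"] = status
        elif m := re.search(r"Fail\s*Info\s*=\s*(\d+)", line, re.I):
            code = int(m.group(1))
            result["fail_info"] = FAIL_INFO.get(code, f"unknown({code})")
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

For the sequence in the post, the summary shows the failure arriving in reply to a GetCertInitial poll rather than to the original PKCSReq, with failInfo 4 decoding to badCertId.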