Windows Server 2012 NDES - Problem Cisco IOS

Peter Long
Level 1

I've got a client with a new PKI environment, they have an Offline root > Intermediate > Issuing CA running NDES

I followed this procedure to configure NDES on the issuing (Sub CA).

When I built it in the test network with a standalone Enterprise root CA running NDES it worked fine.

In production the devices cannot get a cert.

If I run a debug on the network devices (Cisco) I see this error:

Jan  4 10:31:11.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/21, changed state to up
Jan  4 10:32:40.648: CRYPTO_PKI: pki request queued properly
Jan  4 10:32:40.648: CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=HG-Trustpoint HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.4.41


Jan  4 10:32:40.648: CRYPTO_PKI: locked trustpoint HG-Trustpoint, refcount is 1
Jan  4 10:32:40.656: CRYPTO_PKI: http connection opened
Jan  4 10:32:40.656: CRYPTO_PKI: Sending HTTP message

Jan  4 10:32:40.656: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.4.41


Jan  4 10:32:40.656: CRYPTO_PKI: unlocked trustpoint HG-Trustpoint, refcount is 0
Jan  4 10:32:40.656: CRYPTO_PKI: locked trustpoint HG-Trustpoint, refcount is 1
Jan  4 10:32:40.673: CRYPTO_PKI: unlocked trustpoint HG-Trustpoint, refcount is 0
Jan  4 10:32:40.673: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 7946
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/8.5
Date: Wed, 07 Jan 2015 10:30:36 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

Jan  4 10:32:40.673: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=HG-Trustpoint)

Jan  4 10:32:40.673: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_certc_pkcs7_extract_certs_and_crls failed
Jan  4 10:32:40.673: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_pkcs7_extract_ca_cert returned
Jan  4 10:32:40.673: CRYPTO_PKI: Unable to read CA/RA certificates.
Jan  4 10:32:40.673: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Jan  4 10:32:40.673: CRYPTO_PKI: transaction GetCACert completed

At first I thought it was a problem with the signature algorithm on the certs which was wrong, so I rebuilt everything and now it's right (sha1).

I've tried from multiple devices (switches, routers, firewalls etc.)

Still it will not work.

If I log a TAC call to Cisco they will just blame Microsoft and say my config is fine (which I can't argue with because it's the same config I used on the test bench!)

Help

2 Replies

Peter Long
Level 1


After much sweating I know what the problem is: it's the signature algorithm on the CA certs. I will get it all documented and post the fix :)

Pete
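An added diagnostic for the GetCACert exchange in the debug above and the cause named in the reply (example code written for this thread, not from the original post, Cisco or Microsoft). The IOS debug shows the CA/RA bundle arriving as application/x-x509-ca-ra-cert and crypto_certc_pkcs7_extract_certs_and_crls rejecting it with E_SIGNATURE_ALG_NOT_SUPPORTED; that bundle is a degenerate PKCS#7 SignedData carrying only certificates, so the script below walks it with a stdlib-only DER parser and names the signature algorithm of every CA and RA certificate, which is what you need to compare against what the device image supports. The fetch_get_ca_cert helper reuses the URL, host 10.1.4.41 and trustpoint name HG-Trustpoint from the debug; the demo run uses constructed stand-in certificates (a structurally valid Certificate SEQUENCE with a placeholder body and an all-zero signature, not real certs) so it runs offline; the OID table holds the standard PKCS#1 and X9.62 values.

```python
"""Name the signature algorithm of every certificate an NDES/SCEP server returns
for GetCACert.  The CA+RA bundle (application/x-x509-ca-ra-cert) is a degenerate
PKCS#7 SignedData holding only certificates, so a small DER walker suffices."""
import urllib.parse
import urllib.request

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
SIGNATURE_OIDS = {                                # standard PKCS#1 / X9.62 values
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def der_read(buf, pos=0):
    """Parse one TLV at buf[pos]; return (tag, value, whole_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def der_children(value):
    """Yield (tag, value, whole_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, raw, pos = der_read(value, pos)
        yield tag, inner, raw

def decode_oid(value):
    """Decode OID content octets (base-128 arcs, high bit = continuation) to dotted form."""
    arcs = ["2", str(value[0] - 80)] if value[0] >= 80 else [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def cert_signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, body, _, _ = der_read(cert_der)
    alg_id = list(der_children(body))[1][1]       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = next(der_children(alg_id))
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)     # unknown OIDs are reported in dotted form

def certificates_from_response(body):
    """DER certs in a GetCACert body: a bare CA cert (x-x509-ca-cert) or a PKCS#7 CA+RA bundle."""
    _, top, raw, _ = der_read(body)
    fields = list(der_children(top))
    if fields[0][0] != 0x06:                      # a Certificate starts with a SEQUENCE, not an OID
        return [raw]
    if decode_oid(fields[0][1]) != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not PKCS#7 signedData")
    _, signed_data, _, _ = der_read(fields[1][1])  # [0] EXPLICIT wraps the SignedData SEQUENCE
    for tag, value, _ in der_children(signed_data):
        if tag == 0xA0:                           # [0] IMPLICIT certificates SET OF Certificate
            return [raw for _, _, raw in der_children(value)]
    return []

def fetch_get_ca_cert(host, trustpoint):
    """Send the same GetCACert request the IOS debug shows; return the raw body."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": trustpoint})
    with urllib.request.urlopen(f"http://{host}/CertSrv/mscep/mscep.dll/pkiclient.exe?{query}", timeout=10) as r:
        return r.read()

# Constructed stand-ins so the demo runs offline: structurally valid, NOT real certificates.
SIG_SHA1 = bytes.fromhex("2A864886F70D010105")    # sha1WithRSAEncryption, DER content octets
SIG_SHA256 = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption

def der_encode(tag, value):
    """Build one TLV (only needed to construct the offline sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_certificate(sig_oid, label):
    tbs = der_encode(0x30, der_encode(0x0C, label.encode()))           # placeholder tbsCertificate
    alg = der_encode(0x30, der_encode(0x06, sig_oid) + der_encode(0x05, b""))
    return der_encode(0x30, tbs + alg + der_encode(0x03, bytes(17)))  # all-zero BIT STRING

def fake_get_ca_cert_response(certs):
    """Wrap certificates in a degenerate PKCS#7 SignedData, as NDES does for CA+RA."""
    signed_data = (der_encode(0x02, b"\x01") + der_encode(0x31, b"")   # version 1, no digest algs
                   + der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D010701")))  # id-data
                   + der_encode(0xA0, b"".join(certs)) + der_encode(0x31, b""))  # certs, no signers
    return der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D010702"))  # id-signedData
                      + der_encode(0xA0, der_encode(0x30, signed_data)))

if __name__ == "__main__":   # live use: certificates_from_response(fetch_get_ca_cert("10.1.4.41", "HG-Trustpoint"))
    sample = fake_get_ca_cert_response([fake_certificate(SIG_SHA256, "Issuing CA"), fake_certificate(SIG_SHA1, "NDES RA")])
    for i, cert in enumerate(certificates_from_response(sample)):
        print(f"cert[{i}]: {cert_signature_algorithm(cert)}")
```

Run it as-is for the offline demo, or swap the sample for fetch_get_ca_cert against the NDES server to see exactly which certificate in the bundle carries an algorithm the device cannot process; an OID missing from the table is printed in dotted form rather than hidden, since an unfamiliar algorithm is precisely the thing worth noticing here.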

Peter Long
Level 1