02-27-2019 03:54 AM
Hi, I'm trying to generate a CSR for a new trust point I've created on my ASR 1001x router and I'm getting this error:
crypto pki trustpoint ACME
enrollment url http://192.168.1.1:80
fqdn mysite.acme.com
subject-name C=UK, ST=Pall Mall, L=London, O=Acme, OU=LAB, CN=mysit.acme.com
vrf FrontDoor
revocation-check none
rsakeypair ACME-KEY 2048
crypto pki enroll ACME
% You must authenticate the Certificate Authority before
you can enroll with it.
Any ideas why this is happening? The router is fresh out of the box. The only other crypto commands to have been issued are:
crypto key generate rsa general-keys modulus 2048
The default crypto trustpoints are still configured.
Trustpoint CISCO_IDEVID_SUDI:
Trustpoint CISCO_IDEVID_SUDI0:
Trustpoint TP-self-signed
02-27-2019 03:59 AM
I am assuming you are trying to enroll to a CA (192.168.1.1) that is external to your ASR. In other words, you will need to authenticate this external CA. This is so the ASR actually trusts the CA before it enrolls.
Check this URL: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3650-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_0101.pdf
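Authenticating the CA (`crypto pki authenticate ACME`) ends with the router showing the CA certificate's fingerprint and asking whether to accept it, and that prompt is the point where trust is decided. The Python below is an added example, not part of the thread: it computes the fingerprint of a CA certificate copy obtained out of band and compares it with the value shown at the prompt. The grouped 8-hex-digit display format, the function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode the first certificate body to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def ios_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash the DER bytes and group the digest as 8-hex-digit words
    (assumed router display style, e.g. 'A9993E36 4706816A ...')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def normalize(fp: str) -> str:
    """Drop spaces, colons and case so router-style and openssl-style strings compare equal."""
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned

def fingerprint_matches(displayed: str, der: bytes, algo: str = "sha1") -> bool:
    """True only if the fingerprint shown at the prompt equals the trusted copy's hash."""
    expected = hashlib.new(algo, der).hexdigest().upper()
    return hmac.compare_digest(normalize(displayed), expected)

# Constructed stand-in bytes, NOT a real certificate. A fingerprint is a hash over
# the DER encoding, so any byte string exercises the same code path.
SAMPLE_DER = b"constructed stand-in for the CA certificate DER bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    shown = ios_fingerprint(der)  # stands in for the value read off the router prompt
    print("SHA1 fingerprint:", shown)
    print("matches trusted copy:", fingerprint_matches(shown, der))
```

With `revocation-check none` and enrollment over plain HTTP, as in the trustpoint above, this comparison is the only check binding the router to the intended CA, so answer "yes" at the prompt only when it returns a match.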
02-27-2019 05:37 AM
Ah, you've pointed me in the right direction. I see the issue now.
Thanks