Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1563
Views
0
Helpful
2
Replies

CSR Generation on ASR 1001x

Go to solution
Gavin Sparks
Level 1
Level 1

‎02-27-2019 03:54 AM


Hi Trying to generate a CSR for a new trust point I've created on my ASR 1001x Router and I'm getting this error?


crypto pki trustpoint ACME
enrollment url http://192.168.1.1:80
fqdn mysite.acme.com
subject-name C=UK, ST=Pall Mall, L=London, O=Acme, OU=LAB, CN=mysit.acme.com
vrf FrontDoor

revocation-check none
rsakeypair ACME-KEY 2048

 

crypto pki enroll ACME

 

% You must authenticate the Certificate Authority before
you can enroll with it.

 

Any ideas why this is happening the router is fresh out of the box. The only other crypto commands to have been issued are:

 

crypto key generate rsa general-keys modulus 2048

 

The default crypto trustpoints are still configured.

Trustpoint CISCO_IDEVID_SUDI:

Trustpoint CISCO_IDEVID_SUDI0:

Trustpoint TP-self-signed

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎02-27-2019 03:59 AM

I am assuming you are trying to enroll to a CA (192.168.1.1) that is external to your ASR, in otherwords, you will need to authenticate this external CA. this is so the ASR actually trusts the CA before it enrolls

 

check this URL:  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3650-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_0101.pdf

Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎02-27-2019 03:59 AM

I am assuming you are trying to enroll to a CA (192.168.1.1) that is external to your ASR, in otherwords, you will need to authenticate this external CA. this is so the ASR actually trusts the CA before it enrolls

 

check this URL:  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3650-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_0101.pdf

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Go to solution
Gavin Sparks
Level 1
Level 1
In response to Dennis Mink

‎02-27-2019 05:37 AM

Ah you've pointed me in the right direction. I see the issue now.

Thanks

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card