cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
707
Views
0
Helpful
2
Replies
Highlighted
Beginner

CSR Generation on ASR 1001x


Hi Trying to generate a CSR for a new trust point I've created on my ASR 1001x Router and I'm getting this error?


crypto pki trustpoint ACME
enrollment url http://192.168.1.1:80
fqdn mysite.acme.com
subject-name C=UK, ST=Pall Mall, L=London, O=Acme, OU=LAB, CN=mysit.acme.com
vrf FrontDoor

revocation-check none
rsakeypair ACME-KEY 2048

 

crypto pki enroll ACME

 

% You must authenticate the Certificate Authority before
you can enroll with it.

 

Any ideas why this is happening the router is fresh out of the box. The only other crypto commands to have been issued are:

 

crypto key generate rsa general-keys modulus 2048

 

The default crypto trustpoints are still configured.

Trustpoint CISCO_IDEVID_SUDI:

Trustpoint CISCO_IDEVID_SUDI0:

Trustpoint TP-self-signed

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advisor

I am assuming you are trying to enroll to a CA (192.168.1.1) that is external to your ASR, in otherwords, you will need to authenticate this external CA. this is so the ASR actually trusts the CA before it enrolls

 

check this URL:  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3650-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_0101.pdf

Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

2 REPLIES 2
Highlighted
VIP Advisor

I am assuming you are trying to enroll to a CA (192.168.1.1) that is external to your ASR, in otherwords, you will need to authenticate this external CA. this is so the ASR actually trusts the CA before it enrolls

 

check this URL:  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3650-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_0101.pdf

Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

Highlighted

Ah you've pointed me in the right direction. I see the issue now.

Thanks