SCEP Enrollment failed: cert issuer mismatch

David.walsh
Level 1

Hello everyone,

I am stuck on an issue. I have a DMVPN environment and I am in the process of changing domains and thus new certs and cert servers. I set up my web server as my SCEP request handler (this is a Microsoft CA subordinate that handles the "NDES/MSCEP" cert publishing), and all is good. I established the new trustpoint on all my routers and authenticated them, again so far so good. Enrollment is where I am seeing an issue. I have no issue enrolling older equipment (2821, 3845, 1941, 2911, etc.), most with IOS 15.0, but I can't enroll any of my 4321's running 15.5. Is this a bug?

 

The enrollment request goes through, the CA issues the cert, and the router can see the cert was issued:

CRYPTO_PKI: status = 100: certificate is granted

Note: I can see the certificate as issued in my CA as well.

The PKCS#7 message contains 1 cert and 0 crls.
Newly-issued Router Cert: issuer=cn=xxxxxx ,dc=xxxxxx ,dc=com serial=xxxxxxxxxxxxxx
start date: 14:50:30 EST Aug 6 2018
end date: 15:00:30 EST Sep 6 2018
router date: 15:00:56 EST Aug 6 2018

**********************  AND THIS IS WHERE I FIRST SEE AN ISSUE ********

PKI: Router cert issuer mismatch
CRYPTO_PKI: status = 65535: Could not extract router cert or crl from certrep,
CRYPTO_PKI: status = 65535: Failed to process the inner content
%PKI-6-CERTFAIL: Certificate enrollment failed.

 

 

I have searched around but can't seem to find that "cert issuer mismatch" complaint anywhere. I would think it's something with the router not liking that the CA certificate it gets during the authentication step is not the CA that is trying to issue the certificate, since authentication would get you the Root CA's public, and not the subordinate, or issuing CA in this case, but I don't have an issue with the other routers I have enrolled, just my newer 4321's. Any help would be appreciated; I am guessing I need to enable something or add a command to the trustpoint settings?

 

Thanks,

Dave
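The router-side check the post describes (comparing the issuer of the freshly issued certificate with the CA certificate the trustpoint holds after authentication) can be reproduced offline from the debug output itself. The script below is an added example, not code from this thread or from Cisco: it parses a constructed transcript modeled on the lines quoted above, pulls out the status codes, issuer DN and validity dates, and reports whether the failure is a router-side rejection of a CA-granted certificate, whether the issuer is a CA other than the one the trustpoint was authenticated against (the root-versus-issuing-CA situation the poster suspects), and whether the router clock sits outside the certificate's validity window. The transcript text, the trustpoint CA subject and the finding codes are all assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample modeled on the "debug crypto pki" lines quoted in the question.
# DNs, serial and dates are made-up placeholders, not values from the thread.
SAMPLE_DEBUG = """\
CRYPTO_PKI: status = 100: certificate is granted
The PKCS#7 message contains 1 cert and 0 crls.
Newly-issued Router Cert: issuer=cn=EXAMPLE-ISSUING-CA ,dc=example ,dc=com serial=0A1B2C3D
start date: 14:50:30 EST Aug 6 2018
end date: 15:00:30 EST Sep 6 2018
router date: 15:00:56 EST Aug 6 2018
PKI: Router cert issuer mismatch
CRYPTO_PKI: status = 65535: Could not extract router cert or crl from certrep,
CRYPTO_PKI: status = 65535: Failed to process the inner content
%PKI-6-CERTFAIL: Certificate enrollment failed.
"""

# Subject DN of the CA certificate the trustpoint holds after "crypto pki authenticate".
# Constructed value: here it is the root, while the issuing CA above is a subordinate.
TRUSTPOINT_CA_SUBJECT = "cn=EXAMPLE-ROOT-CA,dc=example,dc=com"


def normalize_dn(dn):
    """Canonicalize an RDN string so spacing and case differences do not cause false mismatches."""
    return ",".join(part.strip().lower() for part in dn.split(",") if part.strip())


def parse_ios_date(text):
    """Parse '14:50:30 EST Aug 6 2018'; the zone token is dropped because strptime cannot portably read it."""
    cleaned = re.sub(r"^(\d\d:\d\d:\d\d) [A-Z]{3,4} ", r"\1 ", text.strip())
    return datetime.strptime(cleaned, "%H:%M:%S %b %d %Y")


def parse_enrollment_debug(text):
    """Extract status codes, issuer DN, validity dates and failure markers from the debug transcript."""
    parsed = {"statuses": [], "issuer": None, "start": None, "end": None,
              "router_time": None, "issuer_mismatch": False, "certfail": False}
    for line in text.splitlines():
        m = re.match(r"CRYPTO_PKI: status = (\d+): (.*)", line)
        if m:
            parsed["statuses"].append((int(m.group(1)), m.group(2).rstrip(",")))
            continue
        m = re.match(r"Newly-issued Router Cert: issuer=(.*?) serial=", line)
        if m:
            parsed["issuer"] = normalize_dn(m.group(1))
            continue
        for key, label in (("start", "start date"), ("end", "end date"), ("router_time", "router date")):
            if line.startswith(label + ":"):
                parsed[key] = parse_ios_date(line.split(":", 1)[1])
        if "Router cert issuer mismatch" in line:
            parsed["issuer_mismatch"] = True
        if "%PKI-6-CERTFAIL" in line:
            parsed["certfail"] = True
    return parsed


def triage(parsed, trustpoint_ca_subject):
    """Return (code, explanation) findings; codes are labels invented for this example."""
    findings = []
    granted = any(code == 100 for code, _ in parsed["statuses"])
    if granted and parsed["certfail"]:
        findings.append(("ROUTER_SIDE_REJECT",
                         "CA granted the certificate but the router rejected it; look at the router, not the CA"))
    if parsed["issuer_mismatch"]:
        if parsed["issuer"] and parsed["issuer"] != normalize_dn(trustpoint_ca_subject):
            findings.append(("ISSUER_NOT_TRUSTPOINT_CA",
                             "issued cert comes from a different CA than the one the trustpoint authenticated"))
        else:
            findings.append(("ISSUER_MISMATCH_UNEXPLAINED",
                             "router reports issuer mismatch although issuer equals the trustpoint CA subject"))
    if parsed["start"] and parsed["router_time"] and parsed["router_time"] < parsed["start"]:
        findings.append(("CLOCK_BEFORE_NOTBEFORE", "router clock is earlier than the certificate start date"))
    if parsed["end"] and parsed["router_time"] and parsed["router_time"] > parsed["end"]:
        findings.append(("CLOCK_AFTER_NOTAFTER", "router clock is past the certificate end date"))
    return findings


if __name__ == "__main__":
    for code, why in triage(parse_enrollment_debug(SAMPLE_DEBUG), TRUSTPOINT_CA_SUBJECT):
        print(f"{code}: {why}")
```

Running it on the constructed transcript yields two findings: the certificate was granted by the CA but rejected locally, and the issuer DN is not the CA the trustpoint was authenticated against. Seeing that combination on one platform and not on others, with identical trustpoint configuration, is what points at a software defect on the failing platform rather than at the CA or the trustpoint itself.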

 

 

Accepted Solution

Rahul Govindan
VIP Alumni

Are you enrolling to a subCA? Behavior looks like the following bug:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb96706

 

Workaround is to downgrade to 3.16.3S according to the bug.


Rahul,

Great find, it was the issue. I went to 3.16.6b / 15.5(3)S6b and the issue is gone. I was on 15.5(3)S4b and it had the bug.

Thanks again!

Dave