07-27-2010 12:30 PM
We set up a Cisco IOS Certificate Server, and successfully issued several certificates (via SCEP enrollment) to routers participating in a DMVPN. We then tried to enroll a c3550 (c3550-ipservicesk9-mz.122-52.SE) via SCEP, but encountered an issue with certificate storage. Both devices convey an NTP status of synchronized.
When we generate a certificate request on the c3550, we see the certificate status as "pending" on the 3550, and we see the certificate request in the enrollment request database on the CA:
dist01#sh crypto pki certificates
CA Certificate
<snipped>
Router Self-Signed Certificate
<snipped>
Certificate
Subject:
Name: dist01.domain.null
Status: Pending
Key Usage: General Purpose
Certificate Request Fingerprint MD5: 4D728B67
Certificate Request Fingerprint SHA1: A94BB8B7
Associated Trustpoint: ca.domain.null
ca# crypto pki server ca.domain.null info requests
Enrollment Request Database:
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
7 pending 4D728B67 hostname=dist01.domain.null,cn=dist01.domain.null
We then grant the certificate request and confirm the status change on the CA.
ca# crypto pki server ca.domain.null grant 7
ca# crypto pki server ca.domain.null info requests
Enrollment Request Database:
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
7 granted 4D728B67 hostname=dist01.domain.null,cn=dist01.domain.null
We see the c3550 retrieve the certificate with Wireshark. The CA then shows the enrollment request database as empty, but the c3550 no longer lists the certificate with any status (available or pending). The c3550 has failed to store the issued certificate.
ca#crypto pki server ca.domain.null info requests
The Enrollment Request Database is empty.
dist01#sh crypto pki certificates
CA Certificate
<snipped>
Router Self-Signed Certificate
<snipped>
When we examine NVRAM we only see the pre-existing CA and Self-Signed certificates, and confirmation that adequate space exists to accommodate an additional certificate (344010 bytes free).
Anyone have any idea why the c3550 would fail to store the certificate following retrieval?
The c3550 Trustpoint is configured as follows:
crypto pki trustpoint ca.domain.null
enrollment url http://ca.domain.null:80
usage ike
serial-number none
ip-address none
fingerprint D4F3751B <snipped>
subject-name cn=dist01.domain.null
revocation-check crl
rsakeypair dist01.domain.null
Any assistance would be appreciated.
Best Regards,
Mike
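As an added example, not part of the original post: a small Python script that parses the two outputs quoted above (constructed sample text modelled on them, with the snipped fields filled in) and classifies a trustpoint's SCEP enrollment state from both sides, flagging the symptom described here, where the CA's request database is drained but the router holds no identity certificate for the trustpoint.

```python
import re

# Constructed sample output modelled on the thread; snipped fields are filled in.
ROUTER_AFTER = """\
CA Certificate
  Status: Available
  Associated Trustpoint: ca.domain.null
"""
ROUTER_PENDING = ROUTER_AFTER + """\
Certificate
  Status: Pending
  Associated Trustpoint: ca.domain.null
"""
CA_GRANTED = """\
ReqID  State  Fingerprint  SubjectName
--------------------------------------------------------------
7  granted  4D728B67  hostname=dist01.domain.null,cn=dist01.domain.null
"""
CA_EMPTY = "The Enrollment Request Database is empty.\n"
HEADERS = ("CA Certificate", "Router Self-Signed Certificate", "Certificate")

def parse_router_certs(text):
    """Return [(kind, status, trustpoint)] parsed from 'show crypto pki certificates'."""
    certs = []
    for line in text.splitlines():
        s = line.strip()
        if s in HEADERS:
            certs.append({"kind": s, "status": None, "tp": None})
        elif certs and s.startswith("Status:"):
            certs[-1]["status"] = s.split(":", 1)[1].strip()
        elif certs and s.startswith("Associated Trustpoint:"):
            certs[-1]["tp"] = s.split(":", 1)[1].strip()
    return [(c["kind"], c["status"], c["tp"]) for c in certs]

def parse_ca_requests(text):
    """Return {cn: state} from 'crypto pki server <name> info requests'."""
    reqs = {}
    for m in re.finditer(r"^\s*\d+\s+(\w+)\s+[0-9A-F]{8}\s+(\S+)", text, re.M):
        cn = dict(kv.split("=", 1) for kv in m.group(2).split(","))["cn"]
        reqs[cn] = m.group(1)
    return reqs

def enrollment_state(router_text, ca_text, trustpoint, cn):
    """Classify one trustpoint's SCEP enrollment from both sides' output."""
    ident = [s for k, s, tp in parse_router_certs(router_text)
             if k == "Certificate" and tp == trustpoint]
    ca_state = parse_ca_requests(ca_text).get(cn)
    if "Available" in ident:
        return "enrolled"
    if "Pending" in ident:
        return "awaiting grant" if ca_state == "pending" else "granted, not yet retrieved"
    if ca_state is None:  # the thread's symptom: CA queue drained, no identity cert
        return "no identity certificate: a retrieved grant was not stored"
    return "unexpected: CA shows %s, router has no request" % ca_state
```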
07-27-2010 09:03 PM
Update:
We performed a manual (cut and paste) PKI enrollment via the terminal, and successfully imported a certificate into the c3550.
Still open to hearing any thoughts on the failure to store the certificate via SCEP enrollment.
Best Regards,
Mike