Cannot get certificate from CA server

Hi, I am having problems renewing some DMVPN spoke router certificates from the CA server. All my DMVPN routers have practically the same configuration, and certificates are manually granted on the CA.

See my comments starting with ##

## trustpoint configuration

crypto pki trustpoint 01.2801.MyCo-CA.01
 enrollment url http://01.2801.MyCo-CA.01:80
 revocation-check crl
 source interface Dialer1
 auto-enroll 70

## current enrollment status is Pending, but the CA server does not receive the certificate request

Nag.Jpn.2801.01#sh crypto pki trustpoints status
Trustpoint 01.2801.MyCo-CA.01:
  Issuing CA certificate configured:
    Subject Name:
    Fingerprint MD5: BF181599 0AFC2A8D 37C11333 DA6DD910
    Fingerprint SHA1: E1C7417C B36734F0 0C315B67 DF961CE9 959CAC60
  Router General Purpose certificate configured:
    Subject Name:
    Fingerprint MD5: B2630A36 3AF568C3 B1FD5F81 C4FE19C3
    Fingerprint SHA1: 835D4B56 459253A9 E5A637FD 55A1EAAB 4957B5B7
  Last enrollment status: Pending <==
  Next enrollment attempt:
    21:58:49 JST Aug 2 2011
    * Configuration will not be saved after enrollment *
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes

## Manually requesting a certificate from the CA results in FAIL right away

Nag.Jpn.2801.01(config)#crypto pki enroll 01.2801.MyCo-CA.01
Trustpoint 01.2801.MyCo-CA.01 has already enrolled and has a router cert issued to it.
If you successfully re-enroll this trustpoint,the existing certificate will be replaced.
Do you want to continue with re-enrollment? [yes/no]: yes

% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Re-enter password:
% The subject name in the certificate will include:
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 0B0F75A9
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL <==???

## syslog

Aug  2 15:58:49.834 JST: %PKI-3-CERTRETFAIL: Certificate enrollment failed.
Aug  2 16:33:18.872 JST: %PKI-3-CERTRETFAIL: Certificate enrollment failed.

"debug crypto pki transaction" does not reveal anything. I am wondering: if the client sends a certificate request to the CA server and the CA is then rebooted before the certificate is granted, would that cause the above problem? If so, how do I remove the pending certificate request from the client?



Never mind, I just manually did the certificate enrollment; I don't need to worry about this problem for another 2 years. ;-)


I can tell you that auto-enroll will not work unless your CA server is set to grant auto and currently has a shadow (rollover cert) ready to install. However, that does not explain why the manual process failed. You need to address that before you attempt to correct the auto-enroll.
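The thread shows the two signals an operator has to notice an enrollment that never completes: the "Last enrollment status" and "Next enrollment attempt" fields of `show crypto pki trustpoints status`, and the `%PKI-3-CERTRETFAIL` syslog message. Below is an added example, not code from the thread or from Cisco, that parses both so a monitor can flag a trustpoint stuck in Pending before the certificate expires. The sample status output and syslog lines are constructed to mirror what is quoted above; the field names and regexes assume the output layout shown in this thread.

```python
"""Flag Cisco IOS PKI trustpoints whose enrollment is pending or failing.

Added example, not from the thread. It parses `show crypto pki trustpoints status`
output and router syslog lines. SAMPLE_STATUS and SAMPLE_SYSLOG are constructed
samples modelled on the output quoted in the thread.
"""
import re
from datetime import datetime

SAMPLE_STATUS = """\
Trustpoint 01.2801.MyCo-CA.01:
  Issuing CA certificate configured:
    Subject Name:
    Fingerprint MD5: BF181599 0AFC2A8D 37C11333 DA6DD910
    Fingerprint SHA1: E1C7417C B36734F0 0C315B67 DF961CE9 959CAC60
  Router General Purpose certificate configured:
    Subject Name:
    Fingerprint MD5: B2630A36 3AF568C3 B1FD5F81 C4FE19C3
    Fingerprint SHA1: 835D4B56 459253A9 E5A637FD 55A1EAAB 4957B5B7
  Last enrollment status: Pending
  Next enrollment attempt:
    21:58:49 JST Aug 2 2011
    * Configuration will not be saved after enrollment *
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes
"""

SAMPLE_SYSLOG = [  # constructed: two failures plus one unrelated line
    "Aug  2 15:58:49.834 JST: %PKI-3-CERTRETFAIL: Certificate enrollment failed.",
    "Aug  2 16:33:18.872 JST: %PKI-3-CERTRETFAIL: Certificate enrollment failed.",
    "Aug  2 16:40:00.001 JST: %SYS-5-CONFIG_I: Configured from console by console",
]

TP_RE = re.compile(r"^Trustpoint (\S+):")
STATUS_RE = re.compile(r"Last enrollment status: (\S+)")
TIME_RE = re.compile(r"(\d\d:\d\d:\d\d) (\w+) (\w{3}) (\d{1,2}) (\d{4})")
CHECK_RE = re.compile(
    r"^\s*(Keys generated|Issuing CA authenticated|Certificate request\(s\)) \.+ (Yes|No)")
CERTRETFAIL_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) \w+: %PKI-3-CERTRETFAIL")


def parse_ios_time(text):
    """Parse 'HH:MM:SS TZ Mon D YYYY' into (naive datetime, tz label)."""
    m = TIME_RE.search(text)
    if not m:
        return None, None
    hms, tz, mon, day, year = m.groups()
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y"), tz


def parse_trustpoint_status(text):
    """Return {trustpoint_name: info} from `show crypto pki trustpoints status`."""
    result, current, expect_time = {}, None, False
    for line in text.splitlines():
        m = TP_RE.match(line)
        if m:  # start of a new trustpoint block
            current = {"status": None, "next_attempt": None, "next_attempt_tz": None, "checks": {}}
            result[m.group(1)] = current
            continue
        if current is None:
            continue
        m = STATUS_RE.search(line)
        if m:
            current["status"] = m.group(1)
            continue
        if "Next enrollment attempt:" in line:
            expect_time = True  # the timestamp is on the following line
            continue
        if expect_time:
            current["next_attempt"], current["next_attempt_tz"] = parse_ios_time(line)
            expect_time = False
            continue
        m = CHECK_RE.match(line)
        if m:  # the three "....... Yes/No" checklist rows
            current["checks"][m.group(1)] = m.group(2) == "Yes"
    return result


def enrollment_failures(lines):
    """Return the timestamps of every %PKI-3-CERTRETFAIL syslog line."""
    return [m.group(1) for line in lines for m in [CERTRETFAIL_RE.match(line)] if m]


def assess(name, info, failure_times, now):
    """Return findings for one trustpoint; an empty list means nothing to report."""
    findings = []
    if info["status"] != "Granted":
        findings.append(f"{name}: last enrollment status is {info['status']}")
    if info["status"] == "Pending" and info["checks"].get("Certificate request(s)"):
        findings.append(f"{name}: router believes a request is outstanding; confirm the CA queued it")
    if info["next_attempt"] and info["next_attempt"] < now:
        findings.append(f"{name}: scheduled retry at {info['next_attempt']} passed without a grant")
    if failure_times:
        findings.append(f"{name}: {len(failure_times)} CERTRETFAIL events, last at {failure_times[-1]}")
    return findings


if __name__ == "__main__":
    now, _ = parse_ios_time("22:30:00 JST Aug 2 2011")  # constructed clock, after the retry
    fails = enrollment_failures(SAMPLE_SYSLOG)
    for name, info in parse_trustpoint_status(SAMPLE_STATUS).items():
        for finding in assess(name, info, fails, now):
            print(finding)
```

Run against the sample, this reports the Pending status, the outstanding request, the missed retry window and the two CERTRETFAIL events, which is the set of facts the poster had to assemble by hand. The timestamps are kept naive with the zone label alongside because IOS prints the zone name rather than an offset.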
