08-02-2011 12:59 AM
Hi, I am having problem re-newing some DMVPN spoke router certificates from CA server, all my DMVPN routers have pratically the same configuration, certificates are manully granted on CA.
See my comments start with ##
## trust point configuration
crypto pki trustpoint 01.2801.MyCo-CA.01
enrollment url http://01.2801.MyCo-CA.01:80
revocation-check crl
source interface Dialer1
auto-enroll 70
## current enrollment status is Pending, but CA server does not receive the certificate request
Nag.Jpn.2801.01#sh crypto pki trustpoints status
Trustpoint 01.2801.MyCo-CA.01:
Issuing CA certificate configured:
Subject Name:
cn=01.2801.MyCo-CA.01,l=Sunnyvale,st=CA,c=US
Fingerprint MD5: BF181599 0AFC2A8D 37C11333 DA6DD910
Fingerprint SHA1: E1C7417C B36734F0 0C315B67 DF961CE9 959CAC60
Router General Purpose certificate configured:
Subject Name:
hostname=Nag.Jpn.2801.01.MyCo.com
Fingerprint MD5: B2630A36 3AF568C3 B1FD5F81 C4FE19C3
Fingerprint SHA1: 835D4B56 459253A9 E5A637FD 55A1EAAB 4957B5B7
Last enrollment status: Pending <==
Next enrollment attempt:
21:58:49 JST Aug 2 2011
* Configuration will not be saved after enrollment *
State:
Keys generated ............. Yes (General Purpose, non-exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes
## Manually request certificate from CA results in FAIL right away
Nag.Jpn.2801.01(config)#crypto pki enroll 01.2801.MyCo-CA.01
Trustpoint 01.2801.MyCo-CA.01 has already enrolled and has a router cert issued to it.
If you successfully re-enroll this trustpoint,the existing certificate will be replaced.
Do you want to continue with re-enrollment? [yes/no]: yes
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: Nag.Jpn.2801.01.MyCo.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 0B0F75A9
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL <==???
## syslog
Aug 2 15:58:49.834 JST: %PKI-3-CERTRETFAIL: Certificate enrollment failed.
Aug 2 16:33:18.872 JST: %PKI-3-CERTRETFAIL: Certificate enrollment failed.
"debug crypto pki transaction" does not reveal anything, I am wondering when client sends certificate request to CA server, and CA then rebooted before the certificate is granted, would that cause the above problem? if so, how do I remove pending certificate request from the client?
Thanks,
08-02-2011 11:35 AM
Never mind, I just manually did certificate enrollment, I don't need to worry about this problem in another 2 years. ;-)
05-29-2013 08:08 AM
I can tell you that auto-enroll will not work unless your CA server is set to grant auto and currently has a shadow (rollover cert) ready to install. However that does not expalin whay the manual process failed. You need to address that before you attemp to correct the Auto-Enroll.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide