Certificate Enrollment Failed

gufari101
Level 1

Hi guys

I have a profile on my VPN firewall to enroll my device with my private CA. The enrollment URLs are configured as shown below.

enrollment url http://192.168.18.21:80/certsrv/mscep/mscep.dll
scep-forwarding-url value http://192.168.18.21/certsrv/mscep/mscep.dll

I'm using both AnyConnect client 4.3.x and 4.4.x, and while connecting to my VPN profile it gives the error logs below.

[Time Stamp] Certificate Enrollment Initiating - Please wait...
[Time Stamp] Certificate Enrollment Failed.

Please find the attached DART output from the same workstation.

Regards


Rahul Govindan
VIP Alumni

Could you attach your ASA config and client XML profile after removing all sensitive information? I am assuming you are using SCEP proxy, so there are 3 things you need to have:

1) scep enrollment enabled on the tunnel-group with aaa+cert auth.

2) scep-forwarding url on the group-policy

3) certificate request parameters on the client xml (not SCEP=URL)

Find the requested files

Is the profile you provided the right one? It does not seem to have any certificate enrollment parameters. I should see a section similar to this in the XML profile:

<CertificateEnrollment>
    <CertificateImportStore>All</CertificateImportStore>
    <CertificateSCEP>
        <Name_CN>%USER%</Name_CN>
        <Department_OU>Technology</Department_OU>
        <Company_O>Company</Company_O>
        <State_ST>TX</State_ST>
        <Country_C>US</Country_C>
        <City_L>Dallas</City_L>
        <KeySize>2048</KeySize>
    </CertificateSCEP>
</CertificateEnrollment>

Please find the attached profile which is used to download the certificate.

Looks like you have some wrong parameters in the profile.

Invalid CertificateEnrollment CertificateExpirationThreshold="365" specified in profile. Value from 0 to 180 expected.

Try changing the <CertificateExpirationThreshold>365</CertificateExpirationThreshold> value to 180 and test.

Also, run a "debug crypto ca scep-proxy 255" on ASA when cert enrollment happens.
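A small profile checker for the issue raised in this reply, added here as an example and not code from Cisco or from anyone in the thread: it parses the AnyConnect client XML profile and flags a CertificateExpirationThreshold outside the 0 to 180 range the ASA reported, a missing <CertificateEnrollment> block, or a <CertificateSCEP> block without the request parameters. The sample profile is constructed from the fragments quoted above, and treating Name_CN and KeySize as required fields is this example's own assumption.

```python
import xml.etree.ElementTree as ET

THRESHOLD_MAX = 180  # range the ASA accepts for CertificateExpirationThreshold: 0 to 180
# Constructed sample modelled on the fragments quoted in this thread (not the
# poster's real profile); the 365-day threshold is the value the ASA rejected.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <CertificateEnrollment>
    <CertificateExpirationThreshold>365</CertificateExpirationThreshold>
    <CertificateImportStore>All</CertificateImportStore>
    <CertificateSCEP>
      <Name_CN>%USER%</Name_CN>
      <KeySize>2048</KeySize>
    </CertificateSCEP>
  </CertificateEnrollment>
</AnyConnectProfile>
"""

# Fields this example treats as required inside <CertificateSCEP> (an assumption).
REQUIRED_SCEP_FIELDS = ("Name_CN", "KeySize")


def _find(elem, name):
    """First element in the subtree whose local tag matches, ignoring the
    default xmlns that AnyConnect profiles declare on the root element."""
    for node in elem.iter():
        if node.tag.rsplit("}", 1)[-1] == name:
            return node
    return None


def check_enrollment_section(profile_xml: str) -> list:
    """Return the problems found in <CertificateEnrollment>; an empty list
    means the block exists and its threshold is inside the accepted range."""
    enrollment = _find(ET.fromstring(profile_xml), "CertificateEnrollment")
    if enrollment is None:
        return ["no <CertificateEnrollment> section; client will not attempt SCEP enrollment"]
    problems = []
    scep = _find(enrollment, "CertificateSCEP")
    if scep is None:
        problems.append("no <CertificateSCEP> request parameters")
    else:
        for field in REQUIRED_SCEP_FIELDS:
            if _find(scep, field) is None:
                problems.append(f"<CertificateSCEP> is missing <{field}>")
    threshold = _find(enrollment, "CertificateExpirationThreshold")
    if threshold is not None:
        text = (threshold.text or "").strip()
        if not text.isdigit() or int(text) > THRESHOLD_MAX:
            problems.append(f"CertificateExpirationThreshold={text!r} invalid; "
                            f"value from 0 to {THRESHOLD_MAX} expected")
    return problems
```

Run it against the profile exported from the ASA before pushing it to clients; the check is on the profile only and says nothing about the tunnel-group or group-policy side of the SCEP proxy setup.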

I tried to change it and enabled the debug as well; I didn't get any debug logs, and it still fails to download the certificate.

dpfra/sec/act# debug crypto ca scep-proxy 255

Did you change it on the ASA or the client? This should be changed on the ASA so that the profile gets updated during connection. If you made the change on the ASA, can you try again and get the DART logs after a failed connection?