We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290, where it keeps giving us an "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
There is no additional information in the VPN client logs where we have set 3-High for all logs.
In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enrol a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrolment dialog
2. Select Online
3. Select <New> for Certificate Authority
4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
5. Click Next to display the dialog where we can enter certificate details
6. Enter details in all fields except IP Address and Domain
7. Click Enroll, which shows a dialog with the Error 42 ... message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64bit machine and attempted the steps listed above.
1. We tried the same version of the client on a Win XP 32bit machine and got the same problem.
2. We tried disabling firewalls and virus scanning software on both clients and got the same problem.
Ok, combine a strong cup of coffee and google, and we have a solution.
It appears that if the Cisco router which runs the CA has the following configuration:
ip domain name x.y.z
then it is mandatory to use the domain name x.y.z as a value for the CA Domain field on the Certificate Enrolment dialog in VPN Client.
Also, use http://
We found this discussion http://ieoc.com/forums/t/12071.aspx and the Cisco IOS Security Configuration Guide Version 12.4T useful when resolving our problem.
FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2691(config)#crypto pki server CERTSERVER
auto Automatically grant incoming SCEP enrollment requests
none Automatically reject any incoming SCEP enrollment request
ra-auto Automatically grant RA-authorized incoming SCEP enrollment request
% The CS config is locked. You need to shut the server off before changing its configuration.
Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
% Certificate Server enabled.
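Putting the thread's two findings together, here is an added example (not from the thread, the VPN client or Cisco) that checks an IOS running-config fragment for both conditions: whether the value the client must put in the CA Domain field matches the router's ip domain name, and whether the CA server block has grant auto. The sample config, the server name CERTSERVER and the domain example.lab are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample running-config (placeholder names, not from the thread);
# 'grant none' is deliberate so the checker has something to report.
SAMPLE_CONFIG = """\
ip domain name example.lab
!
crypto pki server CERTSERVER
 database level minimum
 grant none
!
"""

def parse_ios_config(text: str) -> Dict[str, object]:
    """Pull out the router domain name and each 'crypto pki server' block."""
    domain, servers, current = None, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                       # '!' ends a config block
            continue
        m = re.match(r"ip domain[- ]name (\S+)$", line)   # old/new syntax
        if m:
            domain = m.group(1)
            continue
        m = re.match(r"crypto pki server (\S+)$", line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            servers[current][key] = value        # e.g. 'grant' -> 'none'
    return {"domain": domain, "servers": servers}

def enrolment_findings(cfg: Dict[str, object], client_domain: str) -> List[str]:
    """Report the two mismatches the thread identified as causes of Error 42."""
    findings = []
    if cfg["domain"] is None:
        findings.append("router has no 'ip domain name' configured")
    elif client_domain != cfg["domain"]:
        findings.append(f"client CA Domain '{client_domain}' differs from "
                        f"router domain '{cfg['domain']}'")
    for name, opts in cfg["servers"].items():
        if opts.get("grant") != "auto":
            findings.append(f"server {name}: 'grant auto' not configured "
                            f"(grant is '{opts.get('grant', 'not set')}')")
    return findings
```

Run enrolment_findings(parse_ios_config(SAMPLE_CONFIG), "example.lab") against a copy of show running-config taken from the router; an empty list means neither of the two causes discussed in this thread applies.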