Cisco IOS CA - Certificate enrolment from router to itself fails

cosmostech
Level 1

Hello,

 

Recently I wanted to do an implementation of IKEv2 on a Cisco ISR 4200 model. So the first thing I wanted to do was to create a CA on the IOS router and send an enrollment to itself to get a certificate for my router.

 

I successfully sent the enrollment, but in spite of the fact that I have enabled "grant auto" in my configuration, I see the certificate is in "pending" state, and in my CA requests I do not see any requests having come in.

 

I tried a simple configuration of the CA server:

crypto pki server CANew
no database archive
grant auto
hash sha256
lifetime certificate 7305
lifetime ca-certificate 7305 23 59

 

and I have created a trustpoint:

crypto pki trustpoint myrouter8
enrollment url http://X.X.X.X:80
fqdn X.X.X.X
ip-address X.X.X.X
subject-name CN=X.X.X.X,OU=IT
revocation-check none
rsakeypair router
hash sha256
eku request server-auth client-auth

 

When I tried to debug the PKI communication, I received the following errors:

 

Apr 22 15:19:15.362: CRYPTO_PKI: Retry 2
Apr 22 15:19:30.362: CRYPTO_PKI: Retry 3
Apr 22 15:19:45.363: CRYPTO_PKI: Retry 4
Apr 22 15:20:00.406: CRYPTO_PKI: Retry 5
Apr 22 15:20:15.406: CRYPTO_PKI: Retry 6
Apr 22 15:20:30.406: %PKI-3-SOCKETSELECT: Failed to select the socket.
Apr 22 15:20:30.407: CRYPTO_PKI: unlocked trustpoint myrouter8, refcount is 0
Apr 22 15:20:30.407: CRYPTO_PKI: status = 65535: failed to send out the pki message
Apr 22 15:20:30.407: CRYPTO_PKI: status = 1: fail to send out pkcsreq
Apr 22 15:20:30.407: PKI:get_cert myrouter8 0x4 (expired=0) FAILED
Apr 22 15:20:30.407: CRYPTO_PKI : connect retry node already present for myrouter8
Apr 22 15:20:30.407: CRYPTO_PKI: Starting retry timer of 1 minutes for trust_point myrouter8, attempt : 21
Apr 22 15:20:39.033: %CRYPTO-4-IKMP_NO_SA: IKE message from 79.129.7.99 has no SA and is not an initialization offer
Apr 22 15:21:30.407: PKI:get_cert myrouter8 0x4 (expired=0) FAILED
Apr 22 15:21:30.407: CRYPTO_PKI: locked trustpoint myrouter8, refcount is 1
Apr 22 15:21:30.407: CRYPTO_PKI: http connection opened
Apr 22 15:21:30.408: CRYPTO_PKI: Sending HTTP message

Apr 22 15:31:30.472: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
Host: X.X.X.X

 

Does anyone know if this is a bug or if there is anything wrong with my configuration? Thank you!

 

4 Replies

Hi,
I assume you have "ip http server" enabled on the router that acts as the CA?

I think "ip http-server" is already enabled; otherwise you can configure this config:

 

crypto pki server CANew
no database archive
grant auto
hash sha256
lifetime certificate 7305
lifetime ca-certificate 7305 23 59

 

unless cosmostech forgot to put "no shutdown":

 

crypto pki server CANew
no database archive
grant auto
hash sha256
lifetime certificate 7305
lifetime ca-certificate 7305 23 59
no shutdown

Please do not forget to rate.

I have the command "no shut", and I verified that the state of my Cisco IOS CA server is not disabled. That is why, when I want to enroll a trustpoint, the procedure starts and I reach the point where I am asked to say yes to "Request Certificate from CA". After that point I do not get any certificate. In addition, I can see that the certificate status of my trustpoint is "pending", but I could not see any certificate requests come in at the CA. Even if they came, in my configuration I have the "grant auto" command.

 

Normally I should have received a response "* %PKI-6-CERTRET: Certificate received from Certificate Authority" after the "Request Certificate from CA" prompt, which I do not get. From the debugs, clearly something is wrong.

I have enabled the http service.
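As an added diagnostic aid (not from this thread or from Cisco), here is a small Python parser that reduces "debug crypto pki" output like the lines quoted in the question to the few facts that show whether the SCEP enrollment ever got a reply, and maps them to the checks the replies raise (HTTP listener, reachability of the enrollment URL). The sample lines are constructed in the shape of those in the post, and the message strings matched are the ones visible there.

```python
import re

# Constructed sample in the shape of the debug lines quoted in the question
# (trustpoint name, timestamps and messages copied from them).
SAMPLE_DEBUG = """\
Apr 22 15:19:15.362: CRYPTO_PKI: Retry 2
Apr 22 15:20:30.406: %PKI-3-SOCKETSELECT: Failed to select the socket.
Apr 22 15:20:30.407: CRYPTO_PKI: status = 65535: failed to send out the pki message
Apr 22 15:20:30.407: CRYPTO_PKI: Starting retry timer of 1 minutes for trust_point myrouter8, attempt : 21
Apr 22 15:21:30.408: CRYPTO_PKI: Sending HTTP message
Apr 22 15:31:30.472: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
Host: X.X.X.X
"""

RE_TIMER = re.compile(r"retry timer of \d+ minutes for trust_point (\S+), attempt : (\d+)")
RE_STATUS = re.compile(r"^HTTP/\d\.\d \d{3}")  # shape of a complete HTTP status line

def summarize_pki_debug(text: str) -> dict:
    # Reduce a capture to the facts that decide whether enrollment got anywhere.
    s = {"trustpoint": None, "send_failures": 0, "last_attempt": None,
         "cert_received": False, "reply_status_line": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "%PKI-3-SOCKETSELECT" in line or "failed to send out the pki message" in line:
            s["send_failures"] += 1
        if m := RE_TIMER.search(line):
            s["trustpoint"], s["last_attempt"] = m.group(1), int(m.group(2))
        if "%PKI-6-CERTRET" in line:  # the message the poster expected to see
            s["cert_received"] = True
        if "Reply HTTP header:" in line and i + 1 < len(lines):
            s["reply_status_line"] = lines[i + 1].strip()  # header text is on the next line
    return s

def diagnose(s: dict) -> list:
    # Turn the summary into the checks to run before suspecting an IOS bug.
    if s["cert_received"]:
        return ["certificate received: enrollment completed"]
    findings = []
    if s["send_failures"]:
        findings.append("request could not be sent: verify the HTTP listener (ip http server) "
                        "and reachability of the enrollment url from the trustpoint")
    line = s["reply_status_line"]
    if line is not None and not RE_STATUS.match(line):
        findings.append(f"reply header {line!r} carries no status code: no SCEP response was parsed")
    if s["last_attempt"] is not None:
        findings.append(f"{s['trustpoint']} still retrying (attempt {s['last_attempt']}), "
                        "no %PKI-6-CERTRET seen")
    return findings
```

Feed it the full debug capture rather than the excerpt; an enrollment that succeeded shows up as the single "certificate received" finding.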