04-22-2020 08:36 AM
Hello,
Recently I wanted to do an implementation of IKEv2 on a Cisco ISR 4200 model. So the first thing I wanted to do was to create a CA in the IOS router and send an enrollment to itself to get a certificate for my router.
I successfully sent the enrollment, but in spite of the fact that I have enabled "grant auto" in my configuration I see the certificate is in "pending" state, and at my CA requests I do not see any requests to have come.
I tried a simple configuration of the CA server:
crypto pki server CANew
no database archive
grant auto
hash sha256
lifetime certificate 7305
lifetime ca-certificate 7305 23 59
and I have created a trustpoint:
crypto pki trustpoint myrouter8
enrollment url http://X.X.X.X:80
fqdn X.X.X.X
ip-address X.X.X.X
subject-name CN=X.X.X.X,OU=IT
revocation-check none
rsakeypair router
hash sha256
eku request server-auth client-auth
When I tried to debug the PKI communication I received the following errors:
Apr 22 15:19:15.362: CRYPTO_PKI: Retry 2
Apr 22 15:19:30.362: CRYPTO_PKI: Retry 3
Apr 22 15:19:45.363: CRYPTO_PKI: Retry 4
Apr 22 15:20:00.406: CRYPTO_PKI: Retry 5
Apr 22 15:20:15.406: CRYPTO_PKI: Retry 6
Apr 22 15:20:30.406: %PKI-3-SOCKETSELECT: Failed to select the socket.
Apr 22 15:20:30.407: CRYPTO_PKI: unlocked trustpoint myrouter8, refcount is 0
Apr 22 15:20:30.407: CRYPTO_PKI: status = 65535: failed to send out the pki message
Apr 22 15:20:30.407: CRYPTO_PKI: status = 1: fail to send out pkcsreq
Apr 22 15:20:30.407: PKI:get_cert myrouter8 0x4 (expired=0) FAILED
Apr 22 15:20:30.407: CRYPTO_PKI : connect retry node already present for myrouter8
Apr 22 15:20:30.407: CRYPTO_PKI: Starting retry timer of 1 minutes for trust_point myrouter8, attempt : 21
Apr 22 15:20:39.033: %CRYPTO-4-IKMP_NO_SA: IKE message from 79.129.7.99 has no SA and is not an initialization offer
Apr 22 15:21:30.407: PKI:get_cert myrouter8 0x4 (expired=0) FAILED
Apr 22 15:21:30.407: CRYPTO_PKI: locked trustpoint myrouter8, refcount is 1
Apr 22 15:21:30.407: CRYPTO_PKI: http connection opened
Apr 22 15:21:30.408: CRYPTO_PKI: Sending HTTP message
Apr 22 15:31:30.472: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
Host: X.X.X.X
Does anyone know if this is a bug or if there is anything wrong with my configuration? Thank you!
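When reading a debug dump like the one above, it helps to separate two questions: did the router's SCEP request ever leave the box (transport), or did it reach the CA and simply not get answered (pending on the CA side)? The following is an added example, not part of the thread, that parses the debug lines posted above and answers that question automatically. The sample input is constructed from the lines in the post plus one hypothetical %PKI-6-CERTRET success line; the regexes and the "transport"/"awaiting-ca" labels are assumptions of this example, not IOS output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the CRYPTO_PKI debug lines pasted in the post above.
SAMPLE_DEBUG = """\
Apr 22 15:19:15.362: CRYPTO_PKI: Retry 2
Apr 22 15:19:30.362: CRYPTO_PKI: Retry 3
Apr 22 15:19:45.363: CRYPTO_PKI: Retry 4
Apr 22 15:20:30.406: %PKI-3-SOCKETSELECT: Failed to select the socket.
Apr 22 15:20:30.407: CRYPTO_PKI: status = 65535: failed to send out the pki message
Apr 22 15:20:30.407: CRYPTO_PKI: status = 1: fail to send out pkcsreq
Apr 22 15:20:30.407: PKI:get_cert myrouter8 0x4 (expired=0) FAILED
Apr 22 15:20:30.407: CRYPTO_PKI: Starting retry timer of 1 minutes for trust_point myrouter8, attempt : 21
Apr 22 15:20:39.033: %CRYPTO-4-IKMP_NO_SA: IKE message from 79.129.7.99 has no SA and is not an initialization offer
Apr 22 15:21:30.407: CRYPTO_PKI: http connection opened
Apr 22 15:21:30.408: CRYPTO_PKI: Sending HTTP message
"""

# Hypothetical success line, in the form the original poster says they expected.
SAMPLE_SUCCESS = "Apr 22 15:22:00.000: %PKI-6-CERTRET: Certificate received from Certificate Authority\n"

RETRY_RE = re.compile(r"CRYPTO_PKI: Retry (\d+)")
STATUS_RE = re.compile(r"CRYPTO_PKI: status = (\d+): (.+)$")
SYSLOG_RE = re.compile(r"%(PKI|CRYPTO)-(\d)-([A-Z_]+): (.+)$")
ATTEMPT_RE = re.compile(r"trust_point (\S+), attempt : (\d+)")
GETCERT_RE = re.compile(r"PKI:get_cert (\S+) .*FAILED")


@dataclass
class EnrollmentSummary:
    trustpoint: Optional[str] = None
    retries: int = 0                       # number of "Retry N" lines seen
    last_attempt: Optional[int] = None     # value from "attempt : N"
    errors: List[str] = field(default_factory=list)   # syslog lines of severity 0-4
    statuses: List[Tuple[int, str]] = field(default_factory=list)
    http_opened: bool = False              # the router got a TCP connection to the CA URL
    cert_received: bool = False            # %PKI-6-CERTRET seen


def parse_pki_debug(text: str) -> EnrollmentSummary:
    """Walk the debug output line by line and collect the facts that matter for triage."""
    s = EnrollmentSummary()
    for line in text.splitlines():
        if RETRY_RE.search(line):
            s.retries += 1
        elif m := STATUS_RE.search(line):
            s.statuses.append((int(m.group(1)), m.group(2).strip()))
        elif m := SYSLOG_RE.search(line):
            facility, sev, mnemonic, msg = m.groups()
            if mnemonic == "CERTRET":
                s.cert_received = True
            elif int(sev) <= 4:
                s.errors.append(f"{facility}-{sev}-{mnemonic}: {msg}")
        elif m := ATTEMPT_RE.search(line):
            s.trustpoint = m.group(1)
            s.last_attempt = int(m.group(2))
        elif m := GETCERT_RE.search(line):
            s.trustpoint = s.trustpoint or m.group(1)
        elif "http connection opened" in line:
            s.http_opened = True
    return s


def diagnose(s: EnrollmentSummary) -> str:
    """Classify the enrollment attempt: enrolled, transport, awaiting-ca or unknown (labels are this example's)."""
    if s.cert_received:
        return "enrolled"
    # A socket-select failure or status 65535 means the request never made it onto the wire,
    # so the CA's "grant auto" setting cannot be the cause: look at reachability of the
    # enrollment URL (the router's own HTTP server here) first.
    if any("SOCKETSELECT" in e for e in s.errors) or any(code == 65535 for code, _ in s.statuses):
        return "transport"
    if s.http_opened:
        return "awaiting-ca"   # request left the router; inspect the CA's request queue
    return "unknown"


if __name__ == "__main__":
    summary = parse_pki_debug(SAMPLE_DEBUG)
    print(summary)
    print("diagnosis:", diagnose(summary))
```

Run against the posted output the parser reports trustpoint myrouter8, three retries, attempt 21, two low-severity syslog messages and a "transport" diagnosis; the unrelated %CRYPTO-4-IKMP_NO_SA line is kept in the error list so it is not silently dropped, but it does not influence the classification.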
04-22-2020 08:57 AM
04-22-2020 12:31 PM - edited 04-22-2020 12:32 PM
I think "ip http-server" is already enabled; otherwise you can configure this config:
crypto pki server CANew
no database archive
grant auto
hash sha256
lifetime certificate 7305
lifetime ca-certificate 7305 23 59
unless cosmotech forgot to put no shutdown:
crypto pki server CANew
no database archive
grant auto
hash sha256
lifetime certificate 7305
lifetime ca-certificate 7305 23 59
no shutdown
04-22-2020 02:36 PM
I have the command "no shut", and I verified that the state of my Cisco IOS CA server is not disabled. That is why when I want to enroll a trustpoint the procedure starts and I reach the point where I am asked to say yes to "Request Certificate from CA". After that point I do not get any certificate. In addition I can see that the certificate status of my trustpoint is "pending", but I could not see any certificate requests come to the CA. Even if they come, in my configuration I have the "grant auto" command.
Normally I should have received a response "%PKI-6-CERTRET: Certificate received from Certificate Authority" after the "Request Certificate from CA", which I do not get. From the debugs clearly something is wrong.
04-22-2020 02:26 PM
I have enabled the http service.