07-30-2008 01:29 PM
I noticed that the "enrollment url" command supports "https" and then tried to test it. I have already enabled SSL support on my CA server (Win2003 server). My IOS configuration is:
2691_5(config)#crypto pki trustpoint pcserver
2691_5(ca-trustpoint)#show
enrollment mode ra
enrollment url https://hans-stress/certsrv/mscep/mscep.dll
ip-address 172.18.7.115
revocation-check crl
end
and then when I run the "crypto pki authenticate pcserver" command, I get the problem below:
2691_5(config)#crypto pki authenticate pcserver
% Error: failed to open file.
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
2691_5(config)#
Jul 30 14:00:09.909: CRYPTO_PKI: Can't find encryption certificate for trustpoint (pcserver)
Jul 30 14:00:09.913: CRYPTO_PKI: unlocked trustpoint pcserver, refcount is 0
Jul 30 14:00:09.973: CRYPTO_PKI: Adding peer certificate
Jul 30 14:00:10.013: CRYPTO_PKI: Added x509 peer certificate - (1419) bytes
Jul 30 14:00:10.013: CRYPTO_PKI: validation path has 1 certs
Jul 30 14:00:10.013: CRYPTO_PKI: Check for identical certs
Jul 30 14:00:10.013: CRYPTO_PKI: Create a list of suitable trustpoints
Jul 30 14:00:10.013: CRYPTO_PKI: Unable to locate cert record by issuername
Jul 30 14:00:10.013: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
Jul 30 14:00:10.013: CRYPTO_PKI: No suitable trustpoints found
Jul 30 14:00:10.013: CRYPTO_PKI: Certificate validation failed
Jul 30 14:00:10.013: CRYPTO_PKI: unlocked trustpoint pcserver, refcount is 0
Jul 30 14:03:56.045: crypto_engine: Generate public/private keypair
I'm thinking that's because IOS needs to verify the server's certificate first but fails. How can I set up IOS to not validate the server's certificate at this time? Or have I missed some other configuration?
Thanks a lot.
08-05-2008 02:50 PM
To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.
Routers with dynamically addressed public addresses are not recommended to run Web VPN clients.
08-05-2008 02:54 PM
Thanks. I'm just using the "enrollment url" command. The problem is that I want to use an "https url" instead of an "http url". If I use an "https url", I have to tell IOS to accept the peer's certificate first, but I don't know how to do it.
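The debug output in the first post shows the router receiving the HTTPS server's certificate (a 1419-byte peer certificate, "validation path has 1 certs") and then failing with "No trust point for cert issuer": the SCEP trustpoint pcserver has not been authenticated yet, so there is no trustpoint holding the CA certificate that issued the web server's certificate, and the TLS connection is rejected before the SCEP exchange can start. One defensible way to resolve this is to give the router the web server's CA certificate out of band, through a separate trustpoint that is authenticated at the terminal, and to point the IOS HTTPS client at that trustpoint rather than disabling server validation. The configuration below is an added example, not from the thread or from Cisco; the trustpoint name websrv-ca is an assumption, and it assumes the IOS release in use supports the enrollment terminal and ip http client secure-trustpoint commands and that the CA certificate in PEM form can be obtained from the CA's certsrv page or exported from the CA.

```cisco
! Added example, not from the original thread. Trustpoint name websrv-ca is an
! assumption; pcserver and the URL are the values from the first post.
!
! 1) A trustpoint that will hold the CA certificate of the HTTPS server,
!    obtained out of band and pasted as PEM at the terminal.
crypto pki trustpoint websrv-ca
 enrollment terminal pem
 revocation-check crl
!
! 2) Paste the CA certificate when prompted, verify the fingerprint it prints
!    against the one shown on the CA itself, then accept it.
crypto pki authenticate websrv-ca
!
! 3) Tell the IOS HTTPS client which trustpoint to validate server
!    certificates against (this is what the https enrollment URL uses).
ip http client secure-trustpoint websrv-ca
!
! 4) The SCEP trustpoint from the post, unchanged; enrollment over https now
!    has a CA to validate the web server's certificate with.
crypto pki trustpoint pcserver
 enrollment mode ra
 enrollment url https://hans-stress/certsrv/mscep/mscep.dll
 ip-address 172.18.7.115
 revocation-check crl
!
! 5) Re-run the CA authentication and enrollment for the SCEP trustpoint.
crypto pki authenticate pcserver
crypto pki enroll pcserver
```

The point of step 2 is that the fingerprint check at the terminal is the only moment the router's trust in the CA is established by a human; after that, every HTTPS connection to the enrollment URL is validated automatically against websrv-ca, so the certificate pasted there should come from the CA directly and not from the connection being debugged. If the CA that issued the web server's certificate is the same CA that pcserver enrolls with, the two trustpoints will hold the same CA certificate, which is harmless.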