Secure Mobility Client Certificate Problem | scep-forwarding-url

ian.mcgowan
Level 1

Hi All,

I am having a problem configuring SCEP for my Secure Mobility client. I have created a connection profile to allow certificate requests, but when I fill in the scep-forwarding-url field I get an error.

The CA we are using is an internal MS CA with SCEP already enabled.  This has been configured for a long time with our current Cisco VPN client using certificate authentication.  The ASA is running 8.4.1.

Here is the error I get when I try to enter the command into the group policy associated with my certificate enrollment connection profile:

group-policy SSLGP attributes
scep-forwarding-url value http://10.1.1.2/certsrv/mscep/mscep.dll
Attempting to retrieve the CA/RA certificate(s) using the URL. Please wait ...
Received 3 CA/RA certificate(s) using the SCEP URL.
NON-RESIDENT CERT: serial: 11111111000100000145, subject: cn=SCEP_ADD_ON,o=OUNIT,c=UK
NON-RESIDENT CERT: serial: 11111111000100000146, subject: cn=SCEP_ADD_ON,o=OUNIT,c=UK
NON-RESIDENT CERT: serial: 11111111478AAB288393FAFf2a3E274, subject: cn=CERTSVR-01
WARNING: Please check if you have all the required certificate(s) in the config to authenticate the certificates that will be issued using this SCEP URL

Can someone explain why this is happening as it will not take the config?

Thanks in advance.

Ian

Accepted Solution

Herbert Baerten
Cisco Employee

Hi Ian,

in case you're still having issues with this (as I see the question is a week old): it seems like the ASA asks you to first create a trustpoint (in your case actually 3 may be required, one for each CA cert) and import the CA cert into it.

hth

Herbert


7 Replies


reymd
Level 1

I am also having the same issue. Anyone able to figure this out?


Hi Reymd, Herbert,

I managed to get this fixed with the assistance of TAC.

The problem is that the steps required to get SCEP proxy are missing from the documentation.  As Herbert suggested above, you must add a trust point for certificates that are failing when you enabled SCEP proxy.  I think this is because the Microsoft CA uses the SCEP add-on as an RA.  I'm not sure if it's required using Cisco router CA.

Now that the trust points are added for the certificates above (I only added the SCEP add-on ones) it works perfectly.

Thanks,

Ian

Hi Ian,

I am having the same problem and I noticed you got resolution through TAC. Could you elaborate on the fix?

Do you have the steps required to create the necessary Trustpoints?

Thanks,

Doug

Hi Doug,

If you create a trustpoint for each SCEP RA certificate it rejects and then enroll them manually via the terminal that should do the trick.  I exported the certificates from Microsoft CA first to base64 format and then opened them in notepad to import them.

Thanks,

Ian
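To make Herbert's suggestion and Ian's fix concrete, here is an added example of the ASA CLI steps involved; it is not configuration taken from the thread. The trustpoint names SCEP-RA-1 and SCEP-RA-2 are assumed, the group policy and URL are Ian's, and the certificate bodies are placeholders for the base64 (PEM) export from the Microsoft CA:

```text
! One trustpoint per CA/RA certificate the ASA listed as NON-RESIDENT.
! Ian only needed the two SCEP_ADD_ON (RA) certificates; the names below are assumed.
crypto ca trustpoint SCEP-RA-1
 enrollment terminal
 revocation-check none
 exit
!
! Paste the base64 export of the first RA certificate, then type "quit".
! The ASA prints the fingerprint and asks whether to accept the certificate.
crypto ca authenticate SCEP-RA-1
-----BEGIN CERTIFICATE-----
<placeholder: base64 body of cn=SCEP_ADD_ON,o=OUNIT,c=UK, serial ...145>
-----END CERTIFICATE-----
quit
!
! Repeat for the second RA certificate (serial ...146).
crypto ca trustpoint SCEP-RA-2
 enrollment terminal
 revocation-check none
 exit
crypto ca authenticate SCEP-RA-2
-----BEGIN CERTIFICATE-----
<placeholder: base64 body of cn=SCEP_ADD_ON,o=OUNIT,c=UK, serial ...146>
-----END CERTIFICATE-----
quit
!
! With the RA certificates resident, the forwarding URL is accepted.
group-policy SSLGP attributes
 scep-forwarding-url value http://10.1.1.2/certsrv/mscep/mscep.dll
!
! Verify that the imported certificates now show up.
show crypto ca certificates
```

Before answering "yes" to the accept prompt, compare the fingerprint the ASA prints against the certificate's thumbprint in the Microsoft CA console; the ASA will trust whatever is pasted here, so this is the one point where a wrong or substituted certificate would be caught.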

Ian:

I'm a rookie working on CA. I did the installation on a 2003 server and I checked that the SCEP server is reachable; in fact, if I enter the SCEP URL I get a message regarding the thumbprint and password. I got the same message regarding the additional trustpoints, but in my environment I have only one CA server. I notice by the certificate serial that the certificates generated on the CA are numbered as 2 and 3 respectively, but I have three questions.

1.- I checked if the certificates could be exported as a .cer file, but I only have two options, .dat or text, and I don't know how to import the text because the format looks different from the text chains we use to generate the trustpoints.

2.- Because my config was not working, I erased the ASA config and gave a different hostname to the ASA; in fact, I created an identity certificate with this name. Do I need to return to the original hostname?

3.- Did TAC give you additional information on how to deal with the CA server?

mors105
Level 1

All, I have resolved this issue myself. I've got to say, without raising a TAC case, Cisco's support on this issue is really poor. The support in this forum looks to be hit and miss at the very best, and there is no Cisco documentation on how to complete this process even though it's one of their 'major products' and it's included in their examination criteria.

No one should be able to complete this with the current Cisco documentation, no one. If you're using a 2008 server with NDES and trying to use proxy SCEP, then this solution and guidance from Cisco is completely undoable.

If you need help with this error contact me directly as you're not going to get help from Cisco on it without a TAC.

Regards

Mark