How to set up SCEP through HTTPS?

Unanswered Question
Jul 30th, 2008

I noticed that the "enrollment url" command supports "https" and tried to test it. I have already enabled SSL support on my CA server (Win2003 server). My IOS configuration is:

2691_5(config)#crypto pki trustpoint pcserver
2691_5(ca-trustpoint)#show
enrollment mode ra
enrollment url https://hans-stress/certsrv/mscep/mscep.dll
ip-address 172.18.7.115
revocation-check crl
end

Then, when I run the "crypto pki authenticate pcserver" command, I get the problem below:

2691_5(config)#crypto pki authenticate pcserver
% Error: failed to open file.
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
2691_5(config)#
Jul 30 14:00:09.909: CRYPTO_PKI: Can't find encryption certificate for trustpoint (pcserver)
Jul 30 14:00:09.913: CRYPTO_PKI: unlocked trustpoint pcserver, refcount is 0
Jul 30 14:00:09.973: CRYPTO_PKI: Adding peer certificate
Jul 30 14:00:10.013: CRYPTO_PKI: Added x509 peer certificate - (1419) bytes
Jul 30 14:00:10.013: CRYPTO_PKI: validation path has 1 certs
Jul 30 14:00:10.013: CRYPTO_PKI: Check for identical certs
Jul 30 14:00:10.013: CRYPTO_PKI: Create a list of suitable trustpoints
Jul 30 14:00:10.013: CRYPTO_PKI: Unable to locate cert record by issuername
Jul 30 14:00:10.013: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
Jul 30 14:00:10.013: CRYPTO_PKI: No suitable trustpoints found
Jul 30 14:00:10.013: CRYPTO_PKI: Certificate validation failed
Jul 30 14:00:10.013: CRYPTO_PKI: unlocked trustpoint pcserver, refcount is 0
Jul 30 14:03:56.045: crypto_engine: Generate public/private keypair

I'm thinking that's because IOS needs to verify the server's certificate first but fails. How can I set up IOS to not validate the server's certificate for now? Or have I missed some other configuration?

Thanks a lot.
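An added example (not from the original post) that triages the debug output above: it folds the CRYPTO_PKI lines into a summary and reports the root cause the log points to, a peer certificate whose issuer is held by no trustpoint. The sample log is the poster's output; the field names and the wording of the diagnosis are this example's own.

```python
# Added example, not from the original post: triage Cisco IOS "debug crypto pki"
# output. SAMPLE_LOG is the poster's debug lines; field names are this example's own.
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
Jul 30 14:00:09.909: CRYPTO_PKI: Can't find encryption certificate for trustpoint (pcserver)
Jul 30 14:00:09.913: CRYPTO_PKI: unlocked trustpoint pcserver, refcount is 0
Jul 30 14:00:09.973: CRYPTO_PKI: Adding peer certificate
Jul 30 14:00:10.013: CRYPTO_PKI: Added x509 peer certificate - (1419) bytes
Jul 30 14:00:10.013: CRYPTO_PKI: validation path has 1 certs
Jul 30 14:00:10.013: CRYPTO_PKI: Check for identical certs
Jul 30 14:00:10.013: CRYPTO_PKI: Create a list of suitable trustpoints
Jul 30 14:00:10.013: CRYPTO_PKI: Unable to locate cert record by issuername
Jul 30 14:00:10.013: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
Jul 30 14:00:10.013: CRYPTO_PKI: No suitable trustpoints found
Jul 30 14:00:10.013: CRYPTO_PKI: Certificate validation failed
"""

# Timestamp, then the CRYPTO_PKI subsystem tag, then the free-text message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): CRYPTO_PKI: (?P<msg>.*)$")

@dataclass
class PkiValidation:
    peer_cert_bytes: int = 0           # size of the certificate the peer presented
    path_length: int = 0               # certs in the chain IOS could build
    issuer_in_trustpoint: bool = True  # cleared when IOS finds no issuer match
    failed: bool = False

def parse_crypto_pki(log: str) -> PkiValidation:
    # Fold one run of CRYPTO_PKI debug lines into a validation summary.
    v = PkiValidation()
    for line in log.splitlines():
        if not (m := LINE_RE.match(line)):
            continue  # other debug output (e.g. crypto_engine lines)
        msg = m.group("msg")
        if b := re.search(r"peer certificate - \((\d+)\) bytes", msg):
            v.peer_cert_bytes = int(b.group(1))
        if p := re.search(r"validation path has (\d+) certs", msg):
            v.path_length = int(p.group(1))
        if msg in ("Unable to locate cert record by issuername", "No suitable trustpoints found"):
            v.issuer_in_trustpoint = False
        if msg == "Certificate validation failed":
            v.failed = True
    return v

def diagnose(v: PkiValidation) -> str:
    # Map the summary to an operator-facing root cause.
    if not v.failed:
        return "validation succeeded"
    if v.path_length == 1 and not v.issuer_in_trustpoint:
        return "untrusted issuer: peer sent one certificate and no trustpoint holds its CA"
    return "validation failed for another reason; inspect the full debug output"
```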

smahbub Tue, 08/05/2008 - 14:50

To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command. Routers with dynamically addressed public addresses are not recommended to run Web VPN clients.

hansyin Tue, 08/05/2008 - 14:54

Thanks. I'm just using the "enrollment url" command. The problem is that I want to use an "https" URL instead of an "http" URL. If I use an "https" URL, I have to tell IOS to accept the peer's certificate first, but I don't know how to do it.
