how to setup scep through https?

Jul 30th, 2008

I noticed that the "enrollment url" command supports "https" and then tried to test it. I have already enabled SSL support on my CA server (Windows 2003 server). My IOS configuration is:

2691_5(config)#crypto pki trustpoint pcserver
enrollment mode ra
enrollment url https://hans-stress/certsrv/mscep/mscep.dll
revocation-check crl


And then when I run the "crypto pki authenticate pcserver" command, I get the problem below:

2691_5(config)#crypto pki authenticate pcserver
% Error: failed to open file.
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

Jul 30 14:00:09.909: CRYPTO_PKI: Can't find encryption certificate for trustpoint (pcserver)
Jul 30 14:00:09.913: CRYPTO_PKI: unlocked trustpoint pcserver, refcount is 0
Jul 30 14:00:09.973: CRYPTO_PKI: Adding peer certificate
Jul 30 14:00:10.013: CRYPTO_PKI: Added x509 peer certificate - (1419) bytes
Jul 30 14:00:10.013: CRYPTO_PKI: validation path has 1 certs
Jul 30 14:00:10.013: CRYPTO_PKI: Check for identical certs
Jul 30 14:00:10.013: CRYPTO_PKI: Create a list of suitable trustpoints
Jul 30 14:00:10.013: CRYPTO_PKI: Unable to locate cert record by issuername
Jul 30 14:00:10.013: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
Jul 30 14:00:10.013: CRYPTO_PKI: No suitable trustpoints found
Jul 30 14:00:10.013: CRYPTO_PKI: Certificate validation failed
Jul 30 14:00:10.013: CRYPTO_PKI: unlocked trustpoint pcserver, refcount is 0
Jul 30 14:03:56.045: crypto_engine: Generate public/private keypair

I'm thinking that's because IOS needs to verify the server's certificate first but fails. How can I set up IOS to not validate the server's certificate at this time? Or did I miss some other configuration?

Thanks a lot.

smahbub Tue, 08/05/2008 - 14:50
To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.

Routers with dynamically addressed public addresses are not recommended to run Web VPN clients.

hansyin Tue, 08/05/2008 - 14:54
Thanks. I'm just using the "enrollment url" command. The problem is that I want to use an "https url" instead of an "http url". If using an "https url", I have to tell IOS to accept the peer's certificate first, but I don't know how to do it.
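The debug output in the question ("No trust point for cert issuer", "No suitable trustpoints found") says IOS has no trustpoint holding the CA that issued the HTTPS server's SSL certificate, so the TLS handshake to hans-stress fails before any SCEP request is sent. The configuration below is an added example, not the poster's or Cisco's own answer: it imports that issuing CA certificate out of band into a second trustpoint first, then runs the SCEP trustpoint over https. The trustpoint name https-ca is an assumption; the hostname and URL are those from the post.

```ios
! Added example (not from the thread). Assumes the CA certificate that
! issued the IIS/SSL certificate on hans-stress has been exported from
! the Windows CA as a Base-64 encoded X.509 file.
!
! 1. A trustpoint that only carries the CA certificate of the HTTPS
!    server. "enrollment terminal" means the certificate is pasted in
!    at the console, so no TLS connection is needed to obtain it.
crypto pki trustpoint https-ca
 enrollment terminal
 revocation-check crl
!
! 2. Authenticate it: IOS prompts for the base64 certificate (paste it,
!    then type "quit"), displays the fingerprint and asks whether to
!    accept it. Compare the fingerprint against the value shown on the
!    CA itself before answering yes; this is the only point at which
!    trust in the CA is established.
crypto pki authenticate https-ca
!
! 3. The SCEP trustpoint from the post. When IOS opens the TLS
!    connection, the server certificate's issuer now matches the
!    https-ca trustpoint, so validation succeeds and the GetCACert
!    request reaches mscep.dll.
crypto pki trustpoint pcserver
 enrollment mode ra
 enrollment url https://hans-stress/certsrv/mscep/mscep.dll
 revocation-check crl
!
crypto pki authenticate pcserver
```

If the same Windows CA issued both the IIS SSL certificate and signs the SCEP enrollments, the certificate pasted into https-ca is the same CA certificate that pcserver later retrieves over SCEP; the manual import only breaks the circular dependency of needing TLS to fetch the certificate that TLS itself requires.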