Configuring Auto-enrollment on a router

jorjes1984
Level 1

Hi

I configured a digital certificate on a router using a CA server for authentication.

Here is the policy configuration:

crypto ca trustpoint branch-Cert
 enrollment mode ra
 enrollment url http://192.168.1.1:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 crl optional

So what I need to do now is to configure auto-enrollment.

I did my research and found that the only missing command is the auto-enroll [percent] [regenerate].

The issue is that the first time I did the "cr ca enroll ..." I had to enter a password that was generated from the CA server, and it worked properly, but it was done manually.

But when the certificate expires and the automatic enrollment takes place, will a new password be required?

And if yes, how will it be entered automatically?

Regards,

5 Replies

Ivan Martinon
Level 7

Typically the password that the CA gives you is dynamic and has a lifetime of, I believe, around 5 minutes; in this case you would need to enter the password manually once the router is about to re-enroll itself to the CA. In the case where the CA generates a password which never changes, I believe you have the option on the trustpoint to define the password you would like to use.

Hi again

The password generated by the CA server is exactly as you said; its lifetime is 5 minutes.

So how can I make the router auto-enroll without any manual intervention?

Can we change the settings in the CA server password generation so it would never change?

That I am not sure. I know you can change it to avoid using a password, but I am not sure if it will keep the same password over and over. At this point I believe your options are either to enter the password every time (not automatic) or to disable the password on the CA (enrollment automatic).

Hi

Do you know how to disable the password on the CA (enrollment automatic)?

Regards

You need to access your MS CA certificates console via Administrative Tools > CA; in there you need to right-click your CA certificate and select Properties. From here I am not quite sure where exactly you will go, but there is an option for disabling the pass phrase. If this is not like that, then you need to reinstall your CA.
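
The options discussed in this thread, as an added example that is not part of any post above: the trustpoint from the question with the `auto-enroll` command it mentions and a stored challenge password as suggested in the first reply. The 70 percent threshold and the `<challenge-password>` placeholder are assumptions, and the `password` line only helps if the CA accepts a fixed challenge password.

```cisco
! Added example; not configuration posted by the thread's participants.
crypto ca trustpoint branch-Cert
 enrollment mode ra
 enrollment url http://192.168.1.1:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 crl optional
 ! Assumption: request renewal once 70% of the certificate lifetime has
 ! elapsed, and generate a new key pair for the renewed certificate.
 auto-enroll 70 regenerate
 ! Assumption: placeholder for a challenge password the CA keeps accepting.
 ! Omit this line if the CA does not require a challenge password.
 password <challenge-password>
!
! After saving the trustpoint, check the certificate and the renewal timer:
!   show crypto ca certificates
!   show crypto ca timers
```

The challenge password is stored in the router configuration, so saved configs and backups need the same protection as other credentials.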
