Certificate enrollment / SCEP issue

Mar 23rd, 2010
I have the following issue.

I have a site-to-site vpn working right now with pre-shared keys. I want to do it now by using certificates.

I have a Microsoft Windows Server 2008 Enterprise and have the CA already installed and everything configured at the server (I think...)

When I go to the ASA and try to get the certificate from the CA via SCEP and this link: http://x.x.x.x/certsrv/mscep/mscep.dll

I get the following error:

Error in receiving certificate from the Certificate Authority.

I can get to the server fine from the ASA and pings work just fine...

Please help! Thanks!

Todd Pula Tue, 03/23/2010 - 14:55

You may want to check to see if an enrollment password is required.  The default installation of Server 2008 NDES will default to requiring an OTP for each enrollment request.  The URL to access this interface is usually http://[Server IP]/CertSrv/mscep_admin.  You will then include the SCEP Challenge Password when defining and enrolling the trustpoint.

allan.castro Tue, 03/23/2010 - 14:58

Ok you are right.

I am accessing the ASA via the ASDM. On the host that I am using to connect to the ASDM I opened up a web browser and I am able to go to the link:


and get the:

  • The thumbprint (hash value) for the CA certificate
  • enrollment challenge password

Now that I have this info where do I put this on to?

Todd Pula Wed, 03/24/2010 - 07:13

In ASDM 6.x, you will enter the challenge password during the initial configuration of the trustpoint.  Go to Configuration->Remote Access VPN->Certificate Management->Identity Certificates.  Click Add to configure a new trustpoint and select the "Add a new identity certificate" option. Under advanced, there will be three tabs.  The "Enrollment Mode" tab is where you enter the SCEP URL and the "SCEP Challenge Password" tab is where you enter the OTP.
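For reference, this is the ASA CLI equivalent of the ASDM "Enrollment Mode" and "SCEP Challenge Password" steps above. It is an added example, not configuration from this thread; the trustpoint name, key label, FQDN and the CA address are placeholders.

```cisco
! Added example: ASA CLI equivalent of the ASDM trustpoint wizard.
! NDES-CA, ASA-SCEP-KEY, asa1.ccielab.com and x.x.x.x are placeholders.
crypto key generate rsa label ASA-SCEP-KEY modulus 2048
!
crypto ca trustpoint NDES-CA
 enrollment url http://x.x.x.x/certsrv/mscep/mscep.dll
 enrollment retry period 5
 enrollment retry count 3
 keypair ASA-SCEP-KEY
 fqdn asa1.ccielab.com
 subject-name CN=asa1.ccielab.com
 ! The CRL distribution point in the issued certificates must be reachable
 ! from the ASA, otherwise peer certificates fail validation.
 revocation-check crl
!
! Step 1: fetch the CA certificate. The ASA prints the certificate
! fingerprint and asks you to accept it; accept only if it matches the
! thumbprint (hash value) shown on http://x.x.x.x/CertSrv/mscep_admin.
crypto ca authenticate NDES-CA
!
! Step 2: request the identity certificate. At the password prompt, enter
! the one-time enrollment challenge password from mscep_admin (each
! challenge is valid for a single request).
crypto ca enroll NDES-CA
!
! Confirm the identity certificate was issued by the expected CA.
show crypto ca certificates NDES-CA
```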

allan.castro Thu, 03/25/2010 - 16:32

OK - forget the Windows 2008 server... I am not using that anymore...

I took an IOS router and configured it to be the CA server, which works just fine. I was able to get the CA certs, have 2 ASAs enroll with it, and get the site-to-site up and running with certificates!

Now I am trying to do the same thing but via a Remote access VPN.

The problem that I have is that I have no idea how to get the CA certificate from the client PC where the VPN client is installed. Any ideas?

Here is the config:

ip domain name ccielab.com
!
crypto pki server cakey
 issuer-name CN=caserver.com L=TST C=US
 lifetime crl 24
 lifetime certificate 200
 lifetime ca-certificate 365
!
crypto pki trustpoint cakey
 revocation-check crl
 rsakeypair cakey
