I have been trying in vain to assign a certificate that I got from my Windows-based PKI to be used by the HTTPS server built into IOS routers. I'm doing this because I'm tired of the self-signed certificates that are currently there and since I have a PKI already, I might as well use it (self-signed certificates are also giving me grief with my MARS box, but that isn't directly related to this).
So, I followed Cisco's doc for configuring IOS to request a certificate from a certificate server using SCEP. Everything goes as expected and I get a certificate on the device. If I leave the self-signed certificate, HTTPS uses it and it works. If I remove the self-signed certificate I can't get into the router using HTTPS. If I blow away the certificate and create a new self-signed certificate, HTTPS works fine.
To do this, I first remove any certificates and keys that are currently in the config using "no crypto pki trustpoint <self-signed definition>" and "crypto key zeroize rsa". Once I finish that I enter in the following:
crypto pki trustpoint certtest
enrollment url http://caserver.ca/certsrv/mscep/mscep.dll
auto-enroll 90 regenerate
password <one time password retrieved earlier from CA server>
crypto pki authenticate certtest
Once I do all this, I accept the CA certificate and a certificate automatically shows up in the router. At this point, SSH works and I think I'm good. Unfortunately HTTPS doesn't work. I've tried using "ip http secure-trustpoint certtest", but it doesn't make a difference.
I'm not sure what else to try. It almost seems that the certificates are not right, but from what I've been able to gather from various "sho crypto pki" and "sho crypto key" commands, the certificates have the appropriate settings. Sure hope that someone else has run into this before...
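For reference, here is the complete sequence as an added example (it is not part of the original post). It reuses the trustpoint name and enrollment URL from the post; the hostname, domain name, RSA key label and subject name are placeholders you would substitute with your own. Two things are spelled out that the post does not show: an explicit "crypto pki enroll" (harmless alongside auto-enroll, and it makes the enrollment step visible), and a disable/re-enable of the secure server after binding the trustpoint, since the HTTPS server picks up its certificate when it starts. The "show" commands at the end are the checks to run before and after the bounce.

```ios
! --- prerequisites: the certificate subject is built from these ---
hostname rtr1
ip domain-name example.internal
! dedicated key pair for the trustpoint (label is an assumption)
crypto key generate rsa general-keys label HTTPS-KEY modulus 2048

! --- trustpoint pointing at the Windows NDES/MSCEP endpoint from the post ---
crypto pki trustpoint certtest
 enrollment url http://caserver.ca/certsrv/mscep/mscep.dll
 subject-name CN=rtr1.example.internal,O=Example
 fqdn rtr1.example.internal
 rsakeypair HTTPS-KEY
 revocation-check none
 auto-enroll 90 regenerate
 password <one-time password from the MSCEP challenge page>
 exit

! --- fetch and accept the CA certificate, then request the router cert ---
crypto pki authenticate certtest
crypto pki enroll certtest

! --- bind the trustpoint to the HTTPS server and restart it ---
ip http secure-trustpoint certtest
no ip http secure-server
ip http secure-server

! --- verification ---
! Should list a CA certificate and a Router "General Purpose" certificate
! under Associated Trustpoints: certtest
show crypto pki certificates certtest
! Should show the key label HTTPS-KEY with a Usage of General Purpose Key
show crypto key mypubkey rsa
! Should report the secure server as enabled with trustpoint certtest
show ip http server secure status
```

If "show ip http server secure status" still reports no trustpoint (or the old self-signed one) after the restart, the binding is the problem rather than the certificate; if it reports certtest but browsers still fail, compare the subject/SAN on the issued certificate with the name you type into the browser, and check that the template used by the MSCEP server issued a certificate the router lists as a "General Purpose" certificate rather than one restricted to a single usage.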