Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Please help with PKI certificate enrollment with Netconfig job on LMS

Hello folks,

We need to automate the process of enrollment into a CA and getting a certificate on about a hundred routers and of course thinking about using a Netconfig job on LMS. As you may know there are two steps in this process, first - authentication to CA and second - enrollment

The first part works OK, namely, the script in the job has two lines and they nicely work:

crypto pki authentication IOS-CA


But when we need to send the enrollment command this is where the job fails. I believe the problem is the password challenge

Here's how the authentication and enrollment processes are sent from CLI

Store999_LAB(config)#crypto pki authen IOS-CA

Certificate has the following attributes:

Fingerprint MD5: E7AE873E 55F45430 DD87677F A37DA62E

Fingerprint SHA1: 4CF8B18B 4AF57D97 8E6B7FAA 9F72AEFA 5F18EE10

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Store999_LAB(config)#crypto pki enroll IOS-CA

% % Start certificate enrollment ..  %

Create a challenge password. You will need to verbally provide this    password to the CA Administrator in order to revoke your certificate.    For security reasons your password will not be saved in the configuration.    Please make a note of it.


Re-enter password:

% The subject name in the certificate will include: CN=Store999_LAB,ou=Stores,o=Keg

% The subject name in the certificate will include:

% Include an IP address in the subject name? [no]: no

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose IOS-CA' command will show the fingerprint.

So I'd say the job fails on the password step. Any idea how to properly script it ?

Cisco Employee

Re: Please help with PKI certificate enrollment with Netconfig j

What you are asking is possible. For those commands which needs input in IOS, NetConfig has Interactive commands.

An interactive command is the input you will have to enter, following the execution of a command.

For example, on a Catalyst device, a clear counters command on a cat 5000 device will give the following output:

c5000# (enable) clear counters.

This command will reset all MAC and port counters reported in CLI and SNMP. Do you want to continue (y/n) [n]?

In LMS, such commands can be included in config jobs executed via NetConfig

For this it will be configured as :

clear counters Y

tag is case-sensitive and this must be entered in uppercase only.

You can have multiple inputs. Syntax of Interactive Netconfig Job is :

CLI Commandcommand response 1 command response 2

For more details check document here :



"Encourage contributors. RATE responses"

-Thanks Vinod **Rating Encourages contributors, and its really free. **
New Member

Re: Please help with PKI certificate enrollment with Netconfig j

Hello Vinod,

Appreciate your time and input. You are giving me classical examples from Cisco documentation and I have to say that I already studied them as a reference. None of them show an example how to script responses for password challenges though and this is the part that doesn't work. All responses for interactive commands requiring answers "y" or "n" work perfectly to me. This is what I tried to send in the script:

crypto pki enrol IOS-CA123456123456

Below are the printscreens from RME job details, they clearly show that the authentication part with an interactive command works as a charm, even though it fails on password section where the router believes that password was "null"

crypto pki authentication - success.JPG   

crypto pki authentication - success 2.JPG

crypto pki enroll - failure.JPG

crypto pki enroll - failure 2.JPG