
Secure SRST TLS Socket error

thisisshanky
Level 11

I have set up Secure SRST on a 2821 router. All configs look good so far, except that when I update the SRST reference to Secure SRST and CM tries to update the certificate, I get an error in CM saying TLS Socket error while trying to retrieve the certificate.

Debug credentials on the router shows the following.

CRYPTO_PKI: Can not select private key (BR1.)

Sep 12 17:29:30.843: CRYPTO_OPSSL: Can't find router private key

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
5 Replies

thisisshanky
Level 11

Duh!

I need a stick to beat myself!

I created the CA server and set up the router as a trustpoint. Even authenticated the trustpoint to the CA server. But I forgot to enroll the router to the CA server in order to get the certificate. Did that, and CallManager is able to download the certificate now.

R.T.F.M twice

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hey Sankar,

Maybe you can give me a little help. I am trying to configure secure SRST, but can't find any IOS for the 2811 capable of that feature. I tried "advanced enterprise services 12.4.11T" - it is also missing the "credentials" command in global config...

Is there something very basic I'm doing wrong?

Thank you in advance.

Kind Regards,

Markus

Markus,

Did you already set up the PKI server and enroll the router to the PKI server?

http://www.cisco.com/univercd/cc/td/doc/product/voice/srst/srst40/srst40ad/sr_scur1.htm

sankar.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Yes, I had set up the CA server in IOS and also enrolled the router itself to that CA. The problem was, I had no credentials server, so CCM could not connect to port 2445 and catch the certificate. Wrong IOS! (If you don't need that stick for yourself any longer, maybe you can send it over to me...)

I have now found an IOS with that feature in it. But the phones still say TLS error when trying to register at secure SRST. How can I find out what type of phone needs what .0 file from CCM? I pasted three of them to trustpoints. Do I need them all?

Kind Regards and thank you for your help so far!

Markus

Okay, it's working now.

I see, I do not need all of them - just the right ones ;-)

Markus
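
The order of steps this thread arrives at, as an added IOS configuration example that is not from either poster: authenticating a trustpoint only installs the CA certificate, so the router must also be enrolled before the credentials service on port 2445 has a certificate and private key to present to CallManager. The trustpoint name SRST-CA, key label SRST-KEY and the 10.0.0.x addresses are placeholders.

```ios
! Assumed placeholders: SRST-CA (trustpoint), SRST-KEY (key label),
! 10.0.0.1 (CA server), 10.0.0.2 (this SRST router).
!
! 1. Key pair the router certificate will be bound to.
crypto key generate rsa general-keys label SRST-KEY modulus 2048
!
! 2. Trustpoint pointing at the CA server.
crypto pki trustpoint SRST-CA
 enrollment url http://10.0.0.1:80
 revocation-check none
 rsakeypair SRST-KEY
!
! 3. Authenticate: fetches and installs the CA certificate only.
crypto pki authenticate SRST-CA
!
! 4. Enroll: requests the router's own certificate. Skipping this step
!    matches the symptom in the first post ("Can't find router private key"
!    in debug credentials, TLS socket error in CallManager).
crypto pki enroll SRST-CA
!
! 5. Credentials service that CallManager connects to on port 2445.
!    Needs an IOS image that includes the "credentials" command.
credentials
 ip source-address 10.0.0.2 port 2445
 trustpoint SRST-CA
!
! Verification from exec mode:
!   show crypto pki certificates   (expect a router certificate as well
!                                   as the CA certificate for SRST-CA)
!   show credentials               (expect the address, port 2445 and
!                                   the trustpoint name)
```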