Cisco Support Community
New Member

Getting OU info in a router certificate

I'm running an IPSec tunnel between 2 routers. ISAKMP authentication is based upon certs. The certs are created using SCEP to a Microsoft CA server. The tunnel is working fine, except that I get error messages like "%CRYPTO-6-IKMP_UNITY_BUT_NO_OU_IN_CERT: Cert presented by peer 62.154.251.250 contains no OU field. Unable to obtain group identity.". I've checked and indeed there's no 'Organisation Unit' in the cert present. How do I get the OU or O field information in the cert?



New Member

Re: Getting OU info in a router certificate

The Organisation Unit field is also called the "department" field.

When you are installing your Microsoft CA server, you need to fill out all the blanks. One of those blanks is "department", and you need to fill that out as well.

For example "sydneyvpn", then the OU will be "sydneyvpn".

You need to reinstall the Microsoft CA server to refill all the blanks.

Otherwise, for all the routers and PIX using SCEP to enroll, there is no way to get an OU field. (Because you cannot specify the OU during the enrollment.)

For VPN client 3.x and VPN 3000, we can fill out a form to enroll to Microsoft CA server, we can manually put a department or OU name there.

So for VPN client 3.x and VPN 3000, we do not have this problem.
