Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14844
Views
0
Helpful
1
Replies

ERROR: receiving Certificate Authority certificate: status = FAIL

Go to solution
Tiago Marques
Level 1
Level 1

‎03-27-2014 05:01 AM - edited ‎02-21-2020 05:08 AM

Hi all,

we have installed new MS root CA and issuing CA (Windows Server 2008 R2 Enterprise) . When I tried to get CA certificate from some Cisco devices Cisco WS-C3560-24PS it fail.

Debug:

 

QL-SW3(config)#CRYPTO CA authenticate ESSAUDE                   

092306: Mar 27 11:47:38.075 PT: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.0.4.2


092307: Mar 27 11:47:38.075 PT: CRYPTO_PKI: locked trustpoint ESSAUDE, refcount is 1
092308: Mar 27 11:47:38.075 PT: CRYPTO_PKI: can not resolve server name/IP address
092309: Mar 27 11:47:38.075 PT: CRYPTO_PKI: Using unresolved IP Address 10.0.4.2
092310: Mar 27 11:47:38.084 PT: CRYPTO_PKI: http connection opened
092311: Mar 27 11:47:38.084 PT: CRYPTO_PKI: Sending HTTP message

092312: Mar 27 11:47:38.084 PT: CRYPTO_PKI: HTTP header:
 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.0.4.2


092313: Mar 27 11:47:38.084 PT: CRYPTO_PKI: unlocked trustpoint ESSAUDE, refcount is 0
092314: Mar 27 11:47:38.084 PT: CRYPTO_PKI: locked trustpoint ESSAUDE, refcount is 1
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

QL-SW3(config)#
QL-SW3(config)#
QL-SW3(config)#
092315: Mar 27 11:47:53.393 PT: CRYPTO_PKI: unlocked trustpoint ESSAUDE, refcount is 0
092316: Mar 27 11:47:53.393 PT: CRYPTO_PKI: HTTP header:
 HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
Date: Thu, 27 Mar 2014 11:47:53 GMT
Connection: close
Content-Length: 1208

Content-Type indicates we did not receive a certificate.

092317: Mar 27 11:47:53.401 PT: CRYPTO_PKI: transaction GetCACert completed
QL-SW3(config)#

 

anybody have idea ?

regards

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mclarenh
Level 1
Level 1

‎04-04-2014 12:52 PM

It looks like your CA server is returning a 500 error.

You can verify this by browsing to that same URL (http://10.0.4.2/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE) using a browser. If it's all working, you should be able to download the CA certificate this way (save it to, for example, ca.crt and try opening it).

I'm not certain, because I don't know how your CA is set up, but I think the enrolment URL you have configured in your trustpoint on the switch might be wrong. Does it work on any devices, or is it just these switches having problems?

 

--hugh

View solution in original post

0 Helpful
1 Reply 1

Go to solution
mclarenh
Level 1
Level 1

‎04-04-2014 12:52 PM

It looks like your CA server is returning a 500 error.

You can verify this by browsing to that same URL (http://10.0.4.2/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE) using a browser. If it's all working, you should be able to download the CA certificate this way (save it to, for example, ca.crt and try opening it).

I'm not certain, because I don't know how your CA is set up, but I think the enrolment URL you have configured in your trustpoint on the switch might be wrong. Does it work on any devices, or is it just these switches having problems?

 

--hugh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card