Cisco Support Community

ERROR: receiving Certificate Authority certificate: status = FAIL

Hi all,

We have installed a new MS root CA and issuing CA (Windows Server 2008 R2 Enterprise). When I tried to get the CA certificate from some Cisco devices (Cisco WS-C3560-24PS), it fails.

Debug:

QL-SW3(config)#CRYPTO CA authenticate ESSAUDE                   

092306: Mar 27 11:47:38.075 PT: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.0.4.2


092307: Mar 27 11:47:38.075 PT: CRYPTO_PKI: locked trustpoint ESSAUDE, refcount is 1
092308: Mar 27 11:47:38.075 PT: CRYPTO_PKI: can not resolve server name/IP address
092309: Mar 27 11:47:38.075 PT: CRYPTO_PKI: Using unresolved IP Address 10.0.4.2
092310: Mar 27 11:47:38.084 PT: CRYPTO_PKI: http connection opened
092311: Mar 27 11:47:38.084 PT: CRYPTO_PKI: Sending HTTP message

092312: Mar 27 11:47:38.084 PT: CRYPTO_PKI: HTTP header:
 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.0.4.2


092313: Mar 27 11:47:38.084 PT: CRYPTO_PKI: unlocked trustpoint ESSAUDE, refcount is 0
092314: Mar 27 11:47:38.084 PT: CRYPTO_PKI: locked trustpoint ESSAUDE, refcount is 1
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

QL-SW3(config)#
QL-SW3(config)#
QL-SW3(config)#
092315: Mar 27 11:47:53.393 PT: CRYPTO_PKI: unlocked trustpoint ESSAUDE, refcount is 0
092316: Mar 27 11:47:53.393 PT: CRYPTO_PKI: HTTP header:
 HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
Date: Thu, 27 Mar 2014 11:47:53 GMT
Connection: close
Content-Length: 1208

Content-Type indicates we did not receive a certificate.

092317: Mar 27 11:47:53.401 PT: CRYPTO_PKI: transaction GetCACert completed
QL-SW3(config)#

Does anybody have an idea?

Regards

Accepted Solutions
It looks like your CA server is returning a 500 error.

You can verify this by browsing to that same URL (http://10.0.4.2/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ESSAUDE) using a browser. If it's all working, you should be able to download the CA certificate this way (save it to, for example, ca.crt and try opening it).

I'm not certain, because I don't know how your CA is set up, but I think the enrolment URL you have configured in your trustpoint on the switch might be wrong. Does it work on any devices, or is it just these switches having problems?

 

--hugh
