Cisco Support Community
Community Member

Approved certificate retrieving problem in Cisco VPN Client

Approved certificate retrieving problem in Cisco VPN Client (SCEP manual enrollment authentication mode)

Hi All!

I have a problem with manual retrieving signed certificate from IOS CA Server (c3640-ik9o3s-mz.124-25b IOS on Cisco 3640) in online mode using Cisco VPN Client.

I configured Cisco IOS CA server, trustpoints, and so on, and then try to enroll with this server from PC with VPN client installed. In auto mode (when 'grant auto' command is issued on CA server) all is ok - client sends request to the CA server (using Certificates-> Enroll in VPN client), automatically takes CA cert, then server grants client request and sends it back to client. Then I can see 2 certificates - CA and my cert - in corresponding VPN client window (CA store is 'CA' and my cert store is 'Cisco'). All is correct. Then I can use this cert to authenticate myself in ISAKMP/IPSec with no problems.

But, problem begins when I try to switch to manual granting mode ('no grant auto' command in crypto pki server). In this mode, client sends request to CA server, then takes its root CA cert, server receives my request and sends 'SCEP pending reply' to me (OK). Now I can see CA cert and my cert in VPN client window (my cert store is 'Request'). Then I'm manually grant this request on IOS CA server and try to take my granted cert on Cisco VPN Client (using 'Retrieve approved certificate' in 'Certificates' window). Occurs nothing. VPN Client don't retrieve this cert from server, Error 43:'Certificate enrollment failed or was not approved' and log message 'Unable to find the CA certificate corresponding to this request' occurs.

There are 2 strange things in this:

1. Despite the fact that I can see (and verify) CA cert on VPN Client, when I try to retrieve approved cert on this client from IOS CA, 'unable to find the CA certificate corresponding to this request' log message occurs.

2. In fact, VPN Client sends no traffic to IOS CA router (!) when I try to take approved cert.

Have you any assumptions about this problem?



CreatePlease to create content