Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4801
Views
0
Helpful
5
Replies

Certificate enrollment / SCEP issue

allanc16
Level 1
Level 1

‎03-23-2010 02:37 PM

Hello,

I have the following issue.

I have a site-to-site vpn working right now with pre-shared keys. I want to do it now by using certificates.

I have a Microsoft Windows Server 2008 Enterprise and have the CA already installed and everything configured at the server (I think...)

When I go to the ASA and try to get the certificate from the CA via the SCP and this link: http://x.x.x.x/certsrv/mscep/mscep.dll

I get the following error:

Error in receiving certificate from the Certificate Authority.

I can get to the server fine from the ASA and pings work just fine...

Please help.! thanks!

Labels:
0 Helpful
5 Replies 5

Todd Pula
Level 7
Level 7

‎03-23-2010 02:55 PM

You may want to check to see if an enrollment password is required.  The default installation of Server 2008 NDES will default to requiring an OTP for each enrollment request.  The URL to access this interface is usually http://[Server IP]/CertSrv/mscep_admin.  You will then include the SCEP Challenge Password when defining and enrolling the trustpoint.

0 Helpful

allanc16
Level 1
Level 1
In response to Todd Pula

‎03-23-2010 02:58 PM

Ok you are right.

I am accesing the ASA via the ASDM. On this host that I am using to connect to the ASDM I opened up a web browser and I am able to go to the link:

http://ccie-dc/CertSrv/mscep_admin

and get the:

  • The thumbprint (hash value) for the CA certificate
  • enrollment challenge password

Now that I have this info where do I put this on to?

0 Helpful

Todd Pula
Level 7
Level 7
In response to allanc16

‎03-24-2010 07:13 AM

In ASDM 6.x, you will enter the challenge password during the initial configuration of the trustpoint.  Go to Configuration->Remote Access VPN->Certificate Management->Identity Certificates.  Click Add to configure a new trustpoint and select the "Add a new identity certificate" option. Under advanced, there will be three tabs.  The "Enrollment Mode" tab is where you enter the SCEP URL and the "SCEP Challenge Password" tab is where you enter the OTP.

0 Helpful

allanc16
Level 1
Level 1
In response to Todd Pula

‎03-25-2010 04:32 PM

OK - forget the Windows 2008 server... I am not using that anymore...

I took an IOS router and configured it to be the CA server which works just fine. I was able to get the CA certs and have 2 ASAs enroll with it and was able to get the site to site up and running with certificates!

Now I am trying to do the same thing but via a Remote access VPN.

The problem that I have is that I have no idea how to get the CA certificate from the client PC where the vpn client is installed.. Any ideas?

Here is the config:

ip domain name ccielab.com
!
crypto pki server cakey
issuer-name CN=caserver.com L=TST C=US
lifetime crl 24
lifetime certificate 200
lifetime ca-certificate 365
cdp-url http://51.88.99.100/cisco1cdp.cisco1.crl
!
crypto pki trustpoint cakey
revocation-check crl
rsakeypair cakey

0 Helpful

allanc16
Level 1
Level 1
In response to allanc16

‎03-26-2010 10:14 AM

Hello.. any ideas someone ?

0 Helpful
Customers Also Viewed These Support Documents