Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Certificate enrollment / SCEP issue


I have the following issue.

I have a site-to-site vpn working right now with pre-shared keys. I want to do it now by using certificates.

I have a Microsoft Windows Server 2008 Enterprise and have the CA already installed and everything configured at the server (I think...)

When I go to the ASA and try to get the certificate from the CA via the SCP and this link: http://x.x.x.x/certsrv/mscep/mscep.dll

I get the following error:

Error in receiving certificate from the Certificate Authority.

I can get to the server fine from the ASA and pings work just fine...

Please help.! thanks!


Re: Certificate enrollment / SCEP issue

You may want to check to see if an enrollment password is required.  The default installation of Server 2008 NDES will default to requiring an OTP for each enrollment request.  The URL to access this interface is usually http://[Server IP]/CertSrv/mscep_admin.  You will then include the SCEP Challenge Password when defining and enrolling the trustpoint.

New Member

Re: Certificate enrollment / SCEP issue

Ok you are right.

I am accesing the ASA via the ASDM. On this host that I am using to connect to the ASDM I opened up a web browser and I am able to go to the link:


and get the:

  • The thumbprint (hash value) for the CA certificate
  • enrollment challenge password

Now that I have this info where do I put this on to?

Re: Certificate enrollment / SCEP issue

In ASDM 6.x, you will enter the challenge password during the initial configuration of the trustpoint.  Go to Configuration->Remote Access VPN->Certificate Management->Identity Certificates.  Click Add to configure a new trustpoint and select the "Add a new identity certificate" option. Under advanced, there will be three tabs.  The "Enrollment Mode" tab is where you enter the SCEP URL and the "SCEP Challenge Password" tab is where you enter the OTP.

New Member

Re: Certificate enrollment / SCEP issue

OK - forget the Windows 2008 server... I am not using that anymore...

I took an IOS router and configured it to be the CA server which works just fine. I was able to get the CA certs and have 2 ASAs enroll with it and was able to get the site to site up and running with certificates!

Now I am trying to do the same thing but via a Remote access VPN.

The problem that I have is that I have no idea how to get the CA certificate from the client PC where the vpn client is installed.. Any ideas?

Here is the config:

ip domain name
crypto pki server cakey
issuer-name L=TST C=US
lifetime crl 24
lifetime certificate 200
lifetime ca-certificate 365
crypto pki trustpoint cakey
revocation-check crl
rsakeypair cakey

New Member

Re: Certificate enrollment / SCEP issue

Hello.. any ideas someone ?

CreatePlease login to create content