New Member

VPN Client and RA Enroll fails

Hi, I'm wondering about the requirements for RA certificates to enroll with a Cisco VPN Client.

I'm using Cisco VPN Client 5.0 on Windows XP towards an EJBCA CA.

The CA is set up with a simple Root CA for SCEP.

If I enroll directly with the CA all works fine.

I have set up an RA, where the RA certificate is signed directly by the CA. My RA certificate has keyUsage digitalSignature and keyEncipherment and basicConstraints=false.

When I try to enroll with the RA I get this message:


41 11:29:28.890 02/08/08 Sev=Info/4 CERT/0x63600022

Setting key size of 2048 for pkcs10 request.

42 11:29:29.375 02/08/08 Sev=Warning/2 CERT/0xE3600016

Failure on: Locating RA Encryption Certificate.


The RA sends the RA and CA certificate to the VPN client with mime-type application/x-x509-ca-ra-cert. The VPN client even stores the certificates, and says both the RA and the CA cert are valid.

Why will the VPN client not accept the RA certificate as an RA encryption certificate?




Re: VPN Client and RA Enroll fails

Make sure the domain name matches. FQDN and hostname are the primary isakmp ID methods with Cisco products. Refer for more information.

New Member

Re: VPN Client and RA Enroll fails

Sorry, but that does not work. I tried setting both common name and DNS altName to, and enrolling with a URL with this hostname to my RA. The VPN client still will not accept the RA's certificate as an RA encryption certificate.