MS CA Server rejecting my certificates...

#1  Senior Member (Join Date Feb 2006, Location Canada, Posts 656, Certifications BSCI,BCMSN,CCNA)

    Ok so I am on a big learning curve right now trying to get CA setup for use with DMVPN.

    I've got my MS server setup. CA, IIS and SCEP is installed and enabled.

    Right now I'm just focused on getting one router enrolled with the CA automatically...

    I have set the clock time using clock set to match (as close as possible) to the MS CA server. I have generated a 2048 bit RSA key. The domain name has been set.

    Here is my config for the HUB:

    Code:
    ip domain name sirhumper.com
    ip host jh-l4zf0x7lgjtt.sirhumper.com 172.16.0.25
    !
    crypto pki trustpoint CA
     enrollment retry period 5
     enrollment mode ra
     enrollment url http://172.16.0.25:80/certsrv/mscep/mscep.dll
     usage ike
     serial-number
     ip-address 10.1.3.2
     password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     subject-name OU=DMVPN O=DM
     revocation-check crl
     rsakeypair CA 2048
     auto-enroll 90 regenerate
    !
    !
    crypto pki certificate chain CA
     certificate ca 4B1156AC210CCDBF4255A92BE8801B11
      3082046C 30820354 A0030201 0202104B 1156AC21 0CCDBF42 55A92BE8 801B1130
    !!!! DELETED
    Now if I run debug I get a lot of stuff that I don't understand..

    Code:
    HUB2#sh crypto pki certificates 
    CA Certificate
      Status: Available
      Certificate Serial Number: 0x4B1156AC210CCDBF4255A92BE8801B11
      Certificate Usage: Signature
      Issuer: 
        cn=DMVPN
        dc=sirhumper
        dc=com
      Subject: 
        cn=DMVPN
        dc=sirhumper
        dc=com
      CRL Distribution Points: 
        ldap:///CN=DMVPN,CN=jh-l4zf0x7lgjtt,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sirhumper,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
        http://jh-l4zf0x7lgjtt.sirhumper.com...roll/DMVPN.crl
      Validity Date: 
        start date: 13:54:42 UTC Mar 8 2008
        end   date: 14:03:04 UTC Mar 8 2009
      Associated Trustpoints: CA 
    
    
    HUB2#
    *Mar  8 15:59:06.807: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Certificate-Signing, CRL-Signing
    HUB2#%
    % Start certificate enrollment .. 
    
    % The subject name in the certificate will include: OU=DMVPN O=DM
    % The subject name in the certificate will include: HUB2.sirhumper.com
    % The serial number in the certificate will be: 4294967295
    % The IP address in the certificate is 10.1.3.2
    
    % Certificate request sent to Certificate Authority
    % The 'show crypto ca certificate CA verbose' commandwill show the fingerprint.
    
    *Mar  8 15:59:21.311: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA
    *Mar  8 15:59:21.323: CRYPTO_PKI: using private key CA# for enrollment
    *Mar  8 15:59:21.323: CRYPTO_PKI: Sending CA Certificate Request: 
    GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=CA HTTP/1.0
    
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
    
    Host: 172.16.0.25
    
    
    
    
    *Mar  8 15:59:21.323: CRYPTO_PKI: locked trustpoint CA, refcount is 1
    *Mar  8 15:59:21.323: CRYPTO_PKI: can not resolve server name/IP address 
    *Mar  8 15:59:21.323: CRYPTO_PKI: Using unresolved IP Address 172.16.0.25
    *Mar  8 15:59:21.391: CRYPTO_PKI: http connection opened
    *Mar  8 15:59:21.395: CRYPTO_PKI: Sending HTTP message
    
    *Mar  8 15:59:21.395: CRYPTO_PKI: Reply HTTP header:
    HTTP/1.0
    
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
    
    Host: 172.16.0.25
    
    
    
    
    *Mar  8 15:59:21.403: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
    *Mar  8 15:59:21.403: CRYPTO_PKI: locked trustpoint CA, refcount is 1
    *Mar  8 15:59:21.679: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
    *Mar  8 15:59:21.679: CRYPTO_PKI: Reply HTTP header:
    HTTP/1.1 200 OK
    
    Connection: close
    
    Date: Sat, 08 Mar 2008 21:00:49 GMT
    
    Server: Microsoft-IIS/6.0
    
    MicrosoftOfficeWebServer: 5.0_Pub
    
    X-Powered-By: ASP.NET
    
    Content-Length: 3931
    
    Content-Type: application/x-x509-ca-ra-cert
    
    
    
    Content-Type indicates we have received CA and RA certificates.
    
    *Mar  8 15:59:21.679: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=CA)
    
    *Mar  8 15:59:21.711: The PKCS #7 message contains 3 certificates.
    *Mar  8 15:59:21.743: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature
    *Mar  8 15:59:21.743: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs
    
    *Mar  8 15:59:21.759: CRYPTO-PKI: Cert has the following key-usage flags: Key-Encipherment
    *Mar  8 15:59:21.759: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs
    
    *Mar  8 15:59:21.759: CRYPTO_PKI: Sending Get Capabilities Request: 
    GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps&message=CA HTTP/1.0
    
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
    
    Host: 172.16.0.25
    
    
    
    
    *Mar  8 15:59:21.759: CRYPTO_PKI: locked trustpoint CA, refcount is 1
    *Mar  8 15:59:21.759: CRYPTO_PKI: can not resolve server name/IP address 
    *Mar  8 15:59:21.759: CRYPTO_PKI: Using unresolved IP Address 172.16.0.25
    *Mar  8 15:59:21.859: CRYPTO_PKI: http connection opened
    *Mar  8 15:59:21.863: CRYPTO_PKI: Sending HTTP message
    
    *Mar  8 15:59:21.863: CRYPTO_PKI: Reply HTTP header:
    HTTP/1.0
    
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
    
    Host: 172.16.0.25
    
    
    
    
    *Mar  8 15:59:21.871: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
    *Mar  8 15:59:21.871: CRYPTO_PKI: locked trustpoint CA, refcount is 1
    *Mar  8 15:59:21.975: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
    *Mar  8 15:59:21.975: CRYPTO_PKI: status = 0: failed to process the received pki msg
    *Mar  8 15:59:21.975: CRYPTO_PKI: transaction PKCSReq completed
    *Mar  8 15:59:21.975: CRYPTO_PKI: status: 
    *Mar  8 15:59:22.071: CRYPTO_PKI:Write out pkcs#10 content:481 
         30 82 01 DD 30 82 01 46 02 01 00 30 62 31 13 30 
         11 06 03 55 04 0B 13 0A 44 4D 56 50 4E 20 4F 3D 
         44 4D 31 4B 30 11 06 03 55 04 05 13 0A 34 32 39 
    !!DELETED
    
    *Mar  8 15:59:22.087: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 2AD3C604 38E34709 1A6646EC 6B1225F5 
    *Mar  8 15:59:22.087: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 847875A1 54D73333 BF196FA7 DFB5FE99 CD894CD1 
    *Mar  8 15:59:22.119: CRYPTO_PKI:Enveloped Data for trustpoint CA...
    *Mar  8 15:59:24.835: The PKCS #7 message has 1 verified signers.
    *Mar  8 15:59:24.835: signing cert: issuer=cn=DMVPN,dc=sirhumper,dc=com611D571B000002
    *Mar  8 15:59:24.835: Signed Attributes:
    
    *Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-message-type:   13 01 33                                        
    
    *Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-status:   13 01 32                                        
    
    *Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-fail-info:   13 01 32                                        
    
    *Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-recipient-nonce:   
         04 10 5F B2 F9 ED 8F C1 C3 D8 29 4D F7 31 2B 96 
         EC FA                                           
    
    *Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-transaction-id:   
         13 20 44 39 31 43 37 44 30 38 41 44 33 30 30 31 
         37 45 30 43 33 43 37 38 39 38 35 33 38 36 38 34 
         37 44                                           
    
    *Mar  8 15:59:24.835: CRYPTO_PKI: status = 101: certificate request is rejected
    *Mar  8 15:59:24.835: CRYPTO_PKI: Fail Info=2
    *Mar  8 15:59:24.835: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
    *Mar  8 15:59:24.839: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
    *Mar  8 15:59:24.843: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
    *Mar  8 15:59:24.851: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
    *Mar  8 15:59:24.851: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
    At the end where it states Certificate enrollment was rejected...I might just open a TAC case..
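The debug above carries two hex dumps worth reading byte by byte: the start of the PKCS#10 request the router sent, and the signed attributes of the CertRep the CA answered with. The following decoder is an added example for this thread, not code from the post or from Cisco. Its sample input is the debug lines above (the PKCS#10 dump is cut off in the post, and the parser reports that rather than guessing), and the meaning of the numeric codes is taken from the SCEP specification (RFC 8894, section 3.2.1): `pki-status` "2" is FAILURE and `pki-fail-info` "2" is badRequest, which is what IOS summarises as "status = 101" and "Fail Info=2". The CSR prefix also shows the subject's OU attribute encoded as the single PrintableString "DMVPN O=DM": the IOS `subject-name` syntax separates attributes with commas, and the config line `subject-name OU=DMVPN O=DM` has none, so O never became a separate attribute. The assumption that IOS continues long dump values on indented hex-only lines is taken from the layout of the debug output itself.

```python
"""Decode the hex dumps IOS printed under 'debug crypto pki' in the post above: the
PKCS#10 request prefix and the SCEP CertRep signed attributes. Added example for this
thread, not code from the post or from Cisco; status names follow RFC 8894 sect. 3.2.1."""
import re

# Sample input constructed from the poster's debug lines; the CSR dump is cut off there.
SAMPLE_DEBUG = """\
*Mar  8 15:59:22.071: CRYPTO_PKI:Write out pkcs#10 content:481
     30 82 01 DD 30 82 01 46 02 01 00 30 62 31 13 30
     11 06 03 55 04 0B 13 0A 44 4D 56 50 4E 20 4F 3D
     44 4D 31 4B 30 11 06 03 55 04 05 13 0A 34 32 39
!!DELETED
*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-message-type:   13 01 33
*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-status:   13 01 32
*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-fail-info:   13 01 32
*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-recipient-nonce:
     04 10 5F B2 F9 ED 8F C1 C3 D8 29 4D F7 31 2B 96
     EC FA
*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-transaction-id:
     13 20 44 39 31 43 37 44 30 38 41 44 33 30 30 31
     37 45 30 43 33 43 37 38 39 38 35 33 38 36 38 34
     37 44
"""

MESSAGE_TYPES = {"3": "CertRep", "17": "RenewalReq", "19": "PKCSReq", "20": "CertPoll", "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest", "3": "badTime", "4": "badCertId"}
TABLES = {"pki-message-type": MESSAGE_TYPES, "pki-status": PKI_STATUS, "pki-fail-info": FAIL_INFO}
OID_NAMES = {"55040b": "OU", "55040a": "O", "550405": "serialNumber", "550403": "CN"}
ATTR_RE = re.compile(r"signed attr:\s*([\w-]+):\s*([0-9A-Fa-f ]*)$")
HEX_RE = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def collect_hex_dumps(text):
    """{name: bytes}, one entry per 'signed attr: <name>:' line plus 'pkcs#10'. IOS continues
    long values on indented hex-only lines, which extend the open entry; any other line closes it."""
    dumps, current = {}, None
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            current = m.group(1)
            dumps[current] = bytes.fromhex(m.group(2))
        elif "Write out pkcs#10 content:" in line:
            current = "pkcs#10"
            dumps[current] = b""
        elif current and HEX_RE.match(line):
            dumps[current] += bytes.fromhex(HEX_RE.match(line).group(1))
        else:
            current = None
    return dumps


def der_tlv(buf, pos):
    """One DER tag/length header at buf[pos] -> (tag, value_start, value_end); value_end may lie
    past len(buf) when the dump is truncated, and a header that is itself cut off raises."""
    if pos + 2 > len(buf):
        raise ValueError("DER header cut off")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    start = pos + 2 + (first & 0x7F)
    if start > len(buf):
        raise ValueError("DER length cut off")
    return tag, start, start + int.from_bytes(buf[pos + 2:start], "big")


def decode_certrep(dumps):
    """Translate the CertRep signed attributes into their SCEP meaning."""
    out = {}
    for name, blob in dumps.items():
        if not name.startswith("pki-"):
            continue
        tag, start, end = der_tlv(blob, 0)
        body = blob[start:end]
        if tag == 0x13:  # PrintableString: SCEP carries the numeric codes as ASCII digits
            text = body.decode("ascii")
            out[name] = TABLES[name].get(text, "unknown(%s)" % text) if name in TABLES else text
        else:            # OCTET STRING: the nonces
            out[name] = body.hex()
    return out


def csr_subject(csr):
    """Walk CertificationRequest > CertificationRequestInfo > version, subject. Returns
    ([(attribute, value), ...] for values fully present in the dump, truncated_flag)."""
    _, info_start, _ = der_tlv(csr, 0)
    _, cri_start, _ = der_tlv(csr, info_start)
    _, _, ver_end = der_tlv(csr, cri_start)
    _, pos, subj_end = der_tlv(csr, ver_end)
    attrs, truncated = [], subj_end > len(csr)
    try:
        while pos < min(subj_end, len(csr)):
            _, p, rdn_end = der_tlv(csr, pos)                 # RelativeDistinguishedName (SET)
            while p < min(rdn_end, len(csr)):
                _, atv_start, p = der_tlv(csr, p)             # AttributeTypeAndValue (SEQUENCE)
                _, oid_start, oid_end = der_tlv(csr, atv_start)
                _, val_start, val_end = der_tlv(csr, oid_end)
                if val_end > len(csr):
                    raise ValueError("attribute value cut off")
                oid = csr[oid_start:oid_end].hex()
                attrs.append((OID_NAMES.get(oid, oid), csr[val_start:val_end].decode("ascii")))
            pos = rdn_end
    except ValueError:
        truncated = True
    return attrs, truncated


if __name__ == "__main__":
    dumps = collect_hex_dumps(SAMPLE_DEBUG)
    print(decode_certrep(dumps))
    print(csr_subject(dumps["pkcs#10"]))
```

Run as-is it prints CertRep / FAILURE / badRequest with the transaction ID and nonce, then `([('OU', 'DMVPN O=DM')], True)`: the only subject attribute that survives the truncation, and the flag saying the rest is missing. Paste a fuller `debug crypto pki messages` capture into `SAMPLE_DEBUG` to read the complete subject, including the serialNumber and hostname the router announced.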

#2  Senior Member (Canada, BSCI,BCMSN,CCNA)
    OMG...Microsoft how I love you right now..

    KB Article Here

    http://support.microsoft.com/kb/305196

    This article was previously published under Q305196
    SYMPTOMS
    To establish an L2TP/IPSec tunnel between a Cisco Internetwork operating system router and a Windows 2000 Certificate Authority (CA), a certificate trust must exist between the CA and the router. To enable this trust, the router must request and install an IPSec certificate from the CA. However, when the Cisco IOS-enabled router requests to enroll the IPSec certificate from a Windows 2000 Enterprise CA, the request may not work, and the router may log the following error message in the Cisco log:
    time CRYPTO_PKI: status = 101: certificate request is rejected
    time CRYPTO_PKI: All enrollment requests completed.
    datetime %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
    Additionally, the Application log on the Windows 2000 server that is hosting the Certificate Authority service may log the following event:
    Event Type: Warning
    Event Source: CertSvc
    Event Category: None
    Event ID: 53
    Date: date
    Time: time
    User: N/A
    Computer: computer name
    Description:

    Certificate Services denied request 72 because Access is denied. 0x80070005 (WIN32: 5).
    The request was for OID.1.2.840.113549.1.9.2=name.com. Additional information: Denied by Policy Module
    If you use the Certutil.exe tool to parse the WIN32 error (by using the certutil -error 0x80070005 command), you may receive the following output:
    0x80070005 (WIN32: 5) -- 2147942405 (-2147024891)
    Error message text: Access is denied.

    CAUSE
    This issue can occur if the Authenticated Users group had not been granted the Enroll permission to the IPSECIntermediateOffline template.

    RESOLUTION
    To resolve this issue, grant the Enroll permission to the Authenticated Users group on the IPSECIntermediateOffline template.


    MORE INFORMATION
    The Cisco Internetwork operating system uses a Cisco Simple Certificate Enrollment Protocol (SCEP) proprietary protocol to communicate with the CA to obtain a certificate. This is the only way to request or install a certificate to a Cisco router. Additionally, only CAs that support the SCEP protocol can be used to enroll the certificate. The Windows 2000 Server Resource Kit includes an add-on component (Cepsetup.exe), that allows Microsoft CAs to use SCEP.

    The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

#3  Senior Member (Canada, BSCI,BCMSN,CCNA)
    FFS..Just when I thought I was ok...


    Code:
    %
    % Start certificate enrollment ..
    
    % The subject name in the certificate will include: OU=DMVPN O=DM
    % The subject name in the certificate will include: HUB2.sirhumper.com
    % The serial number in the certificate will be: 4294967295
    % The IP address in the certificate is 10.1.3.2
    
    % Certificate request sent to Certificate Authority
    % The 'show crypto ca certificate CA verbose' commandwill show the fingerprint.
    
    HUB2(config)#
    *Mar  8 16:47:44.355: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 2AD3C604 38E34709 1A6646EC 6B1225F5
    *Mar  8 16:47:44.363: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 847875A1 54D73333 BF196FA7 DFB5FE99 CD894CD1
    *Mar  8 16:47:47.043: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority

#4  Senior Member (Canada, BSCI,BCMSN,CCNA)
    I have solved the problem with Cisco TAC.

    When you install the SCEP add-on to the MS CA server it asks you whether or not you want to challenge the requests with a one time password.

    When you enroll the certificate using the "crypto pki authenticate enroll" command, the CA server requests a "one-time" password for verification.

    In order to satisfy the CA server, the administrator must log in to the SCEP webpage (located at http://yourserver/certsrv/mscep/mscep.dll). The password is located on that page and is valid for 60 minutes. You copy and paste this password into the router console, and once the password is verified, the CA server will accept the request and return the certificate.

    Again the one time password is for security purposes. The only way you can retrieve a certificate is if you have the correct password.



    Just an FYI --- Remove the password command above in my configuration otherwise it will reject the certificate.

#5  Senior Member (Join Date Mar 2008, Location Jacksonville, Florida, Posts 284, Certifications CCNA, Network+, various Microsoft. ONT and ISCW down, 2 more to go!!!)
    Very cool to see a real-life example of this! Thank you for sharing.

    I'm getting ready to work on the security elective for my MCSE+S, which is mostly certificates and pki, so I'm thinking that setting something similar to this up might be a good exercise both for honing my skills on the Cisco-side as well as MS. Did you use an ASA for this?

    Thanks again!

#6  Registered Member (Join Date Nov 2010, Posts 1)

    Thanks dear...

    Thanks dear.. it was a great help for me.. I was searching for this solution and you resolved it in a single sentence...

    Appreciate it, dear...