MS CA Server rejecting my certificates...

Humper Member Posts: 647
Ok so I am on a big learning curve right now trying to get CA setup for use with DMVPN.

I've got my MS server setup. CA, IIS and SCEP is installed and enabled.

Right now I'm just focused on getting one router enrolled with the CA automatically...

I have set the clock time using clock set to match (as close as possible) to the MS CA server. I have generated a 2048 bit RSA key. The domain name has been set.

Here is my config for the HUB:
ip domain name sirhumper.com
ip host jh-l4zf0x7lgjtt.sirhumper.com 172.16.0.25
!
crypto pki trustpoint CA
 enrollment retry period 5
 enrollment mode ra
 enrollment url http://172.16.0.25:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 ip-address 10.1.3.2
 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 subject-name OU=DMVPN O=DM
 revocation-check crl
 rsakeypair CA 2048
 auto-enroll 90 regenerate
!
!
crypto pki certificate chain CA
 certificate ca 4B1156AC210CCDBF4255A92BE8801B11
  3082046C 30820354 A0030201 0202104B 1156AC21 0CCDBF42 55A92BE8 801B1130
!!!! DELETED


Now if I run debug I get a lot of stuff that I don't understand..
HUB2#sh crypto pki certificates 
CA Certificate
  Status: Available
  Certificate Serial Number: 0x4B1156AC210CCDBF4255A92BE8801B11
  Certificate Usage: Signature
  Issuer: 
    cn=DMVPN
    dc=sirhumper
    dc=com
  Subject: 
    cn=DMVPN
    dc=sirhumper
    dc=com
  CRL Distribution Points: 
    ldap:///CN=DMVPN,CN=jh-l4zf0x7lgjtt,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sirhumper,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://jh-l4zf0x7lgjtt.sirhumper.com/CertEnroll/DMVPN.crl
  Validity Date: 
    start date: 13:54:42 UTC Mar 8 2008
    end   date: 14:03:04 UTC Mar 8 2009
  Associated Trustpoints: CA 


HUB2#
*Mar  8 15:59:06.807: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Certificate-Signing, CRL-Signing
HUB2#%
% Start certificate enrollment .. 

% The subject name in the certificate will include: OU=DMVPN O=DM
% The subject name in the certificate will include: HUB2.sirhumper.com
% The serial number in the certificate will be: 4294967295
% The IP address in the certificate is 10.1.3.2

% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA verbose' commandwill show the fingerprint.

*Mar  8 15:59:21.311: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA
*Mar  8 15:59:21.323: CRYPTO_PKI: using private key CA# for enrollment
*Mar  8 15:59:21.323: CRYPTO_PKI: Sending CA Certificate Request: 
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=CA HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)

Host: 172.16.0.25




*Mar  8 15:59:21.323: CRYPTO_PKI: locked trustpoint CA, refcount is 1
*Mar  8 15:59:21.323: CRYPTO_PKI: can not resolve server name/IP address 
*Mar  8 15:59:21.323: CRYPTO_PKI: Using unresolved IP Address 172.16.0.25
*Mar  8 15:59:21.391: CRYPTO_PKI: http connection opened
*Mar  8 15:59:21.395: CRYPTO_PKI: Sending HTTP message

*Mar  8 15:59:21.395: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)

Host: 172.16.0.25




*Mar  8 15:59:21.403: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
*Mar  8 15:59:21.403: CRYPTO_PKI: locked trustpoint CA, refcount is 1
*Mar  8 15:59:21.679: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
*Mar  8 15:59:21.679: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK

Connection: close

Date: Sat, 08 Mar 2008 21:00:49 GMT

Server: Microsoft-IIS/6.0

MicrosoftOfficeWebServer: 5.0_Pub

X-Powered-By: ASP.NET

Content-Length: 3931

Content-Type: application/x-x509-ca-ra-cert



Content-Type indicates we have received CA and RA certificates.

*Mar  8 15:59:21.679: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=CA)

*Mar  8 15:59:21.711: The PKCS #7 message contains 3 certificates.
*Mar  8 15:59:21.743: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature
*Mar  8 15:59:21.743: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

*Mar  8 15:59:21.759: CRYPTO-PKI: Cert has the following key-usage flags: Key-Encipherment
*Mar  8 15:59:21.759: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

*Mar  8 15:59:21.759: CRYPTO_PKI: Sending Get Capabilities Request: 
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps&message=CA HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)

Host: 172.16.0.25




*Mar  8 15:59:21.759: CRYPTO_PKI: locked trustpoint CA, refcount is 1
*Mar  8 15:59:21.759: CRYPTO_PKI: can not resolve server name/IP address 
*Mar  8 15:59:21.759: CRYPTO_PKI: Using unresolved IP Address 172.16.0.25
*Mar  8 15:59:21.859: CRYPTO_PKI: http connection opened
*Mar  8 15:59:21.863: CRYPTO_PKI: Sending HTTP message

*Mar  8 15:59:21.863: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)

Host: 172.16.0.25




*Mar  8 15:59:21.871: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
*Mar  8 15:59:21.871: CRYPTO_PKI: locked trustpoint CA, refcount is 1
*Mar  8 15:59:21.975: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
*Mar  8 15:59:21.975: CRYPTO_PKI: status = 0: failed to process the received pki msg
*Mar  8 15:59:21.975: CRYPTO_PKI: transaction PKCSReq completed
*Mar  8 15:59:21.975: CRYPTO_PKI: status: 
*Mar  8 15:59:22.071: CRYPTO_PKI:Write out pkcs#10 content:481 
     30 82 01 DD 30 82 01 46 02 01 00 30 62 31 13 30 
     11 06 03 55 04 0B 13 0A 44 4D 56 50 4E 20 4F 3D 
     44 4D 31 4B 30 11 06 03 55 04 05 13 0A 34 32 39 
!!DELETED

*Mar  8 15:59:22.087: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 2AD3C604 38E34709 1A6646EC 6B1225F5 
*Mar  8 15:59:22.087: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 847875A1 54D73333 BF196FA7 DFB5FE99 CD894CD1 
*Mar  8 15:59:22.119: CRYPTO_PKI:Enveloped Data for trustpoint CA...
*Mar  8 15:59:24.835: The PKCS #7 message has 1 verified signers.
*Mar  8 15:59:24.835: signing cert: issuer=cn=DMVPN,dc=sirhumper,dc=com611D571B000002
*Mar  8 15:59:24.835: Signed Attributes:

*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-message-type:   13 01 33                                        

*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-status:   13 01 32                                        

*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-fail-info:   13 01 32                                        

*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-recipient-nonce:   
     04 10 5F B2 F9 ED 8F C1 C3 D8 29 4D F7 31 2B 96 
     EC FA                                           

*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-transaction-id:   
     13 20 44 39 31 43 37 44 30 38 41 44 33 30 30 31 
     37 45 30 43 33 43 37 38 39 38 35 33 38 36 38 34 
     37 44                                           

*Mar  8 15:59:24.835: CRYPTO_PKI: status = 101: certificate request is rejected
*Mar  8 15:59:24.835: CRYPTO_PKI: Fail Info=2
*Mar  8 15:59:24.835: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
*Mar  8 15:59:24.839: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
*Mar  8 15:59:24.843: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
*Mar  8 15:59:24.851: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
*Mar  8 15:59:24.851: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.

At the end where it states Certificate enrollment was rejected...I might just open a TAC case..
Now working full time!
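The "signed attr" lines in the debug above carry the SCEP reply fields as raw DER bytes (0x13 is a PrintableString tag, so "13 01 32" is the string "2"). The following is an added example, not code from the thread or from Cisco, that decodes those three attributes into the values defined by the SCEP specification (RFC 8894); the sample lines are copied from the debug output above.

```python
# Decode SCEP signed attributes from Cisco IOS "debug crypto pki" output.
# Value tables follow the SCEP specification (RFC 8894, section 3.2).

SCEP_MESSAGE_TYPE = {"3": "CertRep", "17": "CertPoll", "19": "PKCSReq",
                     "20": "GetCert", "21": "GetCRL"}
SCEP_PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
SCEP_FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
                  "3": "badTime", "4": "badCertId"}


def decode_printable_string(hex_bytes: str) -> str:
    """Decode a DER PrintableString (tag 0x13) given as space-separated hex."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) < 2 or raw[0] != 0x13:
        raise ValueError("not a DER PrintableString")
    length = raw[1]
    if length & 0x80 or len(raw) != 2 + length:  # short-form length only
        raise ValueError("unexpected DER length")
    return raw[2:].decode("ascii")


def parse_debug(lines):
    """Pull single-line 'signed attr: name: hex' pairs out of IOS debug lines."""
    attrs = {}
    for line in lines:
        if "signed attr:" not in line:
            continue
        _, rest = line.split("signed attr:", 1)
        name, _, value = rest.strip().partition(":")
        if value.strip():  # nonce / transaction-id continue on later lines; skip
            attrs[name.strip()] = value.strip()
    return attrs


def explain_signed_attrs(attrs: dict) -> dict:
    """Map the raw hex attribute values to their SCEP meanings."""
    out = {}
    for key, table, label in (("pki-message-type", SCEP_MESSAGE_TYPE, "message-type"),
                              ("pki-status", SCEP_PKI_STATUS, "status"),
                              ("pki-fail-info", SCEP_FAIL_INFO, "fail-info")):
        if key in attrs:
            code = decode_printable_string(attrs[key])
            out[label] = table.get(code, f"unknown({code})")
    return out


# Constructed sample: the attribute lines from the thread's debug output.
SAMPLE_DEBUG = [
    "*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-message-type:   13 01 33",
    "*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-status:   13 01 32",
    "*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-fail-info:   13 01 32",
    "*Mar  8 15:59:24.835: CRYPTO_PKI: signed attr: pki-recipient-nonce:   ",
]

if __name__ == "__main__":
    print(explain_signed_attrs(parse_debug(SAMPLE_DEBUG)))
```

For the thread's debug this yields a CertRep with status FAILURE and fail-info badRequest, which is the same rejection the router summarises as "status = 101" and "Fail Info=2".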

Comments

  • Humper Member Posts: 647
    OMG...Microsoft how I love you right now..

    KB Article Here

    http://support.microsoft.com/kb/305196
    This article was previously published under Q305196
    SYMPTOMS
    To establish an L2TP/IPSec tunnel between a Cisco Internetwork operating system router and a Windows 2000 Certificate Authority (CA), a certificate trust must exist between the CA and the router. To enable this trust, the router must request and install an IPSec certificate from the CA. However, when the Cisco IOS-enabled router requests to enroll the IPSec certificate from a Windows 2000 Enterprise CA, the request may not work, and the router may log the following error message in the Cisco log:
    time CRYPTO_PKI: status = 101: certificate request is rejected
    time CRYPTO_PKI: All enrollment requests completed.
    datetime %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
    Additionally, the Application log on the Windows 2000 server that is hosting the Certificate Authority service may log the following event:
    Event Type: Warning
    Event Source: CertSvc
    Event Category: None
    Event ID: 53
    Date: date
    Time: time
    User: N/A
    Computer: computer name
    Description:

    Certificate Services denied request 72 because Access is denied. 0x80070005 (WIN32: 5).
    The request was for OID.1.2.840.113549.1.9.2=name.com. Additional information: Denied by Policy Module
    If you use the Certutil.exe tool to parse the WIN32 error (by using the certutil -error 0x80070005 command), you may receive the following output:
    0x80070005 (WIN32: 5) -- 2147942405 (-2147024891)
    Error message text: Access id denied.

    CAUSE
    This issue can occur if the Authenticated Users group had not been granted the Enroll permission to the IPSECIntermediateOffline template.

    RESOLUTION
    To resolve this issue, grant the Enroll permission to the Authenticated Users group on the IPSECIntermediateOffline template.


    MORE INFORMATION
    The Cisco Internetwork operating system uses a Cisco Simple Certificate Enrollment Protocol (SCEP) proprietary protocol to communicate with the CA to obtain a certificate. This is the only way to request or install a certificate to a Cisco router. Additionally, only CAs that support the SCEP protocol can be used to enroll the certificate. The Windows 2000 Server Resource Kit includes an add-on component (Cepsetup.exe), that allows Microsoft CAs to use SCEP.

    The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
  • Humper Member Posts: 647
    FFS..Just when I thought I was ok...

    %
    % Start certificate enrollment ..
    
    % The subject name in the certificate will include: OU=DMVPN O=DM
    % The subject name in the certificate will include: HUB2.sirhumper.com
    % The serial number in the certificate will be: 4294967295
    % The IP address in the certificate is 10.1.3.2
    
    % Certificate request sent to Certificate Authority
    % The 'show crypto ca certificate CA verbose' commandwill show the fingerprint.
    
    HUB2(config)#
    *Mar  8 16:47:44.355: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 2AD3C604 38E34709 1A6646EC 6B1225F5
    *Mar  8 16:47:44.363: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 847875A1 54D73333 BF196FA7 DFB5FE99 CD894CD1
    *Mar  8 16:47:47.043: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
    
  • Humper Member Posts: 647
    I have solved the problem with CISCO TAC.

    When you install the SCEP add-on to the MS CA server it asks you whether or not you want to challenge the requests with a one time password.

    When you enroll the certificate using the "crypto pki authenticate enroll" command, the CA server requests a "one-time" password for verification.

    In order to satisfy the CA server, the administrator must login to the SCEP webpage (located at http://yourserver/certsrv/mscep/mscep.dll). The password is located at that page and is valid for 60mins. You copy and paste this password into the router console and once the password is verified, the CA server will accept the request and return the certificate.

    Again the one time password is for security purposes. The only way you can retrieve a certificate is if you have the correct password.



    Just an FYI --- Remove the password command above in my configuration otherwise it will reject the certificate.
  • redwarrior Member Posts: 285
    Very cool to see a real-life example of this! Thank you for sharing. :D

    I'm getting ready to work on the security elective for my MCSE+S, which is mostly certificates and pki, so I'm thinking that setting something similar to this up might be a good exercise both for honing my skills on the Cisco-side as well as MS. Did you use an ASA for this?

    Thanks again!

    CCNP Progress

    ONT, ISCW, BCMSN - DONE

    BSCI - In Progress

    http://www.redwarriornet.com/ <--My Cisco Blog
  • johnjinesh Registered Users Posts: 1
    Thanks dear.. it was a great help for me.. I was searching for this solution and you resolved it in a single sentence...

    Appreciate it, dear...