Ok so I am on a big learning curve right now trying to get a CA set up for use with DMVPN.
I've got my MS server set up. CA, IIS and SCEP are installed and enabled.
Right now I'm just focused on getting one router enrolled with the CA automatically...
I have set the clock time using clock set to match (as close as possible) the MS CA server. I have generated a 2048-bit RSA key. The domain name has been set.
Here is my config for the HUB:
ip domain name sirhumper.com
ip host jh-l4zf0x7lgjtt.sirhumper.com 172.16.0.25
!
crypto pki trustpoint CA
enrollment retry period 5
enrollment mode ra
enrollment url http://172.16.0.25:80/certsrv/mscep/mscep.dll
usage ike
serial-number
ip-address 10.1.3.2
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
subject-name OU=DMVPN O=DM
revocation-check crl
rsakeypair CA 2048
auto-enroll 90 regenerate
!
!
crypto pki certificate chain CA
certificate ca 4B1156AC210CCDBF4255A92BE8801B11
3082046C 30820354 A0030201 0202104B 1156AC21 0CCDBF42 55A92BE8 801B1130
!!!! DELETED
Now if I run debug I get a lot of stuff that I don't understand..
HUB2#sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 0x4B1156AC210CCDBF4255A92BE8801B11
Certificate Usage: Signature
Issuer:
cn=DMVPN
dc=sirhumper
dc=com
Subject:
cn=DMVPN
dc=sirhumper
dc=com
CRL Distribution Points:
ldap:///CN=DMVPN,CN=jh-l4zf0x7lgjtt,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sirhumper,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://jh-l4zf0x7lgjtt.sirhumper.com/CertEnroll/DMVPN.crl
Validity Date:
start date: 13:54:42 UTC Mar 8 2008
end date: 14:03:04 UTC Mar 8 2009
Associated Trustpoints: CA
HUB2#
*Mar 8 15:59:06.807: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Certificate-Signing, CRL-Signing
HUB2#%
% Start certificate enrollment ..
% The subject name in the certificate will include: OU=DMVPN O=DM
% The subject name in the certificate will include: HUB2.sirhumper.com
% The serial number in the certificate will be: 4294967295
% The IP address in the certificate is 10.1.3.2
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA verbose' command will show the fingerprint.
*Mar 8 15:59:21.311: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA
*Mar 8 15:59:21.323: CRYPTO_PKI: using private key CA# for enrollment
*Mar 8 15:59:21.323: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 172.16.0.25
*Mar 8 15:59:21.323: CRYPTO_PKI: locked trustpoint CA, refcount is 1
*Mar 8 15:59:21.323: CRYPTO_PKI: can not resolve server name/IP address
*Mar 8 15:59:21.323: CRYPTO_PKI: Using unresolved IP Address 172.16.0.25
*Mar 8 15:59:21.391: CRYPTO_PKI: http connection opened
*Mar 8 15:59:21.395: CRYPTO_PKI: Sending HTTP message
*Mar 8 15:59:21.395: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 172.16.0.25
*Mar 8 15:59:21.403: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
*Mar 8 15:59:21.403: CRYPTO_PKI: locked trustpoint CA, refcount is 1
*Mar 8 15:59:21.679: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
*Mar 8 15:59:21.679: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Connection: close
Date: Sat, 08 Mar 2008 21:00:49 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 3931
Content-Type: application/x-x509-ca-ra-cert
Content-Type indicates we have received CA and RA certificates.
*Mar 8 15:59:21.679: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=CA)
*Mar 8 15:59:21.711: The PKCS #7 message contains 3 certificates.
*Mar 8 15:59:21.743: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature
*Mar 8 15:59:21.743: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs
*Mar 8 15:59:21.759: CRYPTO-PKI: Cert has the following key-usage flags: Key-Encipherment
*Mar 8 15:59:21.759: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs
*Mar 8 15:59:21.759: CRYPTO_PKI: Sending Get Capabilities Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps&message=CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 172.16.0.25
*Mar 8 15:59:21.759: CRYPTO_PKI: locked trustpoint CA, refcount is 1
*Mar 8 15:59:21.759: CRYPTO_PKI: can not resolve server name/IP address
*Mar 8 15:59:21.759: CRYPTO_PKI: Using unresolved IP Address 172.16.0.25
*Mar 8 15:59:21.859: CRYPTO_PKI: http connection opened
*Mar 8 15:59:21.863: CRYPTO_PKI: Sending HTTP message
*Mar 8 15:59:21.863: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 172.16.0.25
*Mar 8 15:59:21.871: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
*Mar 8 15:59:21.871: CRYPTO_PKI: locked trustpoint CA, refcount is 1
*Mar 8 15:59:21.975: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
*Mar 8 15:59:21.975: CRYPTO_PKI: status = 0: failed to process the received pki msg
*Mar 8 15:59:21.975: CRYPTO_PKI: transaction PKCSReq completed
*Mar 8 15:59:21.975: CRYPTO_PKI: status:
*Mar 8 15:59:22.071: CRYPTO_PKI:Write out pkcs#10 content:481
30 82 01 DD 30 82 01 46 02 01 00 30 62 31 13 30
11 06 03 55 04 0B 13 0A 44 4D 56 50 4E 20 4F 3D
44 4D 31 4B 30 11 06 03 55 04 05 13 0A 34 32 39
!!DELETED
*Mar 8 15:59:22.087: CRYPTO_PKI: Certificate Request Fingerprint MD5: 2AD3C604 38E34709 1A6646EC 6B1225F5
*Mar 8 15:59:22.087: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 847875A1 54D73333 BF196FA7 DFB5FE99 CD894CD1
*Mar 8 15:59:22.119: CRYPTO_PKI:Enveloped Data for trustpoint CA...
*Mar 8 15:59:24.835: The PKCS #7 message has 1 verified signers.
*Mar 8 15:59:24.835: signing cert: issuer=cn=DMVPN,dc=sirhumper,dc=com611D571B000002
*Mar 8 15:59:24.835: Signed Attributes:
*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-message-type: 13 01 33
*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-status: 13 01 32
*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-fail-info: 13 01 32
*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 5F B2 F9 ED 8F C1 C3 D8 29 4D F7 31 2B 96
EC FA
*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 44 39 31 43 37 44 30 38 41 44 33 30 30 31
37 45 30 43 33 43 37 38 39 38 35 33 38 36 38 34
37 44
*Mar 8 15:59:24.835: CRYPTO_PKI: status = 101: certificate request is rejected
*Mar 8 15:59:24.835: CRYPTO_PKI: Fail Info=2
*Mar 8 15:59:24.835: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
*Mar 8 15:59:24.839: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
*Mar 8 15:59:24.843: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
*Mar 8 15:59:24.851: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
*Mar 8 15:59:24.851: CRYPTO_PKI: All enrollment requests completed for trustpoint CA.
At the end where it states Certificate enrollment was rejected...I might just open a TAC case..
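As an added example (not part of the original post), here is a small Python decoder for the three SCEP signed attributes the router prints in the CertRep above (pki-message-type, pki-status, pki-fail-info). It assumes the debug lines are pasted as plain text and uses the value names from RFC 8894; the sample log is constructed from the post's output.

```python
"""Decode the SCEP signed attributes from IOS CRYPTO_PKI debug output.

The router prints each attribute as raw DER: a PrintableString (tag 0x13),
a one-byte length, then ASCII digits. RFC 8894 assigns meanings to those
digit strings; this helper maps them so a failed enrollment can be read.
"""
import re

# Value tables from RFC 8894 (messageType, pkiStatus, failInfo).
MESSAGE_TYPE = {"3": "CertRep", "17": "RenewalReq", "19": "PKCSReq",
                "20": "CertPoll", "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
             "3": "badTime", "4": "badCertId"}
TABLES = {"pki-message-type": MESSAGE_TYPE,
          "pki-status": PKI_STATUS,
          "pki-fail-info": FAIL_INFO}

ATTR_RE = re.compile(
    r"signed attr: (pki-message-type|pki-status|pki-fail-info): ([0-9A-Fa-f ]+)$")


def der_printable_string(hex_bytes: str) -> str:
    """Decode one short-form DER PrintableString such as '13 01 32' -> '2'."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) < 2 or raw[0] != 0x13:
        raise ValueError("not a DER PrintableString (tag 0x13)")
    length = raw[1]
    if length & 0x80 or len(raw) != 2 + length:
        raise ValueError("unsupported long-form or truncated length")
    return raw[2:].decode("ascii")


def decode_scep_attrs(log: str) -> dict:
    """Return {attribute-name: decoded meaning} for every SCEP attr line."""
    decoded = {}
    for line in log.splitlines():
        match = ATTR_RE.search(line.strip())
        if not match:
            continue  # nonce / transaction-id lines span several lines; skip
        name, value = match.group(1), der_printable_string(match.group(2))
        decoded[name] = TABLES[name].get(value, f"unknown({value})")
    return decoded


# Constructed sample: the three attribute lines from the post's debug output.
SAMPLE_LOG = """*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-message-type: 13 01 33
*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-status: 13 01 32
*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-fail-info: 13 01 32
*Mar 8 15:59:24.835: CRYPTO_PKI: signed attr: pki-recipient-nonce:"""

if __name__ == "__main__":
    print(decode_scep_attrs(SAMPLE_LOG))
```

Run on the post's lines it reports a CertRep with pkiStatus FAILURE and failInfo badRequest, which is the same rejection the %PKI-6-CERTREJECT message summarises.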