Certificate enrollment and Cisco VPN Client 5.x

Guys please help, I'm busting my a** on this!

I'm trying to enroll to the Microsoft CA with VPN Client 5.x for the sake of lab preparation and my production environment. When try to enroll, 

I received the error: "Error 42: Unable to create certificate enrollment request."

 

I'm using the url http://x.y.z.w/certsrv/mscep/mscep.dll for enrollment. This URL opens in IE, so the network connectivity is not an issue. All my routers and firewalls enroll successfully, and I'm able to enroll from TestPC using Microsoft way (import CA certificate, and request and import unity certificate via IE request). 

But this is the slow way for the sake of production environment and maybe is not acceptable from the lab perspective, because the certificate is marked as

"CN (Microsoft)" instead of "CN (Cisco)".

 

All I found is VPN Client bug ID CSCed90732 which is about version 4.7 and IOS as CA.

 

10x

Sasa

 

 

Comments

  • After lot of trial and error, I found this is the combination that always works for me.


    Time of PC should be well beyond the IOS CA server's time
    There should always be some thing in the CA domain else request is not sent.

    There should be some field in the subject name, either cn or ou etc fiiled else request is not sent.

    On the IOS CA server, the following is required.

    crypto pki server cisco
     database level complete
     issuer-name cn=r3
     grant auto
     lifetime ca-certificate 365
     database url flash:

     

    BTW, the lab no more supports Microsoft CA server. We will be asked to enroll to IOS CA server which should be configured by us.

    With regards

    Kings

  • 10x Kings!

    I will try this. About discontinuing of MS CA - can you provide some link to this and other news we are not aware of?

     

    Sasa

     

  • Yusuf has confirmed it long time ago. I don't have a link for that. You can search it on https://learningnetwork.cisco.com/

     

    With regards

    Kings

  •  

    Well Kings, I have tried your hints, but no luck.

     

    R1 CA is as follows:

     

     !

    crypto pki server R1_CA

     database level complete

     grant auto

     lifetime ca-certificate 3650

     database url flash:

    !

     

    All routers and firewalls enrolled with no problems, but VPN client still keeps saying:

     

    Error 42: Unable to create certificate enrollment request.

     

    Anybody? It would be kinda lame to loose points and possibly fail the exam for this issue :(

     

    Regs,

    Sasa

     

  • Don't worry, in the lab if you are given this task, then it should work. This is software issue.

    Enable "debug crypto pki" on the IOS CA server and see, if you are getting requests from the client.

    Restart your client PC.

    Don't given up, keep trying. At one point, you will know what should be done to make it work. I spent nearly a day, to make it work.

    With regards

    Kings

  • Kings, thanks for encouragement :)

     

    The client reports:

     


    35     13:39:34.608  06/23/10  Sev=Warning/3 CERT/0xA3600029

    HTTP error.

     

    36     13:39:34.608  06/23/10  Sev=Warning/2 CERT/0xE3600012

    Online certificate server returned the following HTTP error: HTTP error:

    HTTP/1.1 401 Unauthorized

    Date: Wed, 23 Jun 2010 09:42:06 GMT

    Server: cisco-IOS

    Accept-Ranges: none

    WWW-Authenticate: Basic realm="level_15_access"

     

     

    37     13:39:34.608  06/23/10  Sev=Warning/2 CERT/0xE3600008

    Could not retrieve CA certificate to begin enrollment.

     

    And indeed, the router requires level_15 access authentication. Knowing this, it makes sense for request to fail, but why the heck it succedes on other routers and firewalls??

     

    However, it did go smoothly by manual PKCS#10 method, so for testing - I'm OK.

     

    10x

    Sasa

     

  • I'm having the same problem, trying to enroll a certificate for my VPN 5.0 client with my IOS CA Server

    The error messages in the log are the same.

    When using the IOS CA Server and enrolling a certificate with the VPN client, would the field "CA URL" be entered as

    http://150.1.2.2:80 or just http://150.1.2.2 would do ? I've tried both way but keep getting the same error message.

    I'm also filling out the following fields in the VPN Client | Certificate Enrollment dialog box

    Certificate Authority: <NEW> - I'm not able to input an entry in this box, so I take <NEW> as the input

    CA Domain: R2

    Challenge Password: I use the same password like I do when requesting a certificate with any other client routers/firewall

    CN: John Doe

    Domain: R2

    I leave all other fields blank.

    Would like to know from anyone who's got this to work using an IOS CA server, how they made it work and if these fields should be filled in different, especially, the CA URL field.

    Thanks

  • I was *never* successful in doing this. However, you can use manual or "PKCS#10" method, where you save your request in text format from within the VPN client and then you enroll for the certificate on the router console.

     

    I can give you details if you want.

     

    Regs

    Sasa

     

  • Sasa,

    were you filling in the fields in the same way ? How did you enter the CA URL ?

    I havent been able to get PKCS#10 to work either.

    Its one of those things that I hate not having to be able to test a couple of times only to see it come up in the real lab. Know what I mean ?

    Wendal

  • You need to use the following url for IOS CA server:

    http://150.1.2.2 /cgi-bin/pkiclient.exe

     

    With regards

    Kings


  •  

    As for the manual method, there it is:

     

     

    In order to request indentity certificate from your CA, you need to obtain and install

    the CA certificate. Go to your router (hopefully set up as CA) and do:

     

     

    R1(config)#crypto pki export R1_CA pem terminal 

     

    (I asume R1_CA is IOS CA/Trustpoint name on your IOS router)

     

     

    The response should be:

     

     

    % The specified trustpoint is not enrolled (R1_CA).

    % Only export the CA certificate in PEM format.

    % CA certificate:

    -----BEGIN CERTIFICATE-----

    MIIB+TCCAWKgAwIBAgIBATANBgkqhkiG9w0BAQQFADAQMQ4wDAYDVQQDDAVSMV9D

    <some lines omitted>

    DGYNWd2ZD9fRjymWL0MLffgFQfNfMAj9kgploDQ=

    -----END CERTIFICATE-----

     

     

     

    Select everything from -----BEGIN CERTIFICATE----- (included) to

    -----END CERTIFICATE----- (also included). Copy and paste this in

    notepad and save as TXT file (eq. C:CACert.txt). 

     

     

    In your VPN client go to Certificates tab->Import->Browse

    select C:CACert.txt) and click Import.You will see your CA certificate (Store: CA)

     

     

     

    Now generate Identity certificate request

     

    Certificates tab->Enroll->File->File Encoding=Base-64

    Enter filename (eg. C:CertReq.txt)

     

    On the next screen, the only required field is CN. Put your firstname<space>lastname, for instance.

    Click enroll. You will see the certificate request with your CN and type "Store: Request".

     

     

    Open C:CertReq.txt. You will see something like:

     

     

    -----BEGIN NEW CERTIFICATE REQUEST-----

    MIICXTCCAUUCAQAwGDEWMBQGA1UEAxMNU2FzYSBQb3ByYXZhazCCASIwDQYJKoZI

    <some lines omitted>

    NspPels4pIOCoWH6ELOeFdasXoSiceifzPyCJA3evykP

    -----END NEW CERTIFICATE REQUEST-----

     

     

    Select and coppy ALL lines.

     

     

     

    Go to IOS CA router. From enable mode issue:

     

     

    R1#cry pki server R1_CA request pkcs10 terminal base64

     

    (I asume R1_CA is IOS CA/Trustpoint name on your IOS router)

     

     

    Paste your cert request, hit <enter> once and type quit and hit <enter> again.

     

    You will see something like:

     

     

    % Granted certificate:

    MIICZDCCAc2gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAQMQ4wDAYDVQQDDAVSMV9D

    <some lines omitted>

    Fzt2bU/jb0q3YPhHMolEY7qcutpNG6rLwcvQ6MlRMv1CWSQuIBpfyQ==

     

     

     

    Select all lines except "% Granted certificate:", paste it into file and save (eg. GrantedCert.txt).

     

     

     

    Go back in the VPN client, Certificates tab, Select import->Browse and point to your 

    GrantedCert.txt file. Finish the process by clicking "Import", select C:GrantedCert.txt. 

    Now the type will change  from "Store: Request" to "Store: Cisco".

     

     

    This is so slow and painful (God forbid doing this in mass production) but works allways.

     

    Keep in mind of times on your client and your CA server, in this case IOS router. They have

    to be in sync.

     

     

    Regs,

    Sasa

     

     

     

     

     

  •  


     

     

    So finally :)

     

    Thanks Kings! How the hack did you get this URL???

     

     

    I did enroll successfully, thanks to Kings and with a little tweaking on IOS CA.

     

     

    So, if you did "ip domain name foo.bar" you *must* use "foo.bar" in the VPN client in the field

    "CA Domain". In the "CA URL*" field you type Kings' secret recepie "http://10.100.3.1/cgi-bin/pkiclient.exe"

    On the next screen, for CN you may use Firstname<space>Lastname. But before you can do the enrollment you need

    to make one adjustment on IOS CA:

     

     

    !

    crypto pki server R3_CA

     grant auto

     database url flash:

    !

    crypto pki trustpoint R3_CA

     enrollment url http://10.100.3.1:80

     revocation-check crl

     rsakeypair R3_CA

    !

     

     

    In my case, under the definition of trustpoint, there were no line

    "enrollment url http://10.100.3.1:80". So, I did shutdown the

    PKI server, added that line, and with "no shutdown" of the PKI server

    everything was just fine :)

     

    Finally!

     

    Regs,

    Sasa


  • Guys,

    When I enter 'database url flash:' I get "% Server database url was changed. You need to move the
    % existing database to the new location."

     

    What does it mean? Please explain.

     

    -Murad

  • By default the location is nvram, since you have changed the location, the files from the nvram needs to moved to the flash:

    With regards

    Kings

  • Thanks Kings. I was under the impression that flash and nvram refers to same directory.

    -Murad

     

  • If I try to do SCEP enrollment via http, I get an "Error 42: Unable to create certificate enrollment request." From Cisco's site, this is what the error means "Description or Action: 640-911 VCE
    The VPN Client was unable to create an enrollment request to enroll the certificate with a certificate authority." 640-916 VCE

  • If it's not a bug, it means either that the CSR configuration is wrong, or the router does not have TCP port 80 connectivity to the CA.

Sign In or Register to comment.