Task 4.2 Certificate enrollment request rejected

Hi,

Every time R3/R4 try to enroll, the router displays an error message
"%CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority"

Rack1R3(config)#crypto ca enroll IE1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The fully-qualified domain name in the certificate will be: Rack1R3.internetworkexpert.com
% The subject name in the certificate will be: Rack1R3.internetworkexpert.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

Rack1R3(config)# Fingerprint: 3D87C0D8 DECE4F2A 61816066 27C2F6E7

Feb 23 04:16:44.209: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority


From the Windows 2000 Server application event log, it seems to be a timing issue.

"A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495). The request was for OID.1.2.840.113549.1.9.2=Rack1R3.internetworkexpert.com. Certificate Services could not process request 46 due to an error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file"

However, I configured NTP on R3/R4 and NTP status is synchronized.

Rack1R3#sh ntp status
Clock is synchronized, stratum 5, reference is 10.0.0.100
nominal freq is 250.0000 Hz, actual freq is 249.9909 Hz, precision is 2**24
reference time is CB6A1FF8.64724D0C (23:30:48.392 EST Fri Feb 22 2008)
clock offset is 0.3029 msec, root delay is 15.64 msec
root dispersion is 11.90 msec, peer dispersion is 0.05 msec
Rack1R3#
Rack1R3#sh ntp association

address ref clock st when poll reach delay offset disp
*~10.0.0.100 127.127.1.1 4 35 64 377 15.6 0.30 0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Rack1R3#
Rack1R3#sh ntp association detail
10.0.0.100 configured, our_master, sane, valid, stratum 4
ref ID 127.127.1.1, time CB6A1FCB.8C013EC4 (23:30:03.546 EST Fri Feb 22 2008)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 11.57, reach 377, sync dist 19.424
delay 15.64 msec, offset 0.3029 msec, dispersion 0.05
precision 2**20, version 3
org time CB6A1FF8.62854477 (23:30:48.384 EST Fri Feb 22 2008)
rcv time CB6A1FF8.64724D0C (23:30:48.392 EST Fri Feb 22 2008)
xmt time CB6A1FF8.606E1CCB (23:30:48.376 EST Fri Feb 22 2008)
filtdelay = 15.64 15.61 15.61 15.58 15.66 15.56 15.55 15.47
filtoffset = 0.30 0.31 0.26 0.24 0.26 0.20 0.18 0.20
filterror = 0.02 0.99 1.97 2.94 3.92 4.90 5.87 6.85

Any suggestions?

Thanks,

Tony

Comments

  • It is a time issue like you pointed out. Try adjusting either the local time on the router or setting the NTP servers back to anything behind the server's clock setting and give it another go.

    Regards,
    Nick
  • I got exactly the same problem and wasted several hours trying to debug it. Turned out that when I installed SCEP on the CA I left the security option for a password checked. This causes the CA to reject the IOS router request for enrollment with exactly the same result as you have (%CRYPTO-6-CERTREJECT: etc.). This, as suggested, makes you look at time and certificate issues.

    Not sure if this helps because of your event log - but it cost me several hours!!

    Regards
    Graham
  • Thanks for all the replies.

    I reinstalled the certificate authority and SCEP add-on
    on the Windows 2000 Server.

    Now I am running into a different problem on the router.

    Every time I try to enroll, the router generates the following
    error messages.

    "
    Feb 26 22:10:12.974: The PKCS #7 message contains 3 certificates.


    Feb 26 22:10:12.982: CRYPTO_PKI: transaction PKCSReq completed
    Feb 26 22:10:12.982: CRYPTO_PKI: status:
    Feb 26 22:10:12.982: CRYPTO_PKI: status = 0: failed to select RA encrypt cert
    Feb 26 22:10:12.982: CRYPTO_PKI: status = 65535: failed to set up peer auth context
    Feb 26 22:10:12.982: CRYPTO_PKI: status = 65535: fail to send out pkcsreq)#
    Rack1R3(config)#"

    I was able to get this to work 1.5 years ago when I worked
    on version 2 of the lab. Looks like I am going backward -:(

    Does anyone have step-by-step instructions on how to set up
    the certificate authority and SCEP add-on? Maybe I installed
    them wrong on the Windows 2000 Server?

    When I connected to the server at
    "http://10.0.0.100/certsrv/mscep/mscep.dll", everything looks fine.

    Server displays:

    "
    Simple Certificate Enrollment Protocol (SCEP) Add-On for Certificate Services

    Welcome

    The CA's certificate fingerprint is FD551B8F 992FD448 3A1F2B5E 4FCABC78.

    Your enrollment challenge password is 2DD65BCE0AF7821F and will expire within 60 minutes. This password can only be used once.

    Each enrollment requires a new challenge password. You can refresh this web page to obtain a new challenge password.

    For more information please see the online documentation mscephlp.htm. "

    Thanks for all your help.

    Tony

    Rack1R3#debug crypto pki messages
    Crypto PKI Msg debugging is on
    Rack1R3#debug crypto pki tr
    Rack1R3#debug crypto pki transactions
    Crypto PKI Trans debugging is on
    Rack1R3#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Rack1R3(config)#crypto ca enroll IE1
    %
    % Start certificate enrollment ..
    % Create a challenge password. You will need to verbally provide this
    password to the CA Administrator in order to revoke your certificate.
    For security reasons your password will not be saved in the configuration.
    Please make a note of it.

    Password:
    Re-enter password:

    % The fully-qualified domain name in the certificate will be: Rack1R3.internetworkexpert.com
    % The subject name in the certificate will be: Rack1R3.internetworkexpert.com
    % Include the router serial number in the subject name? [yes/no]: n
    % Include an IP address in the subject name? [no]: n
    Request certificate from CA? [yes/no]: y
    % Certificate request sent to Certificate Authority
    % The certificate request fingerprint will be displayed.
    % The 'show crypto ca certificate' command will also show the fingerprint.

    Rack1R3(config)#
    Feb 26 22:10:11.890: CRYPTO_PKI: Sending CA Certificate Request:
    GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=IE1 HTTP/1.0


    Feb 26 22:10:11.890: CRYPTO_PKI: can not resolve server name/IP address
    Feb 26 22:10:11.890: CRYPTO_PKI: Using unresolved IP Address 10.0.0.100
    Feb 26 22:10:11.906: CRYPTO_PKI: http connection opened
    Feb 26 22:10:12.646: CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Tue, 26 Feb 2008 22:10:12 GMT
    Content-Length: 3228
    Content-Type: application/x-x509-ca-ra-cert

    Content-Type indicates we have received CA and RA certificates.

    Feb 26 22:10:12.646: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=IE1)

    Feb 26 22:10:12.646: CRYPTO_PKI:CA and RA certs (cert data):

    30 82 0C 98 06 09 2A 86 48 86 F7 0D 01 07 02 A0
    82 0C 89 30 82 0C 85 02 01 01 31 00 30 0B 06 09
    2A 86 48 86 F7 0D 01 07 01 A0 82 0C 6D 30 82 04
    AF 30 82 04 59 A0 03 02 01 02 02 0A 61 2C 5
    Rack1R3(config1 75

    .....


    Feb 26 22:10:12.974: The PKCS #7 message contains 3 certificates.


    Feb 26 22:10:12.982: CRYPTO_PKI: transaction PKCSReq completed
    Feb 26 22:10:12.982: CRYPTO_PKI: status:
    Feb 26 22:10:12.982: CRYPTO_PKI: status = 0: failed to select RA encrypt cert
    Feb 26 22:10:12.982: CRYPTO_PKI: status = 65535: failed to set up peer auth context
    Feb 26 22:10:12.982: CRYPTO_PKI: status = 65535: fail to send out pkcsreq)#
    Rack1R3(config)#
  • Looks like you still have the challenge password option enabled. Not sure if it's the same on 2000 as I am using 2003 but there is a section in the SCEP install where it describes the password challenge security feature. It is checked by default so uncheck it.

    When I connect to my server now I get the welcome banner, thumbprint etc but nothing about the challenge password.

    Also, if you remove the trustpoint from the router, revoke the certs on the CA before reconfiguring the router and doing auth/enroll. Otherwise you get problems with old certs.

    hope this helps

    Regards
    Graham
  • Thanks GrahamMorris for all your replies.

    Actually, enabling the SCEP challenge password option was not the issue.

    I found out I had an expired server certificate in my IIS default web site. (Right-click on Default Web Site in IIS, then click Properties, Directory Security, Server Certificate.)

    After fixing that problem, I reinstalled the certificate authority and SCEP add-on with all default options. In previous attempts I had been using the Advanced Enrollment Options in the SCEP add-on to set the key lengths for the RA signature and encryption keys to 512 instead of the default 1024 bits.

    Those are the two changes I made. After that, I was able to get CA enrollment working with the SCEP challenge password option enabled.

    I wasted three days on this.

    Regards,

    Tony

    Rack1R3(config)#crypto ca enroll IE1
    %
    % Start certificate enrollment ..
    % Create a challenge password. You will need to verbally provide this
    password to the CA Administrator in order to revoke your certificate.
    For security reasons your password will not be saved in the configuration.
    Please make a note of it.

    Password:
    Re-enter password:

    % The fully-qualified domain name in the certificate will be: Rack1R3.internetworkexpert.com
    % The subject name in the certificate will be: Rack1R3.internetworkexpert.com
    % Include the router serial number in the subject name? [yes/no]: n
    % Include an IP address in the subject name? [no]: n
    Request certificate from CA? [yes/no]: y
    % Certificate request sent to Certificate Authority
    % The certificate request fingerprint will be displayed.
    % The 'show crypto ca certificate' command will also show the fingerprint.

    Rack1R3(config)# Fingerprint: 5229C046 CC351106 5F073FB0 7F42C376

    Feb 27 05:08:49.694: CRYPTO_PKI: status = 102: certificate request pending
    Rack1R3(config)#
    Feb 27 05:09:12.307: CRYPTO_PKI: status = 102: certificate request pending
    Rack1R3(config)#end
    Feb 27 05:10:15.849: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority
    Rack1R3#sh crypto ca certificates
    Certificate
    Status: Available
    Certificate Serial Number: 61159A55000000000004
    Certificate Usage: General Purpose
    Issuer:
    CN = IESERVER1
    OU = Internetwork ExpertC
    O = CCIE Lab
    L = Reno
    ST = NV
    C = US
    EA = [email protected]
    Subject:
    Name: Rack1R3.internetworkexpert.com
    OID.1.2.840.113549.1.9.2 = Rack1R3.internetworkexpert.com
    CRL Distribution Point:
    http://ieserver1.internetworkexpert.com/CertEnroll/IESERVER1.crl
    Validity Date:
    start date: 23:59:21 EST Feb 26 2008
    end date: 00:09:21 EST Feb 27 2009
    renew date: 19:00:00 EST Dec 31 1969
    Associated Trustpoints: IE1

    CA Certificate
    Status: Available
    Certificate Serial Number: 290E7CB38A74D2A3475439BC4FEEE7F9
    Certificate Usage: Signature
    Issuer:
    CN = IESERVER1
    OU = Internetwork ExpertC
    O = CCIE Lab
    L = Reno
    ST = NV
    C = US
    EA = [email protected]
    Subject:
    CN = IESERVER1
    OU = Internetwork ExpertC
    O = CCIE Lab
    L = Reno
    ST = NV
    C = US
    EA = [email protected]
    CRL Distribution Point:
    http://ieserver1.internetworkexpert.com/CertEnroll/IESERVER1.crl
    Validity Date:
    start date: 23:54:02 EST Feb 26 2008
    end date: 00:03:16 EST Feb 27 2013
    Associated Trustpoints: IE1
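    Both the 0x800b0101 "not within its validity period" error in the original post and the Validity Date blocks in the output above come down to whether the clock falls inside each certificate's start/end window. The following script is an added example, not from the thread: it parses the Validity Date blocks of `show crypto ca certificates` output (the sample is constructed from the dates shown above), treats the epoch-zero "renew date: 19:00:00 EST Dec 31 1969" as unset, and reports which certificates are outside their window at a given router clock.

```python
from datetime import datetime, timedelta, timezone

# UTC offsets for the zone names IOS prints; the thread's output uses EST.
ZONES = {"UTC": 0, "EST": -5, "EDT": -4}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample, trimmed from the 'show crypto ca certificates' output in the thread.
SAMPLE = """\
Certificate
Certificate Serial Number: 61159A55000000000004
Validity Date:
start date: 23:59:21 EST Feb 26 2008
end date: 00:09:21 EST Feb 27 2009
renew date: 19:00:00 EST Dec 31 1969
CA Certificate
Certificate Serial Number: 290E7CB38A74D2A3475439BC4FEEE7F9
Validity Date:
start date: 23:54:02 EST Feb 26 2008
end date: 00:03:16 EST Feb 27 2013
"""

def parse_ios_time(text):
    """Parse an IOS timestamp such as '23:59:21 EST Feb 26 2008' into an aware datetime."""
    hms, zone, mon, day, year = text.split()
    naive = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=ZONES[zone])))

def parse_certs(output):
    """Split 'show crypto ca certificates' output into dicts with kind, serial and dates."""
    certs, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith("Certificate") and ":" not in line:  # "Certificate", "CA Certificate", ...
            cur = {"kind": line, "renew": None}
            certs.append(cur)
        elif cur and line.startswith("Certificate Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif cur and line.startswith(("start date:", "end date:", "renew date:")):
            key, value = line.split(" date:", 1)
            when = parse_ios_time(value.strip())
            # IOS prints the Unix epoch (19:00:00 EST Dec 31 1969) when no renew time is set.
            cur[key] = None if when == EPOCH else when
    return certs

def check_validity(certs, now):
    """Return (kind, serial, problem) for every certificate that is not valid at `now`."""
    return [(c["kind"], c["serial"], "not yet valid" if now < c["start"] else "expired")
            for c in certs if not c["start"] <= now <= c["end"]]
```

    Run `check_validity(parse_certs(SAMPLE), parse_ios_time("05:10:15 EST Feb 27 2008"))` to reproduce the successful enrollment above; feeding it the router's earlier clock shows the certificates not yet valid.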
  • No problem Tony - sounds good, I will try your configuration to get challenge password working after my lab date. Just in case I break it again and waste even more time :-))

    Graham