Author Topic: Cisco and Microsoft PKI  (Read 18001 times)

Exonix

  • Guest
Cisco and Microsoft PKI
« on: June 28, 2018, 07:00:05 AM »
Hi,
I'm trying to implement an S2S VPN IKEv2 between Cisco ASA 5510 and ISR 886VA.
This VPN will use the certificates which are issued by Microsoft CA 2012 R2.
I found a very [link] how to configure NDES enrollment with Microsoft CA 2008 R2, but it seems it doesn't work with 2012 R2. I have stopped at the step "checking the certificate" (5:30). I don't receive the requested certificate. Moreover, I don't see any requests on the Microsoft CA, although I got the root certificate.
Could you please help me?
Thank you in advance!

Code:
#crypto  pki enroll DC1-Domain-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: cn=886VA.domain.domain.local,ou=IT,O=domain,ST=city,C=DE
% The subject name in the certificate will include: 886VA.domain.domain.local
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose DC1-domain-CA' commandwill show the fingerprint.

Code:
do sh cry pki cert
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 47639D3E1676D78342B92E1556CD708F
  Certificate Usage: Signature
  Issuer:
    cn=dc1.DOMAIN.DOMAIN.LOCAL
    dc=DOMAIN
    dc=DOMAIN
    dc=LOCAL
  Subject:
    cn=dc1.DOMAIN.DOMAIN.LOCAL
    dc=DOMAIN
    dc=DOMAIN
    dc=LOCAL
  Validity Date:
    start date: 18:21:20 UTC Dec 27 2015
    end   date: 18:31:20 UTC Dec 27 2020
  Associated Trustpoints: DC1-DOMAIN-CA

Code:
do sh ver
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 04-Aug-15 05:50 by prod_rel_team

ROM: System Bootstrap, Version 15.4(1r)T1, RELEASE SOFTWARE (fc1)

MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Cisco and Microsoft PKI
« Reply #1 on: July 16, 2018, 06:16:21 PM »
If you check the CA, do you see any pending certificate? Can you even request a certificate manually via the /certsrv page? The two most common issues with SCEP are usually not having automatic approval enabled and not having the security challenge disabled on the CA, both of which I believe are controlled via the registry.
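
A router-side check to set beside the CA's pending-request list, added here as an example (not code from the thread): it parses `show crypto pki certificates` output and reports, per trustpoint, the state of the CA certificate and of the identity certificate. The function names are hypothetical, and the `Status: Pending` block in the sample is constructed, assuming that layout for an outstanding request.

```python
import re
from datetime import datetime

# CA block: trimmed copy of the output in the question. The "Certificate"
# block is constructed for this example (assumed layout of a pending request).
SAMPLE = """\
CA Certificate
  Status: Available
  Validity Date:
    start date: 18:21:20 UTC Dec 27 2015
    end   date: 18:31:20 UTC Dec 27 2020
  Associated Trustpoints: DC1-DOMAIN-CA

Certificate
  Subject:
    Name: 886VA.domain.domain.local
  Status: Pending
  Associated Trustpoints: DC1-DOMAIN-CA
"""

FIELD = re.compile(r"\s+(Status|Associated Trustpoints?|end\s+date):\s*(.+)")

def parse_blocks(text):
    """One dict per certificate block; a block starts at an unindented line."""
    blocks = []
    for line in text.splitlines():
        if line and not line[0].isspace():
            blocks.append({"kind": line.strip()})
        elif blocks and (m := FIELD.match(line)):
            key = m.group(1).split()[0].lower()   # status / associated / end
            blocks[-1][key] = m.group(2).strip()
    return blocks

def enrollment_state(text, trustpoint, now):
    """Return (ca_state, identity_state) for one trustpoint at time `now`."""
    ca = ident = "missing"
    for b in parse_blocks(text):
        # Case-insensitive name match is a choice made for this example.
        if b.get("associated", "").lower() != trustpoint.lower():
            continue
        status = b.get("status", "unknown").lower()
        if b["kind"] == "CA Certificate":
            # Drop the zone token ("UTC") before parsing; offsets are ignored.
            stamp = re.sub(r"^(\S+)\s+\S+\s+", r"\1 ", b.get("end", ""))
            end = datetime.strptime(stamp, "%H:%M:%S %b %d %Y") if stamp else None
            ca = "expired" if end and end < now else status
        elif b["kind"] == "Certificate":
            ident = status
    return ca, ident
```

A result of `("available", "missing")`, which is what the output posted in the question yields, means the router holds the CA certificate but has no identity certificate or pending request recorded for that trustpoint.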

 
