Lab Minutes Forum

Technical Discussion => Security => Topic started by: ToX1c on October 03, 2013, 02:53:58 AM

Title: AutoEnrollment on Cisco IOS
Post by: ToX1c on October 03, 2013, 02:53:58 AM
Hello!
I have 1 RootCA (Win 2008 R2 SP1 Standalone Root) and 2 Cisco routers (3825 15.0(1)M6 and 2911 15.3T). I can enroll a certificate for the first time with a password from the RootCA (this password never expired).
On the Cisco routers, in the trustpoint configuration, I enter the command auto-enroll 15 regenerate, but auto-enrollment is not working.
If I try to manually re-enroll the certificate (crypto pki enroll RootCA), I see this message in the debug output:

CRYPTO_PKI: Begin shadow operation - skip current enrollment
PKI: Shadow state for MCSM1ROOT now NOSTATE
CRYPTO_PKI: Capabilites already obtained 80000004
PKI: Shadow state for MCSM1ROOT now NOT_SUPPORTED
CRYPTO_PKI: Setting renewal timers

Does anybody know how to resolve this problem?

Title: Re: AutoEnrollment on Cisco IOS
Post by: MC on October 03, 2013, 11:43:58 PM
If you can enroll the first time, I assume the SCEP is working. One thing you might try is to disable the SCEP password completely on the Windows server registry.