Lab Minutes Forum
Technical Discussion => Security => Topic started by: Exonix on June 28, 2018, 07:00:05 AM
-
Hi,
I'm trying to implement an IKEv2 S2S VPN between a Cisco ASA 5510 and an ISR 886VA.
This VPN will use certificates issued by a Microsoft CA 2012 R2.
I found a very good video (https://www.youtube.com/watch?v=yJUzHh_4wtA) on how to configure NDES enrollment with Microsoft CA 2008 R2, but it seems it doesn't work with 2012 R2. I am stuck at the step "checking the certificate" (5:30). I don't receive the requested certificate. Moreover, I don't see any requests on the Microsoft CA, although I did get the root certificate.
Could you please help me?
Thank you in advance!
#crypto pki enroll DC1-Domain-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: cn=886VA.domain.domain.local,ou=IT,O=domain,ST=city,C=DE
% The subject name in the certificate will include: 886VA.domain.domain.local
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose DC1-domain-CA' commandwill show the fingerprint.
do sh cry pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 47639D3E1676D78342B92E1556CD708F
Certificate Usage: Signature
Issuer:
cn=dc1.DOMAIN.DOMAIN.LOCAL
dc=DOMAIN
dc=DOMAIN
dc=LOCAL
Subject:
cn=dc1.DOMAIN.DOMAIN.LOCAL
dc=DOMAIN
dc=DOMAIN
dc=LOCAL
Validity Date:
start date: 18:21:20 UTC Dec 27 2015
end date: 18:31:20 UTC Dec 27 2020
Associated Trustpoints: DC1-DOMAIN-CA
do sh ver
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 04-Aug-15 05:50 by prod_rel_team
ROM: System Bootstrap, Version 15.4(1r)T1, RELEASE SOFTWARE (fc1)
-
If you check the CA, do you see any pending certificates? Can you even request a certificate manually via the /certsrv page? The two most common issues with SCEP are usually not having automatic approval enabled and not having the security challenge disabled on the CA, both of which I believe are controlled via the registry.
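An added PowerShell check for the two settings the reply points to; this is not code from either poster. It assumes the documented NDES key HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword, the CA policy module path under CertSvc\Configuration, and certutil's Disposition=9 filter for pending requests; run it as an administrator on the NDES server and on the CA.

```powershell
# Added diagnostic for SCEP/NDES enrollment stalls: reports whether NDES
# enforces a challenge password, whether the CA auto-issues or pends requests,
# and lists any requests currently waiting for approval in the CA database.

function Get-NdesChallengeSetting {
    # EnforcePassword = 1: every SCEP request must carry the one-time
    # challenge password from /certsrv/mscep_admin, which is what the
    # router's "Create a challenge password" prompt has to match.
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword'
    if (-not (Test-Path $key)) { return $null }   # NDES role not on this host
    return (Get-ItemProperty -Path $key).EnforcePassword
}

function Get-CaRequestDisposition {
    # Default policy module: RequestDisposition 1 = issue immediately,
    # 0x101 (257) = PENDINGFIRST, i.e. every request waits for an admin,
    # so the SCEP client polls but never gets its certificate.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { return $null }   # CA role not on this host
    $caName = (Get-ItemProperty -Path $cfg).Active   # name of the active CA
    $pol = Join-Path $cfg "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    return (Get-ItemProperty -Path $pol).RequestDisposition
}

function Get-PendingCaRequests {
    # Disposition 9 in the CA database = request pending approval.
    certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,SubmittedWhen"
}

$enforce = Get-NdesChallengeSetting
$disp    = Get-CaRequestDisposition

if ($null -eq $enforce) { "NDES key not found; run this part on the NDES server." }
elseif ($enforce -eq 1) { "NDES enforces the challenge password: the router must use the one-time password from mscep_admin." }
else                    { "NDES challenge password disabled: requests are accepted without a password." }

if ($null -eq $disp) { "CertSvc not found; run this part on the CA itself." }
elseif ($disp -band 0x100) { "CA pends every request (RequestDisposition=0x{0:X}); SCEP will stall until an admin issues it." -f $disp }
else                       { "CA auto-issues (RequestDisposition=$disp)." }

Get-PendingCaRequests
```

If the pending list is empty and the CA auto-issues, the request never reached the CA, so the NDES IIS logs and the template assigned to NDES are the next things to look at.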