Topic: Certificate request is rejected (Windows Server 2008 R2)
Ghostface
Newbie
Member # 32455
posted August 26, 2012 04:19 AM
Dear All,
I am setting up a CA in my lab and I get the following:
CCIE-SEC-LAB-RT1#sh cry ca certificates CCIE-SEC-CA
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 538F261E7E6140B843CB20BA939B3E00
  Certificate Usage: Signature
  Issuer:
    cn=CCIE-SEC-CA
  Subject:
    cn=CCIE-SEC-CA
  Validity Date:
    start date: 22:42:54 UTC Aug 25 2012
    end   date: 22:52:52 UTC Aug 25 2017
  Associated Trustpoints: CCIE-SEC-CA
But when I try to enroll I get the following:
CCIE-SEC-LAB-RT1(config)#cryp pki enro CCIE-SEC-CA
%
% Start certificate enrollment ..
% The subject name in the certificate will include: CCIE-SEC-LAB-RT1.CCIE-SEC.GHOST
% The serial number in the certificate will be: FCZ120570PD
% The IP address in the certificate is 10.100.200.3
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CCIE-SEC-CA' commandwill show the fingerprint.

CRYPTO_PKI: Certificate Request Fingerprint MD5: 156A0E5C 57F86393 D8C7912B 862EDC67
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 02B02DB0 13BFDBFA E0069327 0C0E10DE 796F1ED6
%PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
Need help solving this issue.
Thanks.
Posts: 4 | From: Freetown | Registered: Jun 2012
cciesec2011
Member
Member # 29815
posted August 27, 2012 10:59 AM
Make sure the clock is synced on both the CA server and the router.
Posts: 18 | From: Rockville | Registered: Jun 2010
Ghostface
Newbie
Member # 32455
posted August 27, 2012 03:49 PM
Thanks for the reply.
I have configured the router as the NTP master and synced the server to the router, because when I tried it the other way round the router could not sync to the server.
NTP is fine now, but I still have the same error.
Any update on what should be done now?
Thanks
cciesec2011
Member
Member # 29815
posted August 28, 2012 03:06 AM
Working for me. See below:
c3845#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c3845(config)#crypto ca trustpoint labtest
c3845(ca-trustpoint)# enrollment retry count 5
c3845(ca-trustpoint)# enrollment retry period 3
c3845(ca-trustpoint)#enrollment url http://192.158.1.1:80/certsrv/mscep/mscep.dll
c3845(ca-trustpoint)#crl optional
c3845(ca-trustpoint)#exit
c3845(config)#crypto ca authenticate labtest
Certificate has the following attributes:
Fingerprint MD5: 49BEB42A F235EEF7 C569D032 F18F7A9F
Fingerprint SHA1: D1A17F74 EFC628E9 D0A0748B 5909512B 694F430B

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c3845(config)#crypto ca enroll labtest
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: c3845.exchange2010.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose labtest' commandwill show the fingerprint.

c3845(config)#
*Aug 28 10:44:44.133: CRYPTO_PKI: Certificate Request Fingerprint MD5: 95CD8C9D 46FA3E52 0680689F 2125D32E
*Aug 28 10:44:44.133: CRYPTO_PKI: Certificate Request Fingerprint SHA1: BE5359F7 8A0AFE72 DCA8A9A0 25D433AD D795CFD4
c3845(config)#
*Aug 28 10:44:46.021: %PKI-6-CERTRET: Certificate received from Certificate Authority
c3845(config)#
cciesec2011
Member
Member # 29815
posted August 28, 2012 05:52 AM
I also have a follow-up question.
Why are you using Windows 2008 R2? Why not Windows 2003?
It is much easier with Windows 2003. I also had issues with Windows 2008 R2. It took me several days to get it working. I can't remember what I did to fix it, but it was on the Windows side.
No such issue on Windows 2003. It works like a charm every time.
Ghostface
Newbie
Member # 32455
posted August 28, 2012 05:59 AM
I will try to set up a Win2003 server and do my CA on it so I can move on.
Thanks a lot.
cciesec2011
Member
Member # 29815
posted November 09, 2012 10:59 AM
Found the issue.
If you're going to use a Win2k8 CA server, you need to make sure that you run "crypto ca key generate rsa modulus 2048". You MUST use 2048 bits because Win2k8 and Win2k8R2 use AES-256 SHA with 2048 bits enhanced security.
Easy right?
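The two conditions raised in this thread (router clock synced with the CA, and an RSA key of at least 2048 bits before enrolling) can both be checked from the router's own show output before sending a request. The script below is an added example written for this page; it is not code from the thread or from Cisco. It parses the 'Validity Date' block of `show crypto pki certificates` and the `Key Data` hex that `show crypto key mypubkey rsa` prints (which is the DER SubjectPublicKeyInfo of the router key), decodes the DER far enough to read the modulus length, and compares the router clock against the CA certificate's validity window. The validity dates are taken from the first post; the router clock values and the two RSA keys are constructed for the example (the keys are fake moduli of the right size, not real key pairs), and the function and variable names are the author's own.

```python
import re
from datetime import datetime

IOS_TIME_FMT = "%H:%M:%S UTC %b %d %Y"   # e.g. "22:42:54 UTC Aug 25 2012"
RSA_OID_VALUE = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def parse_ios_time(text):
    """Parse a UTC timestamp in the form IOS prints for 'show clock' and certificate dates."""
    return datetime.strptime(text.strip(), IOS_TIME_FMT)


def cert_validity(show_cert_text):
    """Return (notBefore, notAfter) from the 'Validity Date:' block of 'show crypto pki certificates'."""
    ts = r"(\d\d:\d\d:\d\d UTC [A-Za-z]{3} \d{1,2} \d{4})"
    start = re.search(r"start date:\s*" + ts, show_cert_text).group(1)
    end = re.search(r"end\s+date:\s*" + ts, show_cert_text).group(1)
    return parse_ios_time(start), parse_ios_time(end)


# Minimal DER helpers: just enough to build and read an RSA SubjectPublicKeyInfo.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:           # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def build_rsa_spki(n, e):
    """Build a DER SubjectPublicKeyInfo for RSA; used here only to fabricate sample 'Key Data'."""
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID_VALUE) + b"\x05\x00")
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:         # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(key_data_hex):
    """Modulus size of the key whose SubjectPublicKeyInfo IOS prints under 'Key Data:'."""
    spki = bytes.fromhex(re.sub(r"\s+", "", key_data_hex))
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("Key Data is not a DER SEQUENCE")
    _, alg, pos = read_tlv(body)
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06 or oid != RSA_OID_VALUE:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(body, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = read_tlv(bitstr[1:])
    _, n_bytes, _ = read_tlv(rsa_pub)       # first INTEGER of RSAPublicKey is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()


def ios_key_data(der):
    """Format DER the way IOS prints it: upper-case hex in 8-character groups."""
    h = der.hex().upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def enrollment_prechecks(show_cert_text, router_clock_text, key_data_hex, min_bits=2048):
    """Return a list of findings; an empty list means both checks from the thread pass."""
    findings = []
    start, end = cert_validity(show_cert_text)
    now = parse_ios_time(router_clock_text)
    if now < start:
        findings.append(f"router clock {now} is before CA cert notBefore {start}: clock not synced")
    elif now > end:
        findings.append(f"router clock {now} is after CA cert notAfter {end}: CA cert expired")
    bits = rsa_modulus_bits(key_data_hex)
    if bits < min_bits:
        findings.append(f"RSA modulus is {bits} bits, CA requires at least {min_bits}")
    return findings


# Constructed sample input: dates copied from the thread; the keys are fake moduli, not real key pairs.
SAMPLE_SHOW_CERT = """CA Certificate
  Status: Available
  Validity Date:
    start date: 22:42:54 UTC Aug 25 2012
    end   date: 22:52:52 UTC Aug 25 2017
"""
SAMPLE_KEY_512 = ios_key_data(build_rsa_spki((1 << 511) | 0x10001, 65537))
SAMPLE_KEY_2048 = ios_key_data(build_rsa_spki((1 << 2047) | 0x10001, 65537))

if __name__ == "__main__":
    for clock, key in (("22:30:00 UTC Aug 25 2012", SAMPLE_KEY_512),
                       ("09:15:00 UTC Aug 27 2012", SAMPLE_KEY_2048)):
        print(clock, "->", enrollment_prechecks(SAMPLE_SHOW_CERT, clock, key) or ["ok"])
```

The first sample run reproduces the situation in this thread: a router clock that sits before the CA certificate's notBefore (the clock was set after the CA was built) and a short key, so both findings fire; the second run, with a synced clock and a 2048-bit key, returns nothing. On IOS the 2048-bit key is generated with `crypto key generate rsa modulus 2048` before the trustpoint is enrolled. On the Windows CA itself the authoritative rejection reason is in the failed-request log, e.g. `certutil -view -restrict "Disposition=31" -out "RequestID,Request.SubmittedWhen,Request.DispositionMessage"`, which is where a key-size or template problem shows up in plain text rather than as a bare %PKI-6-CERTREJECT on the router.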
Ghostface
Newbie
Member # 32455
posted November 09, 2012 01:42 PM
Thanks very much, I will check it out and update you ASAP.