Enrolling Cisco ASA for certificates via SCEP


1. Install CA cert

ciscoasa(config)# crypto ca trustpoint CA
ciscoasa(config-ca-trustpoint)# revocation-check crl
ciscoasa(config-ca-trustpoint)# enrollment url http://10.0.0.6/certsrv/mscep/mscep.dll
ciscoasa(config)# crypto ca authenticate CA 

Debug output:


CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Length: 4170
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/8.0
Date: Mon, 29 Apr 2013 11:13:14 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=CA)

INFO: Certificate has the following attributes:

Fingerprint:     537adc87 22cc6e2b 07fdf2e0 18d8ba8b
The PKCS #7 message contains 4 certificates.

CRYPTO_PKI:crypto_pkcs7_extract_ca_cert found cert
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: CA certificate received.
CRYPTO_PKI: crypto_pki_authenticate_tp_cert()
CRYPTO_PKI: trustpoint CA authentication status = 0
Trustpoint 'CA' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.
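The "Fingerprint:" line in the debug output above is the value an operator should compare, before accepting the trustpoint, against a fingerprint obtained out of band from the CA administrator; otherwise "crypto ca authenticate" will happily pin whatever the host answering on the enrollment URL sends back. As an added example (not from the original post), this Python script pulls the certificates out of a saved GetCACert reply (the application/x-x509-ca-ra-cert PKCS#7 shown above) and prints each one in the ASA's four-by-eight hex format, plus a helper that compares a pasted fingerprint ignoring spacing, colons and case. The sample reply is constructed inline from stand-in DER SEQUENCEs rather than real X.509 certificates, and the assumption that the 16-byte value the ASA prints is the MD5 digest of the certificate's DER encoding is taken from its length.

```python
import hashlib

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der(tag, body):
    """Encode one DER TLV (short form, or long form above 127 bytes)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_iter(buf):
    """Yield (tag, value, raw_tlv) for each TLV inside a SEQUENCE/SET body."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        k = 0 if first < 0x80 else first & 0x7F
        n = first if k == 0 else int.from_bytes(buf[i + 2:i + 2 + k], "big")
        yield tag, buf[i + 2 + k:i + 2 + k + n], buf[i:i + 2 + k + n]
        i += 2 + k + n

def certs_from_ca_ra_reply(p7):
    """Return the DER of every certificate in a certs-only PKCS#7 SignedData."""
    oid, explicit0 = list(der_iter(next(der_iter(p7))[1]))[:2]  # ContentInfo
    if oid[1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData reply")
    signed_data = next(der_iter(explicit0[1]))[1]       # [0] EXPLICIT SignedData
    # fields: version, digestAlgorithms, contentInfo, certificates [0] IMPLICIT
    cert_sets = [v for t, v, _ in der_iter(signed_data) if t == 0xA0]
    return [raw for _, _, raw in der_iter(cert_sets[0])] if cert_sets else []

def asa_fingerprint(cert_der):
    """MD5 of the DER cert, spaced the way 'crypto ca authenticate' prints it (assumed)."""
    h = hashlib.md5(cert_der).hexdigest()
    return " ".join(h[i:i + 8] for i in range(0, 32, 8))

def fingerprint_matches(expected, cert_der):
    """Compare an out-of-band fingerprint (any spacing/case/colons) to the cert."""
    norm = lambda s: "".join(s.split()).replace(":", "").lower()
    return norm(expected) == norm(asa_fingerprint(cert_der))

# Constructed sample reply: two stand-in "certificates" (plain DER SEQUENCEs,
# not real X.509) wrapped the way NDES wraps the CA and RA certificates.
CA_STUB = der(0x30, der(0x13, b"stand-in CA cert"))
RA_STUB = der(0x30, der(0x13, b"stand-in RA cert"))
SAMPLE_REPLY = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30,
    der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
    + der(0xA0, CA_STUB + RA_STUB))))

for cert in certs_from_ca_ra_reply(SAMPLE_REPLY):
    print("Fingerprint:    ", asa_fingerprint(cert))
```

With a real reply, save the body of the GetCACert response to a file and pass its bytes to certs_from_ca_ra_reply; the CA certificate is the one whose fingerprint matches the value the ASA printed.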


2. Request and install identity certificate:

Depending on the SCEP server configuration, a challenge password may be required to obtain a certificate. In Microsoft's SCEP implementation, NDES, we browse to
http://scepserver/CertSrv/mscep_admin to obtain the password.


ASA config:


ciscoasa(config)# crypto ca trustpoint CA
ciscoasa(config-ca-trustpoint)# keypair testKey
ciscoasa(config-ca-trustpoint)# password C972703054ED1301
ciscoasa(config)# crypto ca enroll CA


% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: ciscoasa.kp.local
% Include the device serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 123456789AB
Request certificate from CA? [yes/no]: yes


Debug output:


CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
The certificate has been granted by CA!


1 comment:

  1. ASACA(config)# crypto ca authenticate Main

    ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0