I'm trying to get a Cisco IOS router to enroll with a Windows 2008 R2-based CA. I'm partially successful.
What I'd like to do:

1. Router enrolls via SCEP, no challenge password required.
2. Certificate goes into "pending" status and is approved by a certificate manager.
3. Router can automatically renew this certificate via SCEP. Renewal does not require certificate manager approval.

I've read the Cisco docs, which are vague about details. I have #1 and #2 working, above. My problem is the renewal requests go into "pending" status. In my certificate template on the 2008 server side, I have the checkbox "Require Valid Existing Certificate" for reenrollment. (see attachment)

Has anyone gotten this working? Is it possible? I've set the HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\DisableRenewalSubjectNameMatch to 1 on the CA as indicated in http://support.microsoft.com/kb/959193/en-us to no avail.

Router config:

crypto pki trustpoint TEST-SERVER
 enrollment retry count 100
 enrollment retry period 2
 enrollment mode ra
 enrollment url http://x.x.x.x:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 vrf GRE-RA
 revocation-check crl
 rsakeypair TEST-SERVER 1024 1024
 auto-enroll 70 regenerate
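A small check script for the CA/NDES side of the problem described above, added here as an example (not from the original post or from Cisco/Microsoft): it reads the MSCEP registry value the post mentions, shows which templates NDES hands out, and lists the CA requests still sitting in pending disposition. It assumes it is run elevated on a host where both the NDES role and the CA live; the template subkey names and the certutil columns are standard AD CS names, not values from the post.

```powershell
# Added example: verify the NDES renewal setting from KB 959193 and
# list requests the CA is still holding for manager approval.
# Assumption: run as an administrator on the server hosting NDES and the CA.

$mscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# 1. Confirm the override the post set is really present and equal to 1.
$props = Get-ItemProperty -Path $mscepKey -ErrorAction Stop
$flag  = $props.DisableRenewalSubjectNameMatch
if ($flag -eq 1) {
    Write-Host "DisableRenewalSubjectNameMatch = 1 (as per KB 959193)"
} else {
    Write-Warning "DisableRenewalSubjectNameMatch is '$flag'; expected 1"
}

# 2. Show which certificate templates NDES issues against. Each subkey's
#    default value holds the template name; the renewal behaviour
#    (e.g. "Require Valid Existing Certificate") is configured on that template.
foreach ($sub in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
    $path = Join-Path $mscepKey $sub
    if (Test-Path $path) {
        $name = (Get-ItemProperty -Path $path).'(default)'
        Write-Host ("{0,-24} -> {1}" -f $sub, $name)
    }
}

# 3. List requests in "pending" disposition (Disposition 9) so a renewal that
#    was expected to auto-issue can be spotted, with the template it hit.
certutil -view -restrict 'Disposition=9' `
    -out 'RequestID,RequesterName,CertificateTemplate,SubmittedWhen'
```

For SCEP submissions the RequesterName column shows the NDES service identity rather than the router, so match the SubmittedWhen time against the router's retry schedule (every 2 minutes, up to 100 attempts, in the config above).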
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/