Enrollment from CISCO Router #211

Open
ilke42 opened this issue Dec 1, 2022 · 6 comments

Comments

@ilke42

ilke42 commented Dec 1, 2022

Has anybody tried to enroll from a CISCO router?
On the router I get:
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
% Failed to authenticate the Certificate Authority

With debug enabled on both sides I don't get anything more.

@ilke42
Author

ilke42 commented Dec 1, 2022

Test-Router(cs-server)#
Dec 1 18:49:51.643: CRYPTO_CS: enter FSM: input state disabled, input signal no shut
Dec 1 18:49:51.643: CRYPTO_CS: SCEP server stopped
Dec 1 18:49:51.643: CRYPTO_CS: starting enabling checks
Dec 1 18:49:51.643: CRYPTO_CS: nvram filesystem
Dec 1 18:49:51.661: CRYPTO_CS: file opened: nvram:Test-Router.ser
Dec 1 18:49:51.662: CRYPTO_CS: closed ser file
Dec 1 18:49:51.662: CRYPTO_CS: found existing serial file.
Dec 1 18:49:51.662: CRYPTO_CS: authenticating the CA 'Test-Router'
Dec 1 18:49:51.662: All expired database files are deleted.
Dec 1 18:49:51.662: CRYPTO_PKI_SCEP: Client sending GetCACert request
Dec 1 18:49:51.662: CRYPTO_PKI: Sending CA Certificate Request:
GET /scep:8081/pkiclient.exe?operation=GetCACert&message=Test-Router HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.100.100

Dec 1 18:49:51.662: CRYPTO_PKI: locked trustpoint Test-Router, refcount is 1
Dec 1 18:49:51.662: CRYPTO_PKI: http connection opened
Dec 1 18:49:51.662: CRYPTO_PKI: Sending HTTP message

Dec 1 18:49:51.662: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.100.100

Dec 1 18:49:51.663: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
Dec 1 18:49:51.663: CRYPTO_PKI: unlocked trustpoint Test-Router, refcount is 0
Dec 1 18:49:51.663: CRYPTO_PKI: status = 65535: failed to send out the pki message
Dec 1 18:49:51.663: CRYPTO_PKI: ca_req_context already freed
Dec 1 18:49:51.663: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed
Dec 1 18:49:51.663: CRYPTO_CS: exit FSM: new state check failed
Dec 1 18:49:51.663: CRYPTO_CS: cs config has been locked

@klubi
Contributor

klubi commented Dec 5, 2022

GET /scep:8081/pkiclient.exe?operation=GetCACert&message=Test-Router HTTP/1.0

pkiclient.exe part of the URL looks odd...
Is this something you have configured on the router?
I believe that if you were able to change that so it's /scep:8081/scep?operation=GetCACert&message=Test-Router HTTP/1.0, then it would work.

Do you have scep-server logs?

@ilke42
Author

ilke42 commented Dec 15, 2022

On the router I tried different settings, for example:
enrollment url http://X.X.X.X:8081/scep/scepoperation=GetCACert=SubCA6

And I still get:
Dec 15 12:02:52.811: CRYPTO_PKI: Sending CA Certificate Request:
GET /scep/pkiclient.exe?operation=GetCACert&message=SubCA6 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)

When I browse to http://X.X.X.X:8081/scep I get "operation not implemented", which means the web server is accessible.

Obviously the router adds the pkiclient.exe? part, per the description here:
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html

Does this mean the Debian micromdm/scep server could not be used because I can't change that part?

I can't find SCEP server logs; even with the -debug enable -log-json command, I don't see any log files.

@klubi
Contributor

klubi commented Dec 15, 2022

I'm afraid so.
Exe file won't be available for you, so unless that can be changed, I don't have good news.

@petarov

petarov commented Dec 16, 2022

@ilke42 An option would be to use Nginx or something else to overwrite /scep/pkiclient.exe as /scep and then direct it to the SCEP server.

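The reverse-proxy workaround petarov proposes above, written out as an added example; this is not code from this thread or from micromdm/scep. A small Go front end accepts the /scep/pkiclient.exe path that IOS appends to the enrollment url, rewrites it to the /scep path micromdm/scep serves, leaves the query string (operation=GetCACert&message=...) and the request method and body untouched, and answers 404 for every other path so the box does not become an open proxy. The listen port :8081, the backend address http://127.0.0.1:8082, and the function names are assumptions for the example; run micromdm/scep on the backend address and point the router's enrollment url at the proxy.

```go
package main

import (
	"flag"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// ciscoSCEPPath is what the router asks for: IOS appends "pkiclient.exe" to the
// configured enrollment URL (see the Cisco SCEP technote linked in the thread).
const ciscoSCEPPath = "/scep/pkiclient.exe"

// backendSCEPPath is the path micromdm/scep actually serves.
const backendSCEPPath = "/scep"

// rewriteSCEPPath maps the Cisco-style path onto the micromdm/scep path.
// Any other path comes back unchanged; the handler below refuses it anyway.
func rewriteSCEPPath(p string) string {
	if p == ciscoSCEPPath {
		return backendSCEPPath
	}
	return p
}

// newSCEPHandler returns an HTTP handler that forwards SCEP traffic to backend
// with the path rewritten. The query string (operation=..., message=...), the
// method (GET for GetCACert, GET or POST for PKIOperation) and the body are
// passed through unchanged by httputil.ReverseProxy. Example code; assumed names.
func newSCEPHandler(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		r.URL.Path = rewriteSCEPPath(r.URL.Path)
		r.URL.RawPath = "" // drop any encoded form so the rewritten Path is authoritative
		director(r)        // sets scheme/host for the backend and keeps RawQuery
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Expose only the SCEP endpoint; everything else is refused, not forwarded.
		if r.URL.Path != ciscoSCEPPath && r.URL.Path != backendSCEPPath {
			http.NotFound(w, r)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses: the router's enrollment url points at :8081 on this
	// host, and micromdm/scep listens on 127.0.0.1:8082.
	listen := flag.String("listen", ":8081", "address the router connects to")
	backendStr := flag.String("backend", "http://127.0.0.1:8082", "micromdm/scep base URL")
	flag.Parse()

	backend, err := url.Parse(*backendStr)
	if err != nil {
		log.Fatalf("bad backend URL: %v", err)
	}
	log.Printf("proxying %s -> %s%s, listening on %s", ciscoSCEPPath, backend, backendSCEPPath, *listen)
	log.Fatal(http.ListenAndServe(*listen, newSCEPHandler(backend)))
}
```

The same mapping in Nginx is a `location = /scep/pkiclient.exe` block containing `rewrite ^/scep/pkiclient\.exe$ /scep break;` followed by a `proxy_pass` to the micromdm/scep address; `rewrite` keeps the query string by default, which is what the GetCACert request depends on. Either way, confirm the rewrite from the router side with the same `debug crypto pki transactions` output shown earlier: the GET line should still carry `operation=GetCACert&message=...`, and the SCEP server should now answer with a non-zero certificate length.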
@ilke42
Author

ilke42 commented Dec 16, 2022

@petarov Yes, that is good idea, thank you. If I start the LAB again I will definitely try it.
