Microsoft SCEP Certificate Issuance Problem for PIX

I'm trying to set up certificate-based VPNs on several PIX devices running IOS 6.3. The issue I'm having is with the Microsoft CA denying enrollment to my devices through SCEP. My CA is running Windows Server 2003 set up as a domain in its own forest (Active Directory), a stand-alone root CA with SCEP loaded. From the certificate template, I've allowed the administrator to enroll, issue, and all other rights for the IPSEC (offline) certificate. I've added the administrator to the IIS_WPG group, did not change any other configurations, and logged in to SCEP to get my CA thumbprint and challenge password. Using the Cisco and Microsoft documentation, I've created my identity and configuration OK. My PIX authenticates to the CA using the CA thumbprint but cannot enroll using the one-time password.

The PIX error message was "The certificate enrollment request was denied by CA", while the Microsoft server's Application Event Viewer states it cannot verify the password (which WAS typed the same for each new occurrence).

I reinstalled SCEP, disabled the challenge password for testing, and tried to enroll again. This time, the PIX said the enrollment request failed and the Event Viewer says "SCEP Add-on cannot decrypt the inner content of the client's PKCS 7 message (0x80090005). Bad data".

So a connection is established, and the PIX and CA can communicate and authenticate, but there's an error in the enrollment process. Is this a Windows permission issue? I appreciate any ideas, since I've been trying to troubleshoot this for two weeks now. Thanks!

Reply to
DCS
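The one-time password the post is struggling with travels inside the PKCS#10 request that SCEP wraps in its PKCS#7 message, as the PKCS#9 challengePassword attribute (OID 1.2.840.113549.1.9.7); the CA checks that value against the password it issued. The Python below is an added example, not code from the post or from Cisco or Microsoft, that builds and reads that attribute with a minimal DER encoder so the exact bytes the CA compares are visible; the password value is constructed and the helper names are the example's own.

```python
# Added example: DER encoding of the PKCS#9 challengePassword attribute that a
# SCEP client (such as a PIX) places in its PKCS#10 CSR. Standard library only.

CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"  # pkcs-9 challengePassword

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                       # base-128, high bit = continuation
        chunk = [p & 0x7F]; p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F)); p >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val); val = 0
    return ".".join(map(str, parts))

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def challenge_password_attribute(password):
    """Attribute ::= SEQUENCE { type OID, values SET OF PrintableString }."""
    values = _tlv(0x31, _tlv(0x13, password.encode("ascii")))
    return _tlv(0x30, _tlv(0x06, _encode_oid(CHALLENGE_PASSWORD_OID)) + values)

def csr_attributes(*attrs):
    """PKCS#10 'attributes [0] IMPLICIT SET OF Attribute' (context tag 0xA0)."""
    return _tlv(0xA0, b"".join(attrs))

def extract_challenge_password(attributes_der):
    """What the CA sees: walk the attribute set and return the password, or None."""
    tag, attrs, _ = _read_tlv(attributes_der, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] IMPLICIT attributes")
    pos = 0
    while pos < len(attrs):
        _, attr, pos = _read_tlv(attrs, pos)
        _, oid_body, p = _read_tlv(attr, 0)
        _, values, _ = _read_tlv(attr, p)
        if _decode_oid(oid_body) == CHALLENGE_PASSWORD_OID:
            vtag, vbody, _ = _read_tlv(values, 0)
            if vtag in (0x13, 0x0C):          # PrintableString or UTF8String
                return vbody.decode("utf-8")
    return None
```

Because the attribute is compared byte-for-byte after the PKCS#7 envelope is opened, a decryption failure like the 0x80090005 event means the CA never reaches this comparison at all.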

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.