Cannot get CA certificate successfully from CA server on AR router

Publication Date:  2015-06-30 Views:  681 Downloads:  0
Issue Description
The customer wanted to use RSA certificates for IKE authentication of IPSec traffic. After the configuration was finished, we found that the AR could not automatically enroll for a certificate from the CA server.
The PKI configuration is as follows:
pki entity PKI-ENTITY
country XX
organization XXX
organization-unit XX
common-name XXXX
ip-address GigabitEthernet0/0/0
serial-number
#
pki realm PKI-REALM
ca id XXXX
enrollment-url http://X.X.X.X:80/certsrv/mscep/mscep.dll ra
entity PKI-ENTITY
auto-enroll regenerate
source interface GigabitEthernet0/0/0
usage ike
#
Alarm Information
None
Handling Process
1. Checked the configuration and found nothing abnormal.
2. Enabled debugging during certificate enrollment and found the error below.
<Test>debugging pki all all
<Test>system-view
Enter system view, return user view with Ctrl+Z.
[Test]pki enroll-certificate PKI-REALM
.......................
Jun 11 2015 00:00:46.187.1+00:00 Test PKI/7/PKI_SCEP:
[SCEP]PKI_SCEP_ProcRespMsg: MapIdx 7 Obj handle err
1825505  Validation of GetCACert response message failed
2022121  CA/RA certificates list has more than three certificates
......................

3. Confirmed with R&D that the AR router currently supports at most three CA/RA certificates during certificate enrollment, in the following scenario:
a. For RA certificates, the AR router supports only the common case of one signature certificate and one encryption certificate.
b. The AR router supports only one CA certificate, as the standard specifies.

4. Asked the customer to capture packets during certificate enrollment. The capture showed that the CA server sends four certificates to the AR router: two RA certificates and two CA certificates.
Because the AR router does not support this, the certificate cannot be enrolled successfully.
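To see what a CA server actually returns in its GetCACert reply before relying on SCEP enrollment, here is an added example (not from the original case or from Huawei): a stdlib-only Python parser that counts the certificates in the degenerate PKCS#7 reply, labels each as CA or RA (signature or encryption, from KeyUsage), and applies the limit quoted in this case as I read it (at most three certificates, at most one of them a CA). The certificates and reply produced by fake_certificate and fake_getcacert_reply are constructed, unsigned skeletons standing in for the customer's capture, not the captured bytes; the tags and OIDs are those of RFC 5280 and RFC 5652.

```python
"""Count and classify the certificates in a SCEP GetCACert reply.

The reply (application/x-x509-ca-ra-cert) is a degenerate PKCS#7 SignedData
whose only payload is a certificate list.  Stdlib only; no signatures checked.
"""

OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2
OID_ID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"      # 1.2.840.113549.1.7.1
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                    # 2.5.29.19
OID_KEY_USAGE = b"\x55\x1d\x0f"                            # 2.5.29.15


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        yield tag, value


def der_tlv(tag, body):
    """Encode one TLV (lengths up to 65535 are enough for this tool)."""
    n = len(body)
    hdr = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + hdr + body


def getcacert_certificates(reply):
    """Return the DER certificates carried in a GetCACert reply body."""
    tag, body, _ = der_read(reply)
    fields = list(der_children(body))
    if tag != 0x30 or fields[0][1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData")
    signed_data = next(der_children(fields[1][1]))[1]  # [0] EXPLICIT SignedData
    for tag, value in der_children(signed_data):
        if tag == 0xA0:                                # [0] IMPLICIT certificates
            return [der_tlv(t, v) for t, v in der_children(value)]
    return []


def classify_certificate(cert):
    """Return 'CA' or 'RA (signature|encryption|unknown usage)' for one DER cert."""
    _, body, _ = der_read(cert)
    tbs = next(der_children(body))[1]                  # tbsCertificate
    is_ca, key_usage = False, 0
    for tag, value in der_children(tbs):
        if tag != 0xA3:                                # [3] EXPLICIT extensions
            continue
        for _, ext in der_children(next(der_children(value))[1]):
            fields = list(der_children(ext))           # extnID, [critical], extnValue
            oid, inner = fields[0][1], next(der_children(fields[-1][1]))[1]
            if oid == OID_BASIC_CONSTRAINTS:
                bc = list(der_children(inner))         # [cA BOOLEAN] [pathLen INTEGER]
                is_ca = bool(bc) and bc[0] == (0x01, b"\xff")
            elif oid == OID_KEY_USAGE:
                key_usage = inner[1] if len(inner) > 1 else 0   # skip unused-bits byte
    if is_ca:
        return "CA"
    roles = [name for bit, name in ((0x80, "signature"), (0x20, "encryption")) if key_usage & bit]
    return "RA (" + ", ".join(roles or ["unknown usage"]) + ")"


def ar_can_enroll(roles):
    """The limit described in this case: at most three certificates, one of them a CA."""
    return len(roles) <= 3 and roles.count("CA") <= 1


def fake_certificate(cn, ca, key_usage_byte):
    """Constructed test data: unsigned X.509 v3 skeleton with only the fields read above."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))))
    bc = der_tlv(0x04, der_tlv(0x30, der_tlv(0x01, b"\xff") if ca else b""))
    ku = der_tlv(0x04, der_tlv(0x03, bytes([0, key_usage_byte])))
    exts = (der_tlv(0x30, der_tlv(0x06, OID_BASIC_CONSTRAINTS) + der_tlv(0x01, b"\xff") + bc)
            + der_tlv(0x30, der_tlv(0x06, OID_KEY_USAGE) + ku))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + name + name + der_tlv(0xA3, der_tlv(0x30, exts)))   # validity/SPKI omitted
    return der_tlv(0x30, tbs + der_tlv(0x03, b"\x00"))                 # empty signature placeholder


def fake_getcacert_reply(certs):
    """Constructed test data: wrap certificates in a degenerate SignedData."""
    signed_data = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"")
                          + der_tlv(0x30, der_tlv(0x06, OID_ID_DATA))
                          + der_tlv(0xA0, b"".join(certs)) + der_tlv(0x31, b""))
    return der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))


# Stand-in for the customer's capture: two CA certificates plus a signature and an
# encryption RA certificate (constructed, not the captured bytes).
CUSTOMER_REPLY = fake_getcacert_reply([
    fake_certificate("Root CA", True, 0x06),               # keyCertSign | cRLSign
    fake_certificate("Issuing CA", True, 0x06),
    fake_certificate("MSCEP-RA signature", False, 0x80),   # digitalSignature
    fake_certificate("MSCEP-RA encryption", False, 0x20),  # keyEncipherment
])

if __name__ == "__main__":
    roles = [classify_certificate(c) for c in getcacert_certificates(CUSTOMER_REPLY)]
    print(roles, "AR can enroll:", ar_can_enroll(roles))
```

Against a live server, fetch the reply with an HTTP GET of the enrollment URL with operation=GetCACert and message set to the CA identifier, and pass the response body to getcacert_certificates. A list longer than three entries, or one holding a second CA certificate, is the condition this case's debug output reports as "CA/RA certificates list has more than three certificates".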

5. However, there is a temporary workaround using out-of-band mode:
a. Download the AR's local certificate from the CA server and upload it to the AR router.
b. Obtain the CA certificate from the CA server with the command below.
[HQ1]pki get-certificate ca XXX                                                                                                   
  Info: CA certificate is existed.                                                                                                 
  The old CA certificate will be covered with the new one. Are you sure[Y/N]: y                                                    
  Get CA certificate will take a few moment,please waiting........                                                                 
  The trusted CA's fingerprint is:                                                                                                 
    MD5  fingerprint: 113525d8  96d35936  c38235ea  2cee80eb                                                                       
    SHA1 fingerprint: 6330974f  b2fe3c52  d16bdac4  0140918b  4bcd3ec7                                                             
  Is the fingerprint correct? [Y/N]: y                                                                                             
[HQ1]                                                                                                                              
  Get CA certificate successful.

Before answering Y at the fingerprint prompt, compare the fingerprint (prefer the SHA1 value over MD5) with the one the CA administrator publishes for the CA certificate; accepting an unverified fingerprint would make whatever answers at that address the router's trust anchor for IKE.
c. Then import these certificates locally. The DER file holds only the public certificate, so the local certificate must have been issued for the RSA key pair that already exists on the router.
[HQ1]pki import-certificate local XXX der                                                                                         
[HQ1]pki import-certificate ca XXX der    

After that, verify the certificates on the AR router with the commands below.
<Huawei> display pki certificate ca XXX
<Huawei> display pki certificate local XXX

The certificates are loaded successfully and the problem is solved.
Root Cause
The AR router currently supports at most three CA/RA certificates during certificate enrollment, in the following scenario:
a. For RA certificates, the AR router supports only the common case of one signature certificate and one encryption certificate.
b. The AR router supports only one CA certificate, as the standard specifies.
Solution

Since the AR router cannot enroll the certificate automatically from the CA server, the certificates can be imported in out-of-band mode.

a. Download the AR's local certificate from the CA server and upload it to the AR router.
b. Obtain the CA certificate from the CA server with the command below.
[HQ1]pki get-certificate ca XXX                                                                                                   
  Info: CA certificate is existed.                                                                                                 
  The old CA certificate will be covered with the new one. Are you sure[Y/N]: y                                                    
  Get CA certificate will take a few moment,please waiting........                                                                 
  The trusted CA's fingerprint is:                                                                                                 
    MD5  fingerprint: 113525d8  96d35936  c38235ea  2cee80eb                                                                       
    SHA1 fingerprint: 6330974f  b2fe3c52  d16bdac4  0140918b  4bcd3ec7                                                             
  Is the fingerprint correct? [Y/N]: y                                                                                             
[HQ1]                                                                                                                              
  Get CA certificate successful.

Answer Y at the fingerprint prompt only after comparing the fingerprint with the one the CA administrator publishes.
c. Then import these certificates locally (the local certificate must match the RSA key pair on the router).
[HQ1]pki import-certificate local XXX der                                                                                         
[HQ1]pki import-certificate ca XXX der    

After that, verify the certificates on the AR router with the commands below.
<Huawei> display pki certificate ca XXX
<Huawei> display pki certificate local XXX

Suggestions

R&D will release a new version to support the customer's scenario.

END