Hi all I have seen many mails from people preparing for CCIE security informing that the VPN client fails to enroll giving "error 42". What ever I do, I was getting the same issue again today.
Hence I decided it's time to find a workaround. VPN client > Certificate > Enroll > File > Base 64 > Enter parameters and click on Enroll The request file will be stored in C:\Program Files\Cisco Systems\VPN Client. Open the file with notepad and copy the request which will be in base 64 Go to IOS CA server and in the exec mode type "crypto pki server cisco request pkcs10 terminal" and paste the cert as following: If you have configured for "auto", you will be granted by the cert immediately router3#crypto pki server cisco request pkcs10 terminal % Enter Base64 encoded or PEM formatted PKCS10 enrollment request. % End with a blank line or "quit" on a line by itself. -----BEGIN NEW CERTIFICATE REQUEST----- MIICYTCCAUkCAQAwHDENMAsGA1UECxMEa2luZzELMAkGA1UEAxMCcjMwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTYhxemq8MKqnYBJW2rDAjsX65rqFj 2MQ29MbGTmEVwKg1gK8nDcH6V/0NatnBTLOgj/zoFic0w2CfzSChBJ5vrF34M75U OYq02+9Q7jacYZbQljUv3Uhho+gVJiZSW9CZQjUpb9i8IxCR/MqvRp5YzEOopcX1 Hgsz2FxGZLh2R+r2sA67ffMi4wNZ+MBZ3NW+bL+jsfcqzusgKaZxF0P3dGBruJ8V cG1TQvXxPKJvoI3WLFyn5ih3iFz9SUQglpvRKvRGchOy3CrQ3+V/bsGartl7annB cv9o2MBvcM0VL2ViKdLeUvt458YCD8hNk9z6H5ZjZ31wNw0P7oWJrRdPAgMBAAGg ADANBgkqhkiG9w0BAQQFAAOCAQEA0twE0sJsjsBZUHzNcVWY7/RMbpnx14dvaN6D gEV7w4HlMuXYO0RTNp8ZV+PQfHgv/H0+1ZmAcO054YsSXULBOW+ZyMj4/qUYlpm3 ixvnkN9gY6R0uZNiuSHwFsA2JGZ4tgN3BIFuNdGhiG0lq4CXSh5p5GAhtSX+Y46+ 4VpdcmzxO0lVw3YBd0Y84yQ68XXhRMGzdmMAvz3wpsJmC2spFpRpRm/1GXm/wRRa mzECInkmsxLww9uotYIcONgxU5jo/FOZ/o7XHCraVNCxticDFTrkPs3PP1YKcjlT iEk6hA+Fmr5Px966udyflYUwNyz/Ut+damOrQEdkOmtqSA4WKg== -----END NEW CERTIFICATE REQUEST----- % Granted certificate: -----BEGIN CERTIFICATE----- MIICZTCCAc6gAwIBAgIBAzANBgkqhkiG9w0BAQQFADANMQswCQYDVQQDEwJDQTAe Fw0xMDEwMDYxNDM5NDdaFw0xMTEwMDYxNDM5NDdaMBwxDTALBgNVBAsTBGtpbmcx CzAJBgNVBAMTAnIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA02Ic XpqvDCqp2ASVtqwwI7F+ua6hY9jENvTGxk5hFcCoNYCvJw3B+lf9DWrZwUyzoI/8 6BYnNMNgn80goQSeb6xd+DO+VDmKtNvvUO42nGGW0JY1L91IYaPoFSYmUlvQmUI1 KW/YvCMQkfzKr0aeWMxDqKXF9R4LM9hcRmS4dkfq9rAOu33zIuMDWfjAWdzVvmy/ o7H3Ks7rICmmcRdD93Rga7ifFXBtU0L18Tyib6CN1ixcp+Yod4hc/UlEIJab0Sr0 RnITstwq0N/lf27Bmq7Ze2p5wXL/aNjAb3DNFS9lYinS3lL7eOfGAg/ITZPc+h+W Y2d9cDcND+6Fia0XTwIDAQABo0IwQDAfBgNVHSMEGDAWgBRzXnEYMcCNgYBcGXfB e2t5nKt04TAdBgNVHQ4EFgQUe30hVerDbDvhd6PhHUlXQrdRT/cwDQYJKoZIhvcN AQEEBQADgYEApT47F7wZEWsQM6KC+n3hGRgbNp2xN74Z4lFeLRmyZafgdtAYdwd1 +qALSueBbmCur4U/K3gXDEQKw0fJlsCkhq8g7cVL16e7BLZS7angxctJnxgcpgtx uYMosB39WG92sVMAUKS6J6DRFcOAebR9Ua0+7t3TrWt0Iem0q82+2E0= -----END CERTIFICATE----- Copy the granted cert and paste in the notepad. Save it and rename it with .cer extension. Double click to view to cert and see, if it is valid. Now install the cert to Microsoft cert store > personal folder by right clicking on cert file and clicking on Install. Now in the VPN client go to Certificates > Import > Import from Microsoft Store and select the cert that you installed above. It worked like a Gem. If the SCEP enrollment fails, don't panic just use the above method, it will work like GEM :-) With regards Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
