CSR on Autonomous APs – lessons learned

In this blog post I'll share the resolution of an issue I stumbled across that cost me a full working day; hopefully this will spare you some troubleshooting time.

The Scenario

I was building a setup consisting of a Cisco 3702 AP in workgroup bridge (WGB) mode. The WGB needs to connect to a lightweight AP that has already joined a controller, and it must authenticate to ISE using EAP-TLS (client certificate).

The certificate authority (CA) is a Windows Server 2016 PKI with two CA servers: the root CA, called K3, and the subordinate (intermediate) CA, called K4. The goal is to generate the certificate signing request (CSR) on the AP itself, without any external tool such as OpenSSL.

First try

I generated the CSR on the AP and had it signed through the CA web enrollment tool using a user template.

wgb-01(config)#CRYpto pki enroll WGB-TLS
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=wgb-01
% The subject name in the certificate will include: wgb-01.lab.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FGL1864XD94
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no

Issue 1

Despite the CSR carrying CN=wgb-01 in its subject name, the certificate that came back was issued to the administrator user, i.e. the account used to log in to the CA web enrollment tool. That certainly doesn't fit the design.

Second try

Reviewing the certificate template on the CA server revealed the source of this behavior: the template instructs the CA to build the subject name from the Active Directory information of the requesting user, so whatever subject the CSR carries is ignored.

As soon as I found my mistake, I duplicated the user template, this time changing how the subject name is chosen so that it is supplied in the request (i.e. taken from the CSR).

Another important piece of information in this template is the minimum key size, which is set to 2048 bits. Taking this for granted cost me most of the time spent troubleshooting issue 2, as I'll explain.

Issue 2

Back to the beginning: I repeated the same process and pasted the Base64-encoded CSR acquired earlier from the AP. This time the CA web enrollment tool rejected the request with the error message:

Your Request Id is 21. The disposition message is "Denied by Policy Module".

Ouch, what a nightmare, just when I thought I had it all! To be clear, I spent almost 5 hours reading Microsoft articles and blogs about this issue without finding a cure. Just when I was really frustrated, one blog article suggested checking the CRL and matching the key size on the machine that generated the CSR. Note that the web enrollment page only shows the generic "Denied by Policy Module" text; the detailed reason is recorded on the CA itself, in the Failed Requests folder of the Certification Authority console (or via certutil -view -restrict "RequestId=21"), where an undersized key shows up as the CERTSRV_E_KEY_LENGTH status ("The public key does not meet the minimum size required by the specified certificate template").

Wait a minute. This is a Cisco AP running IOS 15.3(3)JD4; could it be that this AP generates a 1024-bit RSA key for the CSR by default? It sure does.


Changing the CSR key size on the Cisco AP is how this issue was fixed. The commands:

wgb-01(config)#crypto pki trustpoint WGB-TLS
wgb-01(ca-trustpoint)#rsakeypair wgb-01 2048

The rsakeypair command binds the trustpoint to an RSA key pair labeled wgb-01 with a 2048-bit modulus; if no key pair with that label exists, it is generated with that size at enrollment. If a 1024-bit pair with that label already exists on the AP, zeroize it first (crypto key zeroize rsa wgb-01) or generate the new one explicitly (crypto key generate rsa label wgb-01 modulus 2048), then run crypto pki enroll WGB-TLS again so that the new CSR actually carries the 2048-bit key.
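Before pasting the next CSR into web enrollment it is worth checking, offline, what the AP actually put in it: the subject CN and the RSA modulus size, which are exactly the two things the CA template tripped over in issues 1 and 2. The following Python script is an added example, not part of the original post and not a Cisco or Microsoft tool. It walks the DER of a PKCS#10 request using only the standard library, accepts either full PEM or the bare Base64 block the AP prints to the terminal, and compares the key size against an assumed template minimum of 2048 bits. The sample request it builds (build_unsigned_csr) is constructed inside the script with a dummy modulus and an all-zero signature, purely to exercise the parser.

```python
"""Inspect a PKCS#10 CSR offline: report the subject CN and the RSA key size.

Pure standard library (a tiny DER walker), so it runs on any jump host without
OpenSSL. Use it to see what the AP actually generated before submitting the
request to a CA whose template enforces a minimum key size.
"""
import base64
import re

OID_CN = bytes.fromhex("550403")                      # id-at-commonName 2.5.4.3
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption (fixture only)


def der_items(data):
    """Yield (tag, value) for the consecutive DER TLVs contained in `data`."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                 # long form: low bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def pem_to_der(text):
    """Accept a full PEM file or the bare Base64 block IOS prints to the terminal."""
    body = re.sub(r"-----[^-]+-----", "", text)
    return base64.b64decode("".join(body.split()))


def inspect_csr(text):
    """Return {'cn': str|None, 'key_bits': int} for an RSA PKCS#10 request."""
    _, csr = next(der_items(pem_to_der(text)))          # CertificationRequest
    cri, _sig_alg, _sig = [v for _, v in der_items(csr)]
    fields = [v for _, v in der_items(cri)]             # version, subject, SPKI, [attributes]
    subject, spki = fields[1], fields[2]
    cn = None
    for _, rdn in der_items(subject):                   # SET OF AttributeTypeAndValue
        for _, atv in der_items(rdn):
            oid, value = [v for _, v in der_items(atv)]
            if oid == OID_CN:
                cn = value.decode()
    alg, pubkey = [v for _, v in der_items(spki)]
    if next(der_items(alg))[1] != OID_RSA:
        raise ValueError("not an RSA public key")
    # BIT STRING: first byte is the unused-bit count, then RSAPublicKey {n, e}
    _, rsa_pub = next(der_items(pubkey[1:]))
    n_bytes = next(der_items(rsa_pub))[1]
    return {"cn": cn, "key_bits": int.from_bytes(n_bytes, "big").bit_length()}


def check_against_template(text, min_bits=2048):
    """Mimic the CA policy module's minimum key size check before submitting."""
    info = inspect_csr(text)
    info["ok"] = info["key_bits"] >= min_bits
    return info


# --- constructed test fixture: not a real key and not a real signature --------

def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_int(value):
    # the extra leading 0x00 when the top bit is set keeps the INTEGER positive
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_unsigned_csr(cn, key_bits):
    """Constructed PKCS#10 request: dummy modulus of exactly `key_bits` bits and
    an all-zero signature. Enough to exercise the parser, useless to a CA."""
    modulus = (1 << (key_bits - 1)) | 0x10001
    rsa_pub = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
               + der(0x03, b"\x00" + rsa_pub))
    subject = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    cri = der(0x30, der_int(0) + subject + spki + der(0xA0, b""))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    csr = der(0x30, cri + sig_alg + der(0x03, b"\x00" * (key_bits // 8 + 1)))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + base64.encodebytes(csr).decode()
            + "-----END CERTIFICATE REQUEST-----\n")


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(check_against_template(build_unsigned_csr("wgb-01", bits)))
```

To use it on a real request, save the Base64 block the AP prints (with or without the BEGIN/END lines) to a file and call check_against_template(open(path).read()). A key_bits of 1024 tells you up front that a template with a 2048-bit minimum will reject the request, without a round trip through web enrollment and the CA's Failed Requests folder.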

I hope this post finds its way to someone and spares them the hassle of reading Microsoft server blogs 🙂

Please help me improve my writing with your feedback!