Unable to generate SCEP certificate, Certificate CA Retrieval Failed

Created On 02/08/23 16:30 PM - Last Modified 10/10/25 01:52 AM


Symptom


  • SCEP certificate generation fails with error message "Unable to generate SCEP certificate, Certificate CA Retrieval Failed". 
  • debug-level sslmgr logs report "/usr/bin/sscep: wrong (or missing) MIME content type". 


Environment


  • Palo Alto Networks Firewall and Panorama
  • Supported PAN-OS
  • Certificate management
  • SCEP 
  • Windows Server


Cause


  • The issue occurs because Anonymous Authentication is disabled in IIS Manager on the Windows server hosting the SCEP endpoint (mscep.dll), so IIS rejects the firewall's unauthenticated SCEP requests before mscep.dll can answer them.

  • Below is the flow seen in sslmgr.log with sslmgr at debug level:
    >tail follow yes mp-log sslmgr.log
    2023-02-08 10:13:59.404 -0600 debug: cfgagent_opcmd_callback(pan_cfgagent.c:496): sslmgr: cfg agent received op command from server
    2023-02-08 10:13:59.404 -0600 debug: cfgagent_doop_callback(pan_cfgagent.c:531): received signal to execute for agent: sslmgr
    2023-02-08 10:13:59.413 -0600 debug: pan_scep_get_client_cert(pan_scep.c:401): Trying to create temporary directory /opt/pancfg/certificates/tmpXXXXXX
    debug: pan_scep_get_challenge(pan_scep.c:163): Sending http get to scep server http://172.16.3.254/CertSrv/mscep_admin/mscep.dll
    debug: pan_http_curl_get(pan_http_client.c:551): custom_header [Accept-Language: en-US]
    debug: pan_http_curl_get(pan_http_client.c:556): add last header: [Accept-Language: en-US]
    debug: pan_http_curl_get(pan_http_client.c:600): setting headers...
    debug: pan_scep_get_challenge(pan_scep.c:211): Parsed Challenge 511BBA03219A96E1
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 007051000210668
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 1781276205
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is RSA
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is sha256
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 511BBA03219A96E1
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is http://172.16.3.254/CertSrv/mscep_admin/mscep.dll
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is E9026EAFA0212C7020E62085752EC8C7
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 1, str is CN=$USERNAME
    debug: pan_scep_is_safe_string(pan_scep.c:58): Token $USERNAME exists in subject and the position is 3
    debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is DC1-MSCEP-RA
    debug: pan_scep_get_client_cert(pan_scep.c:471): Generating CSR from script.../usr/local/bin/pangenscepcert.sh -s "007051000210668" ......(output omitted)......
    writing new private key to '/opt/pancfg/certificates/tmpT2xMwB/dev.key'
    -----
    /usr/bin/sscep: wrong (or missing) MIME content type
    /usr/bin/sscep: error while sending message
    Error: pan_scep_get_client_cert(pan_scep.c:473): cmd (/usr/local/bin/pangenscepcert.sh -s "007051000210668" .....
    Error: sslmgr_scep_generate_client_cert(sslmgr_scep.c:521): pan_scep_get_client_cert() failed
    Error: cfgagent_doop_callback(pan_cfgagent.c:581): Failed to handle op command for agent:
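As an added diagnostic (not code from this article, from sscep, or from Palo Alto Networks), the following Python script issues the same GetCACert request that sscep's CA retrieval sends and judges the reply the way sscep does: it must be an HTTP 200 whose Content-Type is one of the two SCEP CA-certificate MIME types. A 401 from IIS (the Anonymous Authentication case above) or an HTML body is what surfaces on the firewall as "wrong (or missing) MIME content type". The endpoint URL shape, the "message=CA" parameter and the constructed sample responses are assumptions.

```python
"""Probe a SCEP server's GetCACert endpoint the way sscep's CA retrieval does.

Added example for this article; it is not Palo Alto Networks, sscep or Microsoft
code. The URL shape, the constructed sample responses and the verdict strings
are assumptions.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# MIME types RFC 8894 requires for a GetCACert reply: a single DER certificate,
# or a degenerate PKCS#7 carrying the CA and RA certificates (the form a
# Microsoft mscep.dll server normally returns).
CA_CERT_MIME = "application/x-x509-ca-cert"
CA_RA_CERT_MIME = "application/x-x509-ca-ra-cert"


@dataclass
class Probe:
    """The parts of an HTTP response that decide whether CA retrieval succeeds."""
    status: int
    content_type: str
    www_authenticate: str = ""


def classify(probe):
    """Return (ok, verdict) for a GetCACert response.

    A 401 means IIS rejected the request before mscep.dll ran, which is what a
    disabled Anonymous Authentication produces; a 200 with a non-SCEP body is
    the "wrong (or missing) MIME content type" case sscep reports.
    """
    mime = probe.content_type.split(";")[0].strip().lower()
    if probe.status == 401:
        return False, ("auth-required (check IIS Anonymous Authentication): "
                       + probe.www_authenticate)
    if probe.status != 200:
        return False, f"http-{probe.status}"
    if mime in (CA_CERT_MIME, CA_RA_CERT_MIME):
        return True, mime
    return False, f"wrong-mime: {mime or '(missing)'}"


def probe_getcacert(base_url, timeout=10):
    """Send GetCACert to base_url (assumed shape: http://host/CertSrv/mscep/mscep.dll)."""
    url = f"{base_url}?operation=GetCACert&message=CA"  # message value is an assumption
    req = urllib.request.Request(url, headers={"Accept-Language": "en-US"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Content-Type", ""),
                         resp.headers.get("WWW-Authenticate", ""))
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry the headers we need
        return Probe(err.code, err.headers.get("Content-Type", ""),
                     err.headers.get("WWW-Authenticate", ""))


# Constructed responses: the healthy case and the failure this article describes.
SAMPLES = {
    "healthy mscep.dll": Probe(200, "application/x-x509-ca-ra-cert"),
    "anonymous auth disabled": Probe(401, "text/html; charset=us-ascii", "Negotiate, NTLM"),
    "non-SCEP page at the URL": Probe(200, "text/html; charset=utf-8"),
}


def run_samples():
    """Classify every constructed sample; returns {name: (ok, verdict)}."""
    return {name: classify(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python scep_probe.py http://172.16.3.254/CertSrv/mscep/mscep.dll
        print(sys.argv[1], "->", classify(probe_getcacert(sys.argv[1])))
    else:
        for name, result in run_samples().items():
            print(f"{name:28s} {result}")
```

Run it without arguments to see the three constructed cases classified, or pass the SCEP URL configured on the firewall to test the live server from any host that can reach it. Because IIS authentication is evaluated before the mscep.dll handler, a 401 here is the signature of the cause in this article, whereas a 200 with an HTML Content-Type points at the URL landing on a web page rather than the SCEP endpoint.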


Resolution


Enable Anonymous Authentication in IIS Manager on the Windows server that hosts the SCEP endpoint (mscep.dll), as shown in the screenshot below (image from the original article).



Additional Information


How to configure Simple Certificate Enrollment Protocol (SCEP) on Palo Alto Network Firewall/Panorama



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGrOCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail