No se puede generar el certificado SCEP . Error en la recuperación del certificado CA

No se puede generar el certificado SCEP . Error en la recuperación del certificado CA

2308
Created On 02/08/23 16:30 PM - Last Modified 10/10/25 01:52 AM


Symptom


  • Cuando falla, vemos una ventana emergente con el mensaje "No se puede generar el certificado SCEP . Error en la recuperación del certificado CA ".
  • En los registros de sslmgr con la depuración habilitada, vemos "/usr/bin/sscep: tipo de contenido MIME incorrecto (o faltante)"

Environment


  • PAN-OS
  • Cortafuegos y Panorama de Palo Alto Networks
  • Gestión de certificados
  • SCEP
  • Servidor de Windows

Cause


  • El problema se debió a que la autenticación anónima estaba deshabilitada en el Administrador de IIS 2023-02-08 10_24_15-Servidor2019-NUEVO-nbastola.png
  • Below is the flow when administrador de sslis on debug level 
    >tail follow yes mp-log sslmgr.log
2023-02-08 10:13:59.404 -0600 debug: cfgagent_opcmd_callback(pan_cfgagent.c:496): sslmgr: cfg agent received op command from server
2023-02-08 10:13:59.404 -0600 debug: cfgagent_doop_callback(pan_cfgagent.c:531): received signal to execute for agent: sslmgr
2023-02-08 10:13:59.413 -0600 debug: pan_scep_get_client_cert(pan_scep.c:401): Trying to create temporary directory /opt/pancfg/certificates/tmpXXXXXX
debug: pan_scep_get_challenge(pan_scep.c:163): Sending http get to scep server http://172.16.3.254/CertSrv/mscep_admin/mscep.dll
debug: pan_http_curl_get(pan_http_client.c:551): custom_header [Accept-Language: en-US]
debug: pan_http_curl_get(pan_http_client.c:556): add last header: [Accept-Language: en-US]
debug: pan_http_curl_get(pan_http_client.c:600): setting headers...
debug: pan_scep_get_challenge(pan_scep.c:211): Parsed Challenge 511BBA03219A96E1
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 007051000210668
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 1781276205
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is RSA
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is sha256
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 511BBA03219A96E1
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is http://172.16.3.254/CertSrv/mscep_admin/mscep.dll
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is E9026EAFA0212C7020E62085752EC8C7
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 1, str is CN=$USERNAME
debug: pan_scep_is_safe_string(pan_scep.c:58): Token $USERNAME exists in subject and the position is 3
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is DC1-MSCEP-RA
debug: pan_scep_get_client_cert(pan_scep.c:471): Generating CSR from script.../usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "511BBA03219A96E1" -e "http://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmpT2xMwB" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "no" -t "DC1-MSCEP-RA"Generating a 2048 bit RSA private key
...............+++
......................................................................................................+++
writing new private key to '/opt/pancfg/certificates/tmpT2xMwB/dev.key'
-----
/usr/bin/sscep: wrong (or missing) MIME content type
/usr/bin/sscep: error while sending message
Error:  pan_scep_get_client_cert(pan_scep.c:473): cmd (/usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "511BBA03219A96E1" -e "http://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmpT2xMwB" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "no" -t "DC1-MSCEP-RA") failed
Error:  sslmgr_scep_generate_client_cert(sslmgr_scep.c:521): pan_scep_get_client_cert() failed
Error:  cfgagent_doop_callback(pan_cfgagent.c:581): Failed to handle op command for agent:

Resolution


  • Habilite la autenticación anónima como se muestra a continuación 2023-02-08 10_28_45-Servidor2019-NUEVO-nbastola.png

Additional Information
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGrOCAU&lang=es&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language