
Verify that the DMZ-9800 does not have an organizational certificate.

Enroll the DMZ-9800 without the firewall rule(s) in place.
1. Define an RSA key pair and trust point
crypto key generate rsa general-keys modulus 2048 label 9800DMZ-2-HTTPS-KEYPAIR exportable
!
crypto pki trustpoint 9800DMZ-2-HTTPS-TRUSTPOINT
enrollment retry count 100
enrollment retry period 60
enrollment mode ra
enrollment url http://10.0.206.22:80/certsrv/mscep/mscep.dll
serial-number none
ip-address none
fqdn 9800DMZ-2.netprojekralac.com
subject-name CN=9800DMZ-2.netprojekralac.com,OU=Router SCEP,O=NETPROJEKRALAC LLC,ST=NY,C=US
revocation-check none
rsakeypair 9800DMZ-2-HTTPS-KEYPAIR
auto-enroll 30 regenerate
Note: Two of these settings trade security for convenience. The exportable keyword allows the private key to be exported from the device; leave it off on a production DMZ controller unless the key genuinely has to be backed up or moved. revocation-check none disables CRL/OCSP checking for certificates validated against this trust point. Both are acceptable for this lab but should be reviewed before the configuration is reused.
2. Download and authenticate the CA's root certificate
crypto pki authenticate 9800DMZ-2-HTTPS-TRUSTPOINT
Note: With the firewall rule absent, the SCEP request to 10.0.206.22 fails because the traffic is denied. Once it succeeds, IOS-XE prints the fingerprint of the CA certificate it received and asks whether to accept it. Compare that fingerprint with one obtained from the CA out of band before answering yes: SCEP runs over plain HTTP, so this prompt is the only check that stops a spoofed CA certificate from being installed as trusted.

Allow the traffic through the firewall: permit HTTP (TCP 80) from the DMZ-9800 to the NDES server 10.0.206.22, which is the enrollment URL configured on the trust point.

Continue the certificate enrollment
3. Verify that the CA certificate was downloaded and installed under the trust point
do show crypto pki certificates

4. Enroll the certificate
crypto pki enroll 9800DMZ-2-HTTPS-TRUSTPOINT
Supply the SCEP challenge password issued by the NDES server if it requires one, then confirm that the device certificate was issued and check its subject, issuer, validity dates and fingerprint:
do show crypto pki certificates verbose 9800DMZ-2-HTTPS-TRUSTPOINT

5. Assign the trust point to the HTTPS server
ip http secure-trustpoint 9800DMZ-2-HTTPS-TRUSTPOINT
The HTTPS server itself must be enabled (ip http secure-server). If the GUI keeps presenting the previous self-signed certificate after this change, disable and re-enable the HTTPS server (no ip http secure-server, then ip http secure-server) so that it reloads the new trust point.
6. Access the device GUI using its FQDN, https://9800DMZ-2.netprojekralac.com, and confirm in the browser that the presented certificate has the subject CN from step 1, is issued by the organizational CA, and matches the fingerprint shown by the verbose output in step 4.
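The procedure above contains two points where an operator compares a certificate fingerprint by eye: the prompt from crypto pki authenticate in step 2, and the check that the GUI in step 6 serves the certificate shown by show crypto pki certificates verbose in step 4. The following script is an added example, not part of the original runbook or of Cisco's or Microsoft's tooling. It hashes a CA certificate file and a live HTTPS certificate and lays the digests out in the spaced, uppercase, eight-digit groups that IOS-XE prints, then compares them with a fingerprint pasted from the console in any common spelling (IOS groups, OpenSSL colon-hex, lowercase). The file path and hostname in the usage lines are assumptions for this lab; the CA root certificate is assumed to have been exported from the CA itself rather than taken from the SCEP response, because with enrollment mode ra the SCEP GetCACert reply is a PKCS#7 bundle of CA and RA certificates, not a bare certificate.

```python
"""Fingerprint checks for the SCEP enrollment runbook (added example).

Usage (hostname and file path are assumptions for this lab):
  python3 scep_fp.py ca    ca-root.cer "2F4C8B6A 9D3E1F0B ..."   # step 2 prompt
  python3 scep_fp.py https 9800DMZ-2.netprojekralac.com "..."    # step 6 vs step 4
"""
import base64
import hashlib
import re
import ssl
import sys


def ios_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash DER bytes and format the digest the way IOS-XE displays it:
    uppercase hex in groups of eight digits separated by single spaces."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    block = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not block:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(block.group(1).split()))


def load_der(path: str) -> bytes:
    """Read a certificate file that may be DER or PEM and return DER bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data.decode("ascii"))
    return data


def normalize_fp(text: str) -> str:
    """Reduce any fingerprint spelling (IOS spaced groups, OpenSSL colon-hex,
    lowercase certutil output) to bare uppercase hex so spellings compare equal."""
    return re.sub(r"[^0-9A-F]", "", text.upper())


def same_fingerprint(shown: str, computed: str) -> bool:
    """True only when both strings carry a fingerprint and they are identical."""
    a, b = normalize_fp(shown), normalize_fp(computed)
    return bool(a) and a == b


def fetch_https_cert_der(host: str, port: int = 443) -> bytes:
    """Retrieve the leaf certificate the controller presents on HTTPS.
    No chain validation is done here: the goal is to identify the certificate,
    and the identity check is the fingerprint comparison that follows."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def report(der: bytes, shown: str) -> bool:
    """Print every digest IOS-XE shows and state whether the pasted value matches."""
    ok = False
    for algo in ("md5", "sha1", "sha256"):
        fp = ios_fingerprint(der, algo)
        hit = same_fingerprint(shown, fp)
        ok = ok or hit
        print(f"Fingerprint {algo.upper():>6}: {fp}{'   <-- matches' if hit else ''}")
    print("MATCH: accept" if ok else "NO MATCH: do not accept this certificate")
    return ok


if __name__ == "__main__":
    if len(sys.argv) != 4 or sys.argv[1] not in ("ca", "https"):
        sys.exit(__doc__)
    mode, target, shown = sys.argv[1:]
    der = load_der(target) if mode == "ca" else fetch_https_cert_der(target)
    sys.exit(0 if report(der, shown) else 1)
```

In the ca mode the value pasted as the third argument is the fingerprint that crypto pki authenticate displayed on the console; a mismatch means the trust point fetched something other than the CA's real root certificate and the enrollment should be aborted. In the https mode the pasted value comes from the device certificate section of show crypto pki certificates verbose, and a match confirms that the web server is now using the enrolled certificate rather than the earlier self-signed one.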


