Cisco 9800 Wireless 2025 – SCEP enrollment From DMZ to Internal Network

Verify that the DMZ-9800 does not have an organizational certificate.


Enroll the DMZ-9800 without the firewall rule(s) in place.

1. Define an RSA key pair and trust point

crypto key generate rsa general-keys modulus 2048 label 9800DMZ-2-HTTPS-KEYPAIR exportable
!
crypto pki trustpoint 9800DMZ-2-HTTPS-TRUSTPOINT
 enrollment retry count 100
 enrollment retry period 60
 ! RA mode: enrollment goes through the Microsoft NDES registration authority
 enrollment mode ra
 enrollment url http://10.0.206.22:80/certsrv/mscep/mscep.dll
 ! Keep the serial number and IP address out of the subject; identify the box by FQDN only
 serial-number none
 ip-address none
 fqdn 9800DMZ-2.netprojekralac.com
 subject-name CN=9800DMZ-2.netprojekralac.com,OU=Router SCEP,O=NETPROJEKRALAC LLC,ST=NY,C=US
 revocation-check none
 rsakeypair 9800DMZ-2-HTTPS-KEYPAIR
 ! Request renewal automatically once 30% of the certificate lifetime has elapsed, with a fresh key pair
 auto-enroll 30 regenerate

2. Download the CA’s root certificate
 
 crypto pki authenticate 9800DMZ-2-HTTPS-TRUSTPOINT

Note: The SCEP request fails at this point because the firewall is still denying the traffic from the DMZ to the SCEP server.


Allow the traffic through the firewall

Continue the certificate enrollment

3. Verify the CA certificate download

do show crypto pki certificates

4. Enroll the certificate

 crypto pki enroll 9800DMZ-2-HTTPS-TRUSTPOINT
 do show crypto pki certificates verbose 9800DMZ-2-HTTPS-TRUSTPOINT

5. Assign the trust point

 ip http secure-trustpoint 9800DMZ-2-HTTPS-TRUSTPOINT

6. Access the device from the GUI using its FQDN
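The checks in this procedure (no identity certificate before enrollment, CA certificate present after authenticate, identity certificate present after enroll) can be scripted against the `show crypto pki certificates` output. The Python below is an added example, not part of the original post and not Cisco code; the sample output is constructed, the device clock is assumed to be UTC, and `auto-enroll 30` is treated as a renewal request once 30% of the certificate lifetime has elapsed.

```python
import re
from datetime import datetime, timezone
# Constructed sample of `show crypto pki certificates` output (not captured from a real 9800).
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Subject:
    cn=9800DMZ-2.netprojekralac.com
  Validity Date:
    start date: 10:00:00 UTC Jan 10 2025
    end   date: 10:00:00 UTC Jan 10 2026
  Associated Trustpoints: 9800DMZ-2-HTTPS-TRUSTPOINT

CA Certificate
  Status: Available
  Validity Date:
    start date: 10:00:00 UTC Jan 01 2024
    end   date: 10:00:00 UTC Jan 01 2034
  Associated Trustpoints: 9800DMZ-2-HTTPS-TRUSTPOINT
"""
DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) \S+ (\w{3} \d\d \d{4})")

def parse_certificates(text):
    """Split the show output into dicts: kind (ca/identity), status, trustpoints, start, end."""
    certs = []
    for block in re.split(r"\n(?=(?:CA )?Certificate\n)", text.strip()):
        cert = {"kind": "ca" if block.startswith("CA ") else "identity"}
        if m := re.search(r"Status:\s+(\S+)", block):
            cert["status"] = m.group(1)
        if m := re.search(r"Associated Trustpoints:\s*(.*)", block):
            cert["trustpoints"] = m.group(1).split()
        # Device clock assumed to be UTC; the zone token is skipped rather than parsed.
        for which, clock, day in DATE_RE.findall(block):
            cert[which] = datetime.strptime(f"{clock} {day}", "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)
        certs.append(cert)
    return certs

def trustpoint_status(certs, trustpoint, now_utc):
    """Answer the checks in the procedure: CA authenticated? identity cert enrolled? days left? renewal due?"""
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    mine = [c for c in certs if trustpoint in c.get("trustpoints", []) and c.get("status") == "Available"]
    report = {"ca_authenticated": any(c["kind"] == "ca" for c in mine), "enrolled": False}
    ident = [c for c in mine if c["kind"] == "identity" and "end" in c]
    if ident:
        cert = max(ident, key=lambda c: c["end"])
        # auto-enroll 30 regenerate: the router requests renewal once 30% of the lifetime has elapsed.
        renew_at = cert["start"] + (cert["end"] - cert["start"]) * 0.30
        report.update(enrolled=True, days_left=(cert["end"] - now).days, renew_due=now >= renew_at)
    return report
```

Run it against the output of step 3 (only the CA certificate should be listed) and again after step 4 (the identity certificate must show Status: Available).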
