[c-nsp] Cisco IOS certificate enroll with Microsoft CA
Hughes, Scott GRE-MG
SHughes at GREnergy.com
Fri Dec 16 12:37:54 EST 2011
I'm trying to get a Cisco IOS router to enroll with a Windows 2008 R2-based CA. I'm partially successful.
What I'd like to do:
1. Router enrolls via SCEP, no challenge password required.
2. Certificate goes into "pending" status and is approved by a certificate manager.
3. Router can automatically renew this certificate via SCEP. Renewal does not require certificate manager approval.
I've read the Cisco docs, which are vague about details. I have #1 and #2 working, above. My problem is the renewal requests go into "pending" status.
In my certificate template on the 2008 server side, I have the checkbox "Require Valid Existing Certificate" for reenrollment. (see attachment)
Has anyone gotten this working? Is it possible?
I've set the HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\DisableRenewalSubjectNameMatch to 1 on the CA as indicated in http://support.microsoft.com/kb/959193/en-us to no avail.
Router config:

crypto pki trustpoint TEST-SERVER
 enrollment retry count 100
 enrollment retry period 2
 enrollment mode ra
 enrollment url http://x.x.x.x:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 vrf GRE-RA
 revocation-check crl
 rsakeypair TEST-SERVER 1024 1024
 auto-enroll 70 regenerate
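The trustpoint block in the post carries several settings that matter when reviewing a SCEP auto-enrollment setup: the key size, whether renewal regenerates the key pair, the revocation check, and how long the router keeps retrying a request that sits in "pending". The script below is an added example written for this thread, not the poster's code or anything from Cisco or Microsoft. It parses `crypto pki trustpoint` blocks out of an IOS config and reports findings against a policy floor of 2048-bit RSA (that floor is an assumption of the example, not an IOS default). The sample config embedded in it is the poster's block, re-indented the way IOS prints it, plus a second constructed variant to show what a clean result looks like.

```python
import re

# Constructed sample input: the trustpoint from the post, indented as IOS shows it.
SAMPLE_CONFIG = """\
crypto pki trustpoint TEST-SERVER
 enrollment retry count 100
 enrollment retry period 2
 enrollment mode ra
 enrollment url http://x.x.x.x:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 vrf GRE-RA
 revocation-check crl
 rsakeypair TEST-SERVER 1024 1024
 auto-enroll 70 regenerate
"""

# Constructed variant: same trustpoint with a 2048-bit key and no 'regenerate'.
VARIANT_CONFIG = SAMPLE_CONFIG.replace("1024 1024", "2048 2048") \
                              .replace("auto-enroll 70 regenerate", "auto-enroll 70")

MIN_RSA_BITS = 2048  # assumption: the reviewer's policy floor, not an IOS default


def parse_trustpoints(config):
    """Return {trustpoint: {keyword: [args]}} for every 'crypto pki trustpoint' block.

    Sub-commands are the indented lines that follow the block header. For
    'enrollment ...' lines the key is everything but the last token, so that
    'enrollment retry count' and 'enrollment retry period' stay distinct.
    """
    trustpoints = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = re.match(r"crypto pki trustpoint (\S+)$", line)
        if header:
            current = header.group(1)
            trustpoints[current] = {}
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the block
            continue
        parts = line.split()
        if parts[0] == "enrollment" and len(parts) >= 3:
            trustpoints[current][" ".join(parts[:-1])] = [parts[-1]]
        else:
            trustpoints[current][parts[0]] = parts[1:]
    return trustpoints


def retry_window_minutes(tp):
    """Total time the router keeps polling a pending request: count x period (minutes)."""
    count = int(tp.get("enrollment retry count", ["0"])[0])
    period = int(tp.get("enrollment retry period", ["0"])[0])
    return count * period


def audit_trustpoint(tp):
    """Return a list of human-readable findings for one parsed trustpoint."""
    findings = []

    keypair = tp.get("rsakeypair", [])
    sizes = [int(tok) for tok in keypair[1:] if tok.isdigit()]
    if sizes and min(sizes) < MIN_RSA_BITS:
        findings.append(f"rsakeypair: {min(sizes)}-bit RSA is below the {MIN_RSA_BITS}-bit floor")

    auto = tp.get("auto-enroll")
    if auto is None:
        findings.append("auto-enroll: not configured, the certificate will lapse without renewal")
    elif "regenerate" not in auto:
        findings.append("auto-enroll: no 'regenerate', renewal reuses the existing key pair")

    if tp.get("revocation-check") == ["none"]:
        findings.append("revocation-check: disabled, revoked peer certificates are still accepted")

    if retry_window_minutes(tp) == 0:
        findings.append("enrollment retry: no retry window, a pending request is never re-polled")

    return findings


def audit_config(config):
    """Audit every trustpoint in a config; returns {trustpoint: [findings]}."""
    return {name: audit_trustpoint(tp) for name, tp in parse_trustpoints(config).items()}


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, VARIANT_CONFIG):
        for name, findings in audit_config(cfg).items():
            window = retry_window_minutes(parse_trustpoints(cfg)[name])
            print(f"{name}: pending-request retry window {window} min")
            for f in findings or ["no findings"]:
                print("  -", f)
```

Run it as-is and the poster's block reports the 1024-bit key and a 200-minute retry window (100 retries, 2 minutes apart), which is the bound on how long the router will keep polling a request that a certificate manager has not yet approved; the variant reports only the missing `regenerate`.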