Meraki

Community

SCEP Certificate missing required extensions

eh_cve_cc
Conversationalist
‎Jul 6 2023 12:28 PM
‎Jul 6 2023 12:28 PM

SCEP Certificate missing required extensions

Hello,

 

I tried renewing our SCEP cert with our Windows certification authority and it will not upload due to error "SCEP Certificate missing required extensions". We dont use OPENSSL for our CA so the instructions and help article do not help... What are the required extensions??

Labels:
0 Kudos
5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 6 2023 5:05 PM
‎Jul 6 2023 5:05 PM

What in Meraki land are you using SCEP for?

 

If you open the Certificate Template in Microsoft CA server - what are listed as the required extensions?

0 Kudos
In response to PhilipDAth
eh_cve_cc
Conversationalist
‎Jul 10 2023 2:24 PM
‎Jul 10 2023 2:24 PM

I would guess for Wi-Fi security and authentication, but I am not sure why we are using that. Since it would make the Meraki portal a subordinate CA, i believe it would use the subordinate CA template. That one I have set to only require a common name. Systems manager has a new requirement that an additional file is icreated when the cert is generated. I created a template that has these extra settings but still no luck with the cert.

 

Where `configuration_file.ext` contains the following extension value pairs:

basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,digitalSignature
0 Kudos
grgibbs
Conversationalist
‎Jan 24 2024 4:24 PM
‎Jan 24 2024 4:24 PM

I'm having the same issue trying to update my expired SCEP certificate. I've tried using the built-in SubCA template in ADCS as well as created new templates, but I cannot seem to get the Meraki Dashboard to accept anything signed by ADCS.

Here are the basic constraints and key usage settings in my SubCA template.
Screenshot 2024-01-25 at 11.17.31 am.pngScreenshot 2024-01-25 at 11.17.39 am.png

 

And the resulting signed certificate from the Meraki CSR:

Screenshot 2024-01-25 at 11.19.35 am.png

 

Screenshot 2024-01-25 at 11.19.54 am.png

Screenshot 2024-01-25 at 11.20.10 am.png

Has anyone been able to get this working with the newer requirements and ADCS?

0 Kudos
grgibbs
Conversationalist
‎Jan 28 2024 10:22 PM
‎Jan 28 2024 10:22 PM

Okay, I was able to use the following workaround in my lab environment to update the SCEP certificate.

 

Using OpenSSL to sign the certificate is not ideal as that certificate would live outside of the control and knowledge of ADCS.

 

However, since this is just a lab environment, I was able to use the following option to extract the Root CA cert and key from my ADCS in p12 format.

https://support.citrix.com/article/CTX224970/how-to-export-internal-root-ca-with-private-key-from-mi...

 

I was then able to use the openssl commands in this document to extract the certificate and key in PEM format and then use OpenSSL to sign the Meraki SCEP cert.

https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl/

 

I doubt this option would be acceptable for a customer Production environment, but it works for my lab setup.

In response to grgibbs
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 29 2024 11:03 AM
‎Jan 29 2024 11:03 AM

Well done.  Clever work around.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.