While testing IPsec with a Microsoft Certification Authority (CA), we ran into problems, and “debug crypto isakmp” showed us a lot of detail. One message stood out: “Unable to get router cert or routerdoes not have a cert: needed to find DN!”. After much googling we found out, the hard way, that the Microsoft Certification Authority server requires certificate requests to be issued manually. This can be changed so that requests are issued automatically. You can confirm that this is the cause by running “show crypto pki trustpoint status” on the routers; you will see “Certificate request(s) ….. Pending”.
Head to the Microsoft Certification Authority server:
1. Go to Start > Administrative Tools > Certification Authority
2. Right-click the server name > Properties
3. Policy Module tab > Properties
4. Select “Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.”
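
To re-check the routers after changing the setting, the following added example (not part of the original post) parses saved “show crypto pki trustpoint status” output and lists the trustpoints whose request is still pending. The sample output, the trustpoint names and the “Yes” value for a completed request are constructed assumptions; only the “Certificate request(s) ….. Pending” line comes from the post.

```python
import re

# Constructed sample of "show crypto pki trustpoint status" output for two
# trustpoints; names and layout are illustrative, not captured from a device.
SAMPLE_OUTPUT = """\
Trustpoint MS-CA:
  Issuing CA certificate configured:
    Subject Name:
     cn=Example-Issuing-CA
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Pending

Trustpoint LAB-CA:
  Issuing CA certificate configured:
    Subject Name:
     cn=Example-Lab-CA
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes
"""

TRUSTPOINT_RE = re.compile(r"^Trustpoint\s+(\S+?):\s*$")
# Accept both ASCII dots and the typographic ellipsis as the leader.
REQUEST_RE = re.compile(r"^\s*Certificate request\(s\)[\s.\u2026]*(\S+)")

def enrollment_states(output):
    """Map each trustpoint name to its 'Certificate request(s)' value."""
    states, current = {}, None
    for line in output.splitlines():
        m = TRUSTPOINT_RE.match(line)
        if m:
            current = m.group(1)
            states[current] = None  # no request line seen yet
            continue
        m = REQUEST_RE.match(line)
        if m and current is not None:
            states[current] = m.group(1)
    return states

def pending_trustpoints(output):
    """Trustpoints whose request is still waiting on the CA."""
    return [name for name, state in enrollment_states(output).items()
            if state is not None and state.lower() == "pending"]

if __name__ == "__main__":
    for name in pending_trustpoints(SAMPLE_OUTPUT):
        print(f"{name}: certificate request pending, not yet issued by the CA")
```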