
OPERATIONAL DEFECT DATABASE
This enhancement request is to allow a third-party CA to be the root certificate server. As per the document below, this is not supported: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-cfg-mng-cert-serv.html?bookSearch=true#GUID-0C08AAC2-D4EB-4113-B921-DDF7E13E2358

Only IOS-XE is supported as the root CA server. It will show something like: "Router cert issues mismatch". Tried manual enrollment, but it is not helping: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/211333-IOS-PKI-Deployment-Guide-Initial-Design.html#anc37 It shows the same error.

Using a third-party CA as the root CA certificate server.

As a workaround, you can leave the third-party CA server, but you have to adjust the parameters: https://www.rfc-editor.org/rfc/rfc3280.html#page-94