Cisco
Anastasia_K, 2012-12-16 15:38:42

Trouble getting a certificate on the router?

Colleagues, good day. A strange situation has arisen. There is a Cisco 881 with firmware c880data-universalk9-mz.151-4.M1.bin. A Windows Certificate Authority (SCEP) is configured on it.

crypto pki trustpoint RootCA
 enrollment mode ra
 enrollment url http://192.168.1.1:80/certsrv/mscep/mscep.dll
 usage ike
 usage ssl-server
 usage ssl-client
 serial-number none
 ip-address none
 subject-name CN=my,OU=it,O=ru
 crl query ldap://192.168.1.2
 revocation-check crl
 auto-enroll

I run crypto pki authenticate RootCA; the certificate is obtained and installed.
Then I run crypto pki enroll RootCA, enter the password from SCEP, and get:
%PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority

On the CA at this time, an error appears:
the signature of the certificate cannot be verified 0x80096004(-2146869244)

Meanwhile, a 2811 next to it with firmware c2900-universalk9-mz.SPA.152-4.M1.bin receives its certificate without problems. The CA config on the 881 is copied entirely from the working 2811.
I ran certutil -setreg CA\csp\AlternateSignatureAlgorithm 0; it did not help. What could be the problem and how can I overcome it?


1 answer(s)
Anastasia_K, 2012-12-16
@Anastasia_K

That's how it always is: as soon as I asked the question, I got to the bottom of the solution myself :)
I had to regenerate the RSA keys on the router:

crypto key generate rsa modulus 1024 general-keys

After that, everything worked great :)
