Having problems configuring the Microsoft CA for giving certificates to a
PIX.
I am trying to configure Microsoft CA Certificate Server with the PIX, and I
am unable to obtain the CA or RA certificate, so, the certificate request
fails.
I have followed the instructions I found in the Instutor site, but it
doesn't work for me.
First, I installed the CA in standalone mode, and gave a certificate to it.
Later I took the cepsetup.exe from the Windows 2000 resource toolkit and
installed SCEP support for Microsoft CA. I was requested to enter the
information for an RA certificate, so I did. After resetting, of course, I
typed the following commands from the pix:

clock set "current time, the same as in the CA"
ip domain-name example.com
ip hostname pix
ca generate rsa key 512
ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll
ca configure alexnap ra 1 5 crloptional
and NOW.....
when I type ca authenticate alexnap I obtain the following:


sanjose(config)# ca authenticate alexnap

C
IC trhryeadp tsol eCeAp st!hread wakes up!
CRYPTO_PKI: http connection opened
PKI: key process suspended and continued
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while
selecting
certificate status

CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while
selecting
certificate status

CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: status = 0: failed to get ca name from cert
CRYPTO_PKI: can not set ra public key
CRYPTO_PKI: status = 0: failed to get ca name from cert
CRYPTO_PKI: can not set ra public key
CRYPTO_PKI: transaction GetCACert completed
Certificate has the following attributes:
Fingerprint: 8698efea 67ec44a8 5c3abb18 a3b3da54
CRYPTO_PKI: status = 0: failed to get ca name from cert
CRYPTO_PKI: can not set ra public key
CRYPTO_PKI: status = 0: failed to get ca name from cert
CRYPTO_PKI: can not set ra public key
Crypto CA thread sleeps!
CI thread wakes

INDICATING TO ME THAT THE RA AND CA PUBLIC KEYS COULD NOT BE SET.

NOW WHEN I REQUEST A CERTIFICATE..........I OBTAIN THE FOLLOWING MESSAGE
FROM THE DEBUG CRYPTO CA..

sanjose(config)# CA ENROLL ALEXNAP CISCO
%

C%r Sytaprtto cCeAr titfihcraetaed enroll mweankt ..

% Thee subject names in utphe ce!rtificate will be:
sanjose.softneteurope.com
CI thread sleeps!
CI thread wakes up!% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.

sanjose(config)#
sanjose(config)#
sanjose(config)#
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps!
CRYPTO_PKI: status = 0: failed to select RA encrypt cert
CRYPTO_PKI: status = 65535: failed to set up peer auth context
CRYPTO_PKI: status = 65535: fail to send out pkcsreq
CRYPTO__PKI: All sockets are closed.

WHAT IS GOING ON HERE, ANY HELP, OR SHOULD WE CHANGE THE CA OR SHOULD WE
CONSTRUCT THE VPN WITH WINDOWS 2000 ( A SHAME)


