Hello Alejandro,

I have never seen what you have described, but I have gotten this to
work and here's a couple things I remember I had to do:

1) Cisco recommends at least ver 5.2(x) -- I was unable to get VPN
clients AND the PIX to work together with version 5.1(2) (although
they could both get RA certificates from the CA Server)
2) When installing the MS CA server, select Advanced options and make
sure the keys are 512.  Same for the MSCEP RA setup.
3) For MSCEP and setting up the RA, I filled in the fields with
the exact same information I filled in the CA fields with.
4) Make sure you can view http://10.0.0.2:/certsrv/mscep/mscep.dll
from your web browser, and even make sure the fingerprint it shows is
the fingerprint you get in your debugs: 8698efea 67ec44a8 5c3abb18 a3b3da54

Those are just a few things I can think of right now...

Jeff


Friday, March 02, 2001, 6:44:17 AM, you wrote:

AN> Having problems configuring the Microsoft CA for giving certificates to a
AN> PIX.
AN> I am trying to configure microsoft CA Certificate Server with the PIX, and I
AN> am unable to obtain the CA or RA certificate, so, the certificate request
AN> fails.
AN> I have followed the instructions I found in the Instutor site, but it
AN> doesn't work for me.
AN> First, I installed the CA in standalone mode, and gave a certificate to it.
AN> Later I took the cepsetup.exe from the Windows 2000 resource toolkit and
AN> installed SCEP support for Microsoft CA. I was requested to enter the
AN> information for a RA certificate, so I did. After resetting, of course, I
AN> typed the following commands from the pix:

AN> clock set "current time, the same as in the CA"
AN> ip domain-name example.com
AN> ip hostname pix
AN> ca generate rsa key 512
AN> ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll
AN> ca configure alexnap ra 1 5 crloptional
AN> and NOW.....
AN> when I type ca authenticate alexnap I obtain the following


AN> sanjose(config)# ca authenticate alexnap

AN> C
AN> IC trhryeadp tsol eCeAp st!hread wakes up!
AN> CRYPTO_PKI: http connection opened
AN> PKI: key process suspended and continued
AN> CRYPTO_PKI: WARNING: A certificate chain could not be constructed while
AN> selecting
AN> certificate status

AN> CRYPTO_PKI: Can not get name ava count
AN> CRYPTO_PKI: can not decode router sub name.
AN> CRYPTO_PKI: Can not get name ava count
AN> CRYPTO_PKI: can not decode router sub name.
AN> CRYPTO_PKI: Can not get name ava count
AN> CRYPTO_PKI: can not decode router sub name.
AN> CRYPTO_PKI: WARNING: A certificate chain could not be constructed while
AN> selecting
AN> certificate status

AN> CRYPTO_PKI: Can not get name ava count
AN> CRYPTO_PKI: can not decode router sub name.
AN> CRYPTO_PKI: Can not get name ava count
AN> CRYPTO_PKI: can not decode router sub name.
AN> CRYPTO_PKI: Can not get name ava count
AN> CRYPTO_PKI: can not decode router sub name.
AN> CRYPTO_PKI: status = 0: failed to get ca name from cert
AN> CRYPTO_PKI: can not set ra public key
AN> CRYPTO_PKI: status = 0: failed to get ca name from cert
AN> CRYPTO_PKI: can not set ra public key
AN> CRYPTO_PKI: transaction GetCACert completed
AN> Certificate has the following attributes:
AN> Fingerprint: 8698efea 67ec44a8 5c3abb18 a3b3da54
AN> CRYPTO_PKI: status = 0: failed to get ca name from cert
AN> CRYPTO_PKI: can not set ra public key
AN> CRYPTO_PKI: status = 0: failed to get ca name from cert
AN> CRYPTO_PKI: can not set ra public key
AN> Crypto CA thread sleeps!
AN> CI thread wakes

AN> INDICATING ME THAT THE RA AND CA PUBLIC KEYS COULD NOT BE SET.

AN> NOW WHEN I REQUEST A CERTIFICATE..........I OBTAIN THE FOLLOWING MESSAGE
AN> FROM THE DEBUG CRYPTO CA..

AN> sanjose(config)# CA ENROLL ALEXNAP CISCO
AN> %

AN> C%r Sytaprtto cCeAr titfihcraetaed enroll mweankt ..

AN> % Thee subject names in utphe ce!rtificate will be:
AN> sanjose.softneteurope.com
AN> CI thread sleeps!
AN> CI thread wakes up!% Certificate request sent to Certificate Authority
AN> % The certificate request fingerprint will be displayed.

AN> sanjose(config)#
AN> sanjose(config)#
AN> sanjose(config)#
AN> CRYPTO_PKI: transaction PKCSReq completed
AN> CRYPTO_PKI: status:
AN> Crypto CA thread sleeps!
AN> CRYPTO_PKI: status = 0: failed to select RA encrypt cert
AN> CRYPTO_PKI: status = 65535: failed to set up peer auth context
AN> CRYPTO_PKI: status = 65535: fail to send out pkcsreq
AN> CRYPTO__PKI: All sockets are closed.

AN> WHAT IS GOING ON HERE, ANY HELP, OR SHOULD WE CHANGE THE CA OR SHOULD WE
AN> CONSTRUCT THE VPN WITH WINDOWS 2000 ( A SHAME)



AN> _________________________________
AN> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
AN> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
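
Step 4 of the reply, as an added example that is not part of either message: a Python check that pulls the fingerprint and the CRYPTO_PKI failure lines out of a debug transcript and compares the fingerprint with the value read from the mscep.dll page. The function names and the colon-separated form of the browser value are assumptions, and the sample transcript is constructed from lines quoted in the thread.

```python
import hmac
import re
from collections import Counter

# Constructed sample: lines in the shape of the debug output quoted in the thread.
DEBUG_OUTPUT = """\
CRYPTO_PKI: http connection opened
CRYPTO_PKI: status = 0: failed to get ca name from cert
CRYPTO_PKI: can not set ra public key
CRYPTO_PKI: transaction GetCACert completed
Certificate has the following attributes:
Fingerprint: 8698efea 67ec44a8 5c3abb18 a3b3da54
CRYPTO_PKI: status = 0: failed to get ca name from cert
CRYPTO_PKI: can not set ra public key
"""

QUOTE_RE = re.compile(r"^(?:\w{1,4}>\s?)+")  # strips mail quote prefixes such as "AN> "
FAIL_RE = re.compile(r"^CRYPTO_+PKI: (?:status = \d+: )?((?:failed|fail|can not) .+)$", re.I)

def normalize(fp):
    """Reduce a fingerprint to 32 lower-case hex digits, whatever the separators."""
    digits = re.sub(r"[\s:-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digits):
        raise ValueError("not a 128-bit hex fingerprint: %r" % fp)
    return digits

def review(debug_text, trusted_fp):
    """Compare the fingerprint in the debug output with the trusted one
    (hypothetical helper; trusted_fp is the value copied from the browser)."""
    seen, failures = None, Counter()
    for raw in debug_text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        m = re.match(r"Fingerprint:\s*(.+)$", line, re.I)
        if m:
            seen = normalize(m.group(1))
            continue
        f = FAIL_RE.match(line)
        if f:
            failures[f.group(1).lower()] += 1
    match = seen is not None and hmac.compare_digest(seen, normalize(trusted_fp))
    # A matching fingerprint alone is not success: the failure lines count too.
    return {"fingerprint": seen, "match": match,
            "failures": failures, "ok": bool(match and not failures)}

if __name__ == "__main__":
    result = review(DEBUG_OUTPUT, "86:98:EF:EA:67:EC:44:A8:5C:3A:BB:18:A3:B3:DA:54")
    print(result["match"], result["ok"], dict(result["failures"]))
```

On this transcript the fingerprints agree but the result is still not ok, because the RA public key lines show the authenticate step did not complete.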

