[EMAIL PROTECTED] wrote:

Hi all,
is there a step-by-step guide to realize enrollment between PIX 6.2 and OpenCA 0.9.2rc3? Thanks to all

not that detailed - the documentation has all the necessary steps; the pix setup you take from the cisco documentation

but i will provide a step by step guide around next week
for setting up a cisco based environment with openca

based on pix 6.3 (but it's the same steps for older software
versions and the cisco vpn client for windows)

but in short - very basic:
- install openca (like it fits your needs)
  have a look into openca-documentation how to do this ;o)
- during initialisation steps of the ca just generate one more
  ra-certificate (role should be web-server)
- this one you have to put somewhere inside the ra-file-space
  and set the paths (including filename of key and cert) at the
  scep section in .../etc/config.xml

but actually this should also be mentioned in the openca-documentation
on how to set up scep...

at the pix side you have to set the type to ra, not ca:
then authenticate and then start the enrollment
example: ca conf test ra 3 10

after the enrollment you will find a normal request at the ra
you just process through your pki system...

when the final certificate is published at the ra, the pix will fetch it automatically if it's inside the specified timeout (example above 30min)

before a client can connect you have to fetch the crl, or for testing purposes you can give the "crloptional" parameter at the "ca conf" command (for details see the cisco documentation, also how to fetch a crl manually)

if you enroll with ip address or serial number you have to provide it in the subject alternative name as dns or ip and at the dn as requested (unstructuredAddress for example); openca supports the required certificate fields...

for the client certificates you have to keep in mind to set up the vpn-group names at the pix corresponding to an existing "ou" inside the certificates

so if you have a vpn-group named test - there must! be an ou field inside the client certificate which has the value "test", otherwise the pix will not find any matching configuration and your client will not be able to establish a vpn connection to the pix as vpn gateway

at the pix you usually see then something like - it could not give an internal ip to the client, therefore kills the connection, since no matching vpn-group is found...

so phase 1 will work (verification of certificates), but phase 2 will usually die because of this common pitfall (it's mentioned in the pix documentation, but one can easily overlook this ;o) and the error description is a bit irritating...

hope this helps for the moment


greetings dalini
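The vpn-group / "ou" pitfall described in the reply above can be caught at the RA before a certificate is issued. The following is an added example, not code from the OpenCA project or from the mail's author: it parses a subject DN string, collects the OU values, and reports which configured PIX vpn-group name (if any) the certificate would map to. The group names, the sample DNs and the exact (case-sensitive) string comparison are assumptions made for the example; the mail only states that the OU value must equal the group name.

```python
"""
Pre-flight check for the OU / vpn-group pitfall.

Added example, not OpenCA or Cisco code.  The PIX picks the vpn-group for
an incoming client certificate by looking for an OU attribute whose value
equals a configured group name; when none matches, IKE phase 1 succeeds
but phase 2 fails with a misleading "could not assign internal ip" style
message.  The helpers below let an RA operator check subject DNs against
the configured group names before the certificates leave the PKI.
"""

from typing import Dict, List, Optional, Tuple

RDN = List[Tuple[str, str]]


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 2253-style DN ("CN=alice,OU=test,O=Example") into a
    list of RDNs.  Each RDN is a list of (type, value) pairs so that
    multi-valued RDNs ("OU=eng+OU=sales") are kept together.  Backslash
    escapes (for ',', '+', '=' and '\\') are honoured."""
    rdns: List[RDN] = []
    rdn: RDN = []
    attr_type = ""
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not attr_type:          # first '=' separates type from value
            attr_type = "".join(buf).strip().upper()
            buf = []
        elif ch in ",+":                         # end of one attribute
            rdn.append((attr_type, "".join(buf).strip()))
            attr_type, buf = "", []
            if ch == ",":                        # ',' also ends the RDN
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    if attr_type or buf:                         # flush the last attribute
        rdn.append((attr_type, "".join(buf).strip()))
    if rdn:
        rdns.append(rdn)
    return rdns


def ou_values(dn: str) -> List[str]:
    """All OU values in the subject, in order of appearance."""
    return [v for rdn in parse_dn(dn) for t, v in rdn if t == "OU"]


def match_vpngroup(dn: str, vpngroups: List[str]) -> Optional[str]:
    """Return the first configured vpn-group named by an OU of the subject,
    or None (the phase-2 failure case).  Exact string comparison is an
    assumption of this example; the mail only says the OU must carry the
    group name."""
    groups = set(vpngroups)
    for ou in ou_values(dn):
        if ou in groups:
            return ou
    return None


def preflight(certs: Dict[str, str], vpngroups: List[str]) -> Dict[str, str]:
    """Check {label: subject DN} against the PIX vpn-group list and return
    {label: diagnosis}, so mismatches are found before issuance."""
    report: Dict[str, str] = {}
    for label, dn in certs.items():
        group = match_vpngroup(dn, vpngroups)
        if group is not None:
            report[label] = "ok: maps to vpn-group '%s'" % group
        else:
            ous = ou_values(dn) or ["<none>"]
            report[label] = ("phase 2 will fail: OU %s matches no vpn-group in %s"
                             % (ous, sorted(vpngroups)))
    return report


# Constructed sample data (not from the mail): vpn-group names as they
# would be configured on the PIX, and subject DNs of pending requests.
VPNGROUPS = ["test", "sales"]
SAMPLE_CERTS = {
    "alice": "CN=alice,OU=test,O=Example Corp,C=DE",
    "bob":   "CN=bob,OU=Test,O=Example Corp,C=DE",       # case differs from group name
    "carol": "CN=carol,OU=eng+OU=sales,O=Example Corp",   # multi-valued RDN
    "dave":  "CN=dave\\, Jr.,O=Example Corp",             # escaped comma, no OU at all
}

if __name__ == "__main__":
    for label, line in preflight(SAMPLE_CERTS, VPNGROUPS).items():
        print("%-6s %s" % (label, line))
```

Running the block prints one line per request; "alice" and "carol" map to a group, while "bob" and "dave" are flagged as the case where the PIX would complete phase 1 and then drop the connection for lack of a matching vpn-group.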


