Hi to all,

I ran into a big problem while trying to enroll a certificate request from a PIX FW to 
OpenCA 0.9.2RC3. CA and RA are installed on the same machine, and the initialisation 
process ran through without any errors. The data exchange configuration part is set to 
"6 --> Act as CA and RA". After the initialisation I created another "Initial RA 
Certificate" with type web-server. 
After that I downloaded the PEM-formatted certificate and key and installed them in the 
path <OPENCADIR>/var/crypt/certs. Then I configured my scep.conf to look at these 
files.
The next step I did was to configure my PIX firewall (Vers. 6.3.3). The following 
commands have been entered:

1. ca generate rsa key 1024
2. ca identity <ca-nickname> <IP-ADDRESS of OpenCA-Server>/cgi-bin/scep
3. ca configure <ca-nickname> ra 2 20 crloptional
4. ca authenticate <ca-nickname> 

Then follows this output:

CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting 
certificate status
pix(config)#
CRYPTO_PKI: Name: Serial Number = 9, CN = xxx.xxx.xxx, OU = <ca-nickname>, O = 
<company>, C = de
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Name: Serial Number = 9, CN = xxx.xxx.xxx, OU = <ca-nickname>, O = 
company, C = de
Crypto CA thread sleeps!
CI thread wakes up!

After a few seconds the command "show ca cert" shows the CA Certificate and the 
initial RA Certificate.

5. ca enroll <ca-nickname> <enroll-password>

This output follows:

% Start certificate enrollment ..

% The subject name in the certificate will be: xxx.xxx.xxx

CI thread sleeps!
Crypto CA thread wakes up!
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
pix(config)#
CI thread wakes up!
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps!
CRYPTO_PKI: http connection opened
CRYPTO_PKI:  received msg of 2054 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 81 a8 62 74 f5 0d 52 16 5a c0 d1 40 16 d4 ad 68
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 64 63 34 37 36 33 66 64 39 39 64 37 63 34 61 63 32 34
38 35 61 39 38 35 66 34 38 34 65 30 38 37
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: http connection opened
CRYPTO_PKI:  received msg of 2054 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 87 e9 6a 3e d0 16 d5 26 bb 4d 39 54 2a 9e 3c dd
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 64 63 34 37 36 33 66 64 39 39 64 37 63 34 61 63 32 34
38 35 61 39 38 35 66 34 38 34 65 30 38 37
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: All enrollment requests completed.
Insert Selfsigned Certificate:

From now on the request can be seen in OpenCA with the following DN:

unstructuredName=xxx.xxx.xxx+CN=xxx.xxx.xxx
with the requested role VPN-Server, whereby xxx.xxx.xxx is the fully qualified domain 
name of the PIX.

If I try to issue the certificate from the given request, the following error occurs:

Error 6761
General Error. Error while issuing Certificate to (filename: 
/usr/local/openca/var/tmp/0C.req). 


OpenCA::OpenSSL returns errocode 7731075 (OpenCA::OpenSSL->issueCert: OpenSSL fails 
(256). )..

Does anybody have an idea what went wrong with this enrollment? Why can't the PIX construct 
a certificate chain? 

Thanks to all!!

Kind regards,

Bernd Probst
Econtec GmbH
Spittlertorgraben 13
90429 Nürnberg

Office Phone: +49-911-929968-33
e-Mail:           [EMAIL PROTECTED]
Internet:          www.econtec.de
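The "signed attr" lines in the PIX debug output above are raw DER values. The following decoder is an added example (not code from the poster, from OpenCA or from Cisco) that turns them into readable SCEP message types and status codes, using the code points defined in the SCEP specification (RFC 8894). Run on the first CertRep from the post, it shows messageType 3 (CertRep) with pkiStatus 3 (PENDING), which is what the "status = 102: certificate request pending" line reports, and it recovers the 32-character transaction ID the PIX sent.

```python
# Decoder for the SCEP signed-attribute hex dumps printed by "debug crypto ca"
# on the PIX: pki-message-type, pki-status, pki-recipient-nonce and
# pki-transaction-id. Each value is one short-form DER TLV: PrintableString
# (tag 0x13) for the text attributes, OCTET STRING (tag 0x04) for the nonce.
# Code-point tables are the ones defined by SCEP (RFC 8894).

MESSAGE_TYPES = {"3": "CertRep", "17": "RenewalReq", "19": "PKCSReq",
                 "20": "CertPoll/GetCertInitial", "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}


def decode_tlv(hexdump):
    """Parse one short-form DER TLV from a space-separated hex dump."""
    data = bytes.fromhex(hexdump.replace("\n", " "))
    tag, length = data[0], data[1]
    if length & 0x80:
        raise ValueError("long-form length not expected in these attribute dumps")
    if len(data) != 2 + length:
        raise ValueError(f"length byte says {length}, got {len(data) - 2} value bytes")
    value = data[2:]
    if tag == 0x13:            # PrintableString: message type, status, transaction id
        return value.decode("ascii")
    if tag == 0x04:            # OCTET STRING: the 16-byte nonce
        return value.hex()
    raise ValueError(f"unexpected tag 0x{tag:02x}")


def decode_attrs(attrs):
    """Map attribute name -> decoded value, with SCEP code points annotated."""
    out = {}
    for name, dump in attrs.items():
        val = decode_tlv(dump)
        if name == "pki-message-type":
            val = f"{val} ({MESSAGE_TYPES.get(val, 'unknown')})"
        elif name == "pki-status":
            val = f"{val} ({PKI_STATUS.get(val, 'unknown')})"
        out[name] = val
    return out


# Values copied from the first CertRep in the debug output of the post.
SAMPLE = {
    "pki-message-type": "13 01 33",
    "pki-status": "13 01 33",
    "pki-recipient-nonce": "04 10 81 a8 62 74 f5 0d 52 16 5a c0 d1 40 16 d4 ad 68",
    "pki-transaction-id": ("13 20 64 63 34 37 36 33 66 64 39 39 64 37 63 34 61 63 32 34 "
                           "38 35 61 39 38 35 66 34 38 34 65 30 38 37"),
}

if __name__ == "__main__":
    for name, val in decode_attrs(SAMPLE).items():
        print(f"{name}: {val}")
```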




_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users