Hi dalini, thanks for your answers!
> Bernd Probst wrote:
> >
> > Has anybody an idea what went wrong with this enrollment. Why can't
> > the pix construct a certificate chain?
>
> i would say - nothing went actually wrong
> the chain warning will occur if the ra cert is the first one in the pkcs#7
> file - so when it gets installed at the pix - the self-signed-ca-cert
> isn't known - so there can't be a verification
>
> i will have a look at the code which builds the pkcs#7 file, in which
> order the certs get added to it...
>
> but if you can see the certs - then the pix has installed them, and
> usually they are marked as active - so they are usable

The certs are marked as active, but I can see no serial number on the CA certificate in the PIX. Is this correct?

> it could also be possible, since no fingerprint is provided, that the
> pix doesn't know if it can trust the self-signed ca-cert, this warning
> usually is only shown in debugging mode - so i think the first reason
> may be the source for this warning
>
> --------
>
> so with the enrollment itself everything seems to be ok so far, till
> this openssl error, because the pix gets the expected pending answer
> through scep - which is also shown in your debugging information
>
> so there is just some problem with issuing the certificate at the ca
>
> > If I try to issue the certificate with the given request, the following
> > error occurs:
> > Error 6761
> > General Error. Error while issuing Certificate to (filename:
> > /usr/local/openca/var/tmp/0C.req).
> > OpenCA::OpenSSL returns errocode 7731075 (OpenCA::OpenSSL->issueCert:
> > OpenSSL fails (256). )..
>
> this looks like a configuration error inside the openssl config files,
> meaning the extfiles or the openssl files itself - see the subdirectories
> below .../etc/openssl/ either openssl or extfiles
>
> so - some questions arise at this point:
> which role did you assign to the certificate? usually it should be
> vpn-gateway (or something own?)

The cert role is assigned as vpn-server.

> did you edit the request somehow before trying to issue the certificate?
> usually it is a good idea to set the dns and/or the ip address at the
> subject-alternative-name of the cert as to adapt the dn if needed to
> meet some organisational preferences like extra ou and so on...

I tried to edit the request with the correct DN. Then OpenCA was able to issue the certificate, but nevertheless the PIX was not able to show this certificate with "show ca cert". But the pending request (Pending 102) in the PIX trace was changed to granted (Granted 100). I thought this was it. But NO!!! The PIX shows only the ra and the ca certificate!!!

Has anyone an idea what went wrong???

Thanx in advance!!
Bernd

> greetings
> dalini

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
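The chain warning dalini describes above (the RA certificate stored ahead of the self-signed CA certificate in the PKCS#7 bundle, so it is installed before its issuer is known) can be reproduced and checked for with a few openssl commands. This is an added example, not code from the thread, from OpenCA or from Cisco; it assumes an `openssl` binary on PATH and generates its own throwaway CA and RA certificates, so the names "Example Test CA" and "Example Test RA" and the helper names are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenCA): walk a
# certs-only PKCS#7 bundle in file order, the way a device that installs the
# certificates one by one would, and verify each certificate only against the
# self-signed certificates seen so far. Assumes `openssl` on PATH; all
# certificates below are constructed test data.
WORK="${WORK:-$(mktemp -d)}"

# make_test_pki: constructed self-signed CA plus an RA certificate it issued
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test RA" \
    -keyout "$WORK/ra.key" -out "$WORK/ra.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/ra.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/ra.pem" >/dev/null 2>&1
}

# make_bundle ORDER: certs-only PKCS#7 with the CA first ("ca-first") or the
# RA first ("ra-first"); prints the path of the bundle
make_bundle() {
  if [ "$1" = "ca-first" ]; then
    openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -certfile "$WORK/ra.pem" \
      -out "$WORK/$1.p7b"
  else
    openssl crl2pkcs7 -nocrl -certfile "$WORK/ra.pem" -certfile "$WORK/ca.pem" \
      -out "$WORK/$1.p7b"
  fi
  echo "$WORK/$1.p7b"
}

# install_in_order BUNDLE: split the bundle into its certificates in stored
# order; a self-signed cert becomes a trust anchor, every other cert must
# verify against the anchors collected so far. Prints one line per cert
# ("anchor", "ok" or "chain-warning") and returns 1 if any warning was raised.
install_in_order() {
  dir="$WORK/split.$$"
  mkdir -p "$dir"
  : > "$dir/anchors.pem"
  # -print_certs emits the certificates in the order they sit in the PKCS#7
  openssl pkcs7 -in "$1" -print_certs | awk -v d="$dir" '
    /BEGIN CERTIFICATE/ { n++; f = sprintf("%s/cert%03d.pem", d, n); inside = 1 }
    inside { print > f }
    /END CERTIFICATE/ { close(f); inside = 0 }'
  status=0
  for c in "$dir"/cert*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      # self-signed: this is the CA cert, it becomes a trust anchor
      cat "$c" >> "$dir/anchors.pem"
      echo "anchor"
    elif [ -s "$dir/anchors.pem" ] && \
         openssl verify -CAfile "$dir/anchors.pem" "$c" >/dev/null 2>&1; then
      echo "ok"
    else
      # issuer not installed yet (or not chaining): the warning from the thread
      echo "chain-warning"
      status=1
    fi
  done
  rm -rf "$dir"
  return $status
}

# Run directly with DEMO=1 to see both bundle orders side by side
if [ "${DEMO:-0}" = 1 ]; then
  make_test_pki
  for order in ca-first ra-first; do
    echo "== $order =="
    install_in_order "$(make_bundle "$order")" || echo "(warning raised)"
  done
fi
```

With the CA first the walk prints `anchor` then `ok`; with the RA first it prints `chain-warning` then `anchor`, which is exactly the situation where the certificates are all present and marked active yet the device could not build a chain at install time. The same `openssl pkcs7 -print_certs` step, run against the bundle OpenCA hands out, is the quickest way to confirm which order the server actually produces.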
