Hi Jörg!

I see the issued certificate has got some of the X.509 extensions.
As I told you on the phone yesterday there were some recommendations
concerning those extensions and Cisco. Now I found the posting again:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg04641.html

Regards
T.o.Michael



Jörg Bartz wrote:
Hi there,

I have the following problem:

I use OpenCA-9.2RC3 with openssl9.7d(patched)/9.8 (see below). I am able to issue certificates for Webservers as well as for Users...

But when I try to get it running with a cisco pix 501 I encounter the following:

I am able to configure and authenticate the CA and can get the CRL. When I try to enroll a certificate, this works as well: I can see, edit and issue it. While this is happening, the request is shown as "pending" on the pix, but after issuing the certificate, the pix seems to download it, and afterwards the pending request is gone, but the pix debug information says "certificate is granted"...

Please find any additional information in the text below, there you will find the ca debug log of the pix, as well as the CSR before and after editing it and the issued certificate.

This problem is the same issue as Bernd Probst mentioned in March (see this post: http://www.mail-archive.com/[EMAIL PROTECTED]/msg04684.html) - but somehow I lost track, or a solution to his problem has never been posted (or found).

Regarding Michael's suggestion in the posting above, I installed the latest snap of openssl 9.8, compiled & installed it in a different directory than the system's openssl 9.7d (with patch for pkcs7) and changed the paths in token.xml to fit the location of openssl 9.8 - but the problem persists.

Does anyone have this config up and running, and/or is there a solution or hint for the problem? Michael Portz pointed out that it could have something to do with the VPN-Server profile, but I didn't find any further information on this!

Thanks in advance!

Jörg Bartz


Some information that might help:



============== PIX "show ca certificate" after enrollment:

RA General purpose Certificate
Status: Available
Certificate Serial Number: 03
Key Usage: General Purpose
Serial Number = 3
CN = ComNet RA
OU = Trustcenter
O = ComNet GmbH
C = DE
Validity Date: start date: 12:28:52 CEDT Apr 30 2004
end date: 12:28:52 CEDT Apr 30 2005


CA Certificate
Status: Available
Certificate Serial Number: No serial number avaliable
Key Usage: Signature
EA =<16> [EMAIL PROTECTED]
CN = ComNet Certification Authority
OU = Trustcenter
O = ComNet GmbH
C = DE
Validity Date: start date: 11:58:56 CEDT Apr 30 2004
end date: 11:58:56 CEDT Apr 30 2006


Certificate
  Subject Name
    Name: pix.*mydomain*.de
  Status: Pending
  Key Usage: General Purpose
    Fingerprint:  a519b3d2 3307d005 80ff0e08 ddc14015


============== PIX debug Logfile for enrollment / retransmission:

CI thread sleeps!
Crypto CA thread wakes up!
CI thread wakes up!
CRYPTO_PKI: Name: Serial Number = 3, CN = ComNet RA, OU = Trustcenter, O =
ComNet GmbH, C = DE
CRYPTO_PKI: Name: EA =<16> [EMAIL PROTECTED], CN = ComNet Certification
Authority, OU = Trustcenter, O = ComNet GmbH, C = DE
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps!
CRYPTO_PKI: http connection opened
CRYPTO_PKI:  received msg of 2462 bytes
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 a7 70 09 5a 6a e9 90 20 7e 81 f8 31 e3 38 7c 95
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 33 37 39 32 31 63 30 39 64 35 65 38 33 34 34 36 62 30
39 66 35 32 38 62 34 61 65 62 64 32 30 38
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: http connection opened
CRYPTO_PKI:  received msg of 4115 bytes
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 30
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 f4 36 78 30 25 92 11 7f 0a 95 60 fc 2b 3c f4 5c
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 33 37 39 32 31 63 30 39 64 35 65 38 33 34 34 36 62 30
39 66 35 32 38 62 34 61 65 62 64 32 30 38
CRYPTO_PKI: status = 100: certificate is granted
CRYPTO_PKI: All enrollment requests completed.
CRYPTO_PKI: All enrollment requests completed.

============== PIX "show ca certificate" after retransmission:

RA General purpose Certificate
Status: Available
Certificate Serial Number: 03
Key Usage: General Purpose
Serial Number = 3
CN = ComNet RA
OU = Trustcenter
O = ComNet GmbH
C = DE
Validity Date: start date: 12:28:52 CEDT Apr 30 2004
end date: 12:28:52 CEDT Apr 30 2005


CA Certificate
Status: Available
Certificate Serial Number: No serial number avaliable
Key Usage: Signature
EA =<16> [EMAIL PROTECTED]
CN = ComNet Certification Authority
OU = Trustcenter
O = ComNet GmbH
C = DE
Validity Date: start date: 11:58:56 CEDT Apr 30 2004
end date: 11:58:56 CEDT Apr 30 2006


============== OpenCA ca_token debug:

OpenCA::Token::OpenSSL->new: class instantiated
OpenCA::Token::OpenSSL->new: crypto and name present
OpenCA::Token::OpenSSL->new: NAME CA
OpenCA::Token::OpenSSL->new: PASSWD_PARTS 1
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getReqAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getCertAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getNumericDate
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::setParams
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::issueCert
Using configuration from /usr/local/OpenCA/OpenCA/etc/openssl/openssl/VPN_Server.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
serialNumber          :PRINTABLE:'12'
Certificate is to be certified until May  4 09:27:43 2005 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getCertAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getCertAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::sign
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getCertAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getCertAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getPIN
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getDigest
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getSMIME
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::sign
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getCertAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getCertAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getReqAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::getReqAttribute
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::dataConvert
OpenCA::Token::OpenSSL->OpenCA::Token::OpenSSL: AUTOLOAD => OpenCA::Token::OpenSSL::DESTROY

============== CSR received by OpenCA:

Request Version: 0 (0x0)
Serial Number: 7713
Common Name: n/a
E-Mail: n/a
Subject Alternative Name: n/a
Role: VPN Server
LOA:
Distinguished Name: serialNumber=cert's serial,unstructuredName=pix.*mydomain*.de+
Submitted on: Tue May 4 09:22:15 2004 GMT
Approved on: n/a
Used Identification PIN: n/a
Modulus (key size): 1024
Public Key Algorithm: rsaEncryption
Public Key Modulus (1024 bit):
00:dc:96:3b:c0:2b:d7:8b:fc:a3:ef:b6:23:d8:74:
2c:47:49:fa:b1:bb:22:30:23:44:aa:fe:48:37:83:
7b:8e:3e:d4:8a:c4:5c:9f:a7:cf:0f:34:1b:8e:f4:
b9:e0:62:f2:5e:8f:3a:f6:bf:5e:49:da:11:b1:5d:
6c:11:93:89:90:4b:39:27:a2:5b:a6:60:b7:8d:76:
b5:51:aa:5b:30:b4:87:fa:84:58:b2:29:43:53:b4:
f1:20:06:6c:bc:3e:c9:ee:37:e0:be:f2:c8:07:a6:
ac:1e:93:52:8e:78:d3:9a:03:d0:98:fa:b6:6d:8c:
09:df:06:22:dc:17:30:79:2d
Exponent: 65537 (0x10001)


Signature Algorithm: md5WithRSAEncryption
Name (first and Last name): n/a
Email: n/a
Department: n/a
Telephone: n/a


Note: The full subject was: [EMAIL PROTECTED] GmbH+unstructuredName=pix.*mydomain*.de+C=DE+CN=pix.*mydomain*.de+OU=TestCenter


============== CSR after editing:

Request Version: 0 (0x0)
Serial Number: 7713
Common Name: n/a
E-Mail: [EMAIL PROTECTED]
Subject Alternative Name: DNS:pix.*mydomain*.de, email:[EMAIL PROTECTED]
Role: VPN Server
LOA: Test
Distinguished Name: serialNumber=cert's serial
Submitted on: Tue May 4 09:22:15 2004 GMT
Approved on: n/a
Used Identification PIN: n/a
Modulus (key size): 1024
Public Key Algorithm: rsaEncryption
Public Key Modulus (1024 bit):
00:dc:96:3b:c0:2b:d7:8b:fc:a3:ef:b6:23:d8:74:
2c:47:49:fa:b1:bb:22:30:23:44:aa:fe:48:37:83:
7b:8e:3e:d4:8a:c4:5c:9f:a7:cf:0f:34:1b:8e:f4:
b9:e0:62:f2:5e:8f:3a:f6:bf:5e:49:da:11:b1:5d:
6c:11:93:89:90:4b:39:27:a2:5b:a6:60:b7:8d:76:
b5:51:aa:5b:30:b4:87:fa:84:58:b2:29:43:53:b4:
f1:20:06:6c:bc:3e:c9:ee:37:e0:be:f2:c8:07:a6:
ac:1e:93:52:8e:78:d3:9a:03:d0:98:fa:b6:6d:8c:
09:df:06:22:dc:17:30:79:2d
Exponent: 65537 (0x10001)


Signature Algorithm: md5WithRSAEncryption
Name (first and Last name): n/a
Email: [EMAIL PROTECTED]
Department: n/a
Telephone: n/a

============== Issued Certificate:

Description: Certificate issued and Certificate Request archived.
Logging Message:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12 (0xc)
Signature Algorithm: sha1WithRSAEncryption
Issuer: [EMAIL PROTECTED],CN=ComNet Certification Authority,OU=Trustcenter,O=ComNet GmbH,C=DE
Validity
Not Before: May 4 09:27:43 2004 GMT
Not After : May 4 09:27:43 2005 GMT
Subject: serialNumber=12
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:dc:96:3b:c0:2b:d7:8b:fc:a3:ef:b6:23:d8:74:
2c:47:49:fa:b1:bb:22:30:23:44:aa:fe:48:37:83:
7b:8e:3e:d4:8a:c4:5c:9f:a7:cf:0f:34:1b:8e:f4:
b9:e0:62:f2:5e:8f:3a:f6:bf:5e:49:da:11:b1:5d:
6c:11:93:89:90:4b:39:27:a2:5b:a6:60:b7:8d:76:
b5:51:aa:5b:30:b4:87:fa:84:58:b2:29:43:53:b4:
f1:20:06:6c:bc:3e:c9:ee:37:e0:be:f2:c8:07:a6:
ac:1e:93:52:8e:78:d3:9a:03:d0:98:fa:b6:6d:8c:
09:df:06:22:dc:17:30:79:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: CA:FALSE
X509v3 Certificate Policies: Policy: 1.2.3.3.4
CPS: http://some.url.org/cps


Netscape Cert Type: SSL Server
X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment: VPN Server of ComNet GmbH
X509v3 Subject Key Identifier: 22:CD:8B:BF:AB:AA:7D:25:50:1F:C0:0A:A8:5C:B0:A3:43:A8:EB:A4
X509v3 Authority Key Identifier: keyid:D3:3E:5D:B1:F2:8B:C2:2B:CA:3E:42:7E:22:DE:8B:4A:57:C7:8E:B6
DirName:/C=DE/O=ComNet GmbH/OU=Trustcenter/CN=ComNet Certification Authority/[EMAIL PROTECTED]
serial:00


X509v3 Subject Alternative Name: DNS:pix.*mydomain*.de, email:[EMAIL PROTECTED]
X509v3 Issuer Alternative Name: email:[EMAIL PROTECTED]
Netscape CA Revocation Url: http://ra.*mydomain*.de/pub/crl/cacrl.crl
Netscape Revocation Url: http://ra.*mydomain*.de/pub/crl/cacrl.crl
X509v3 CRL Distribution Points: URI:http://ra.*mydomain*.de/pub/crl/cacrl.crl


    Signature Algorithm: sha1WithRSAEncryption




---- Jörg Bartz ComNet GmbH, Würselen

"Was nicht fliegt, kann auch nicht abstürzen!"



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id149&alloc_id?66&op=click
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


--
accom GmbH & Co. KG
Gruener Weg 100
52070 Aachen

Tel: +49 241 918 5228
Fax: +49 241 918 5299
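The PIX debug log quoted above prints every SCEP signed attribute as raw DER bytes. As an added example (not code from the post, from OpenCA or from Cisco), the following decodes those attributes into their SCEP meaning, so the PENDING reply and the later SUCCESS reply that the PIX reports as status 102 and 100 can be read directly from the dump. It assumes the lowercase hex-dump layout shown in the post and the code points from the SCEP draft; the sample transcript is transcribed from the log above.

```python
import re
# SCEP code points (draft-nourse-scep), carried as PrintableString digits.
MESSAGE_TYPE = {"3": "CertRep", "19": "PKCSReq", "20": "GetCertInitial",
                "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
# A signed-attribute header followed by one or more lines of lowercase hex.
ATTR_RE = re.compile(r"^CRYPTO_PKI: signed attr: ([\w-]+):\n"
                     r"((?:[0-9a-f]{2}(?: [0-9a-f]{2})*\n)+)", re.M)
SAMPLE_LOG = """\
CRYPTO_PKI:  received msg of 2462 bytes
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 a7 70 09 5a 6a e9 90 20 7e 81 f8 31 e3 38 7c 95
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 33 37 39 32 31 63 30 39 64 35 65 38 33 34 34 36 62 30
39 66 35 32 38 62 34 61 65 62 64 32 30 38
CRYPTO_PKI:  received msg of 4115 bytes
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 30
"""  # constructed sample: the two CertRep replies transcribed from the debug log above

def decode_der_value(hex_text):
    # Short-form DER TLV: 0x13 PrintableString -> str, 0x04 OCTET STRING -> hex.
    data = bytes.fromhex("".join(hex_text.split()))
    tag, length, body = data[0], data[1], data[2:]
    if length >= 0x80 or len(body) != length:
        raise ValueError("long-form or truncated DER value")
    if tag == 0x13:
        return body.decode("ascii")
    if tag == 0x04:
        return body.hex()
    raise ValueError("unexpected DER tag 0x%02x" % tag)

def parse_scep_replies(debug_text):
    # One dict per CA reply: split at each 'received msg' line, decode its attributes.
    return [{name: decode_der_value(hexblock) for name, hexblock in ATTR_RE.findall(chunk)}
            for chunk in debug_text.split("received msg of")[1:]]

def describe(reply):
    # Translate the decoded digit strings into their SCEP names.
    return (MESSAGE_TYPE.get(reply.get("pki-message-type"), "unknown"),
            PKI_STATUS.get(reply.get("pki-status"), "unknown"))

if __name__ == "__main__":
    print([describe(r) for r in parse_scep_replies(SAMPLE_LOG)])
```

Both replies are CertRep messages with the same transactionID; only pkiStatus changes from PENDING to SUCCESS, which is what the PIX renders as 102 and then 100.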


