You are right, I am using PIX Firewall version 6.3.x. If there's no way I can import a certificate to the pix firewall, do you know how I can sign the pix certificate using OpenSSL CA with the setup I have? It seems that the pix firewall can't communicate with the CA server.

When I tried to authenticate the certificate using the pix command:

    # ca authenticate (ca_nickname) [finger_print]

then enroll the certificate to the CA server with the pix command:

    # ca enroll (ca_nickname) (challenge_passwd) serial ipaddress

the enroll command results in the error message:

    %No CA root cert exists. Use ca authenticate.

Another problem I approach is that the [finger_print] on ca authenticate is optional, but when I supply the OpenSSL CA fingerprint, whose format is not xxxx xxxx xxxx xxxx, the pix firewall won't take it. The fingerprint that I get from OpenSSL CA has the format xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.

Any suggestions on this problem? All advice is greatly appreciated.
Thank you.

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Tuesday, December 16, 2003 10:02 am
Subject: RE: Sign PIX certificate using OpenSSL CA

> > -----Original Message-----
> > From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> > Sent: 16 December 2003 14:34
> > To: [EMAIL PROTECTED]
> > Subject: Sign PIX certificate using OpenSSL CA
> >
> > I would like to sign a certificate created by pix firewall
> > using OpenSSL CA server.
> > My current set up is: the OpenSSL CA server is
> >
> > Network 1------ Router ---------------------- PIX Firewall -------- Network 2
> > (CA server)                VPN tunnel
> >
> > I have established VPN tunnel between router and pix firewall
> > using preshared secret, but I would like to use the
> > certificate signed by OpenSSL CA.
> >
> > How can I sign the pix certificate? Also, how can I download
> > the CA certificate to PIX firewall?
> > Thank you. Your advice is appreciated.
> >
> > Sanborne
>
> I'm assuming you mean a Pix Firewall version 6.3.x. I don't think there is a
> way to get a certificate onto a Pix, as the "ca" commands can only create
> certificates.
> Have a look at the version 6.3 command reference at
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html
>
> If you do find a way, I'd love to know!
>
> -
> John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD, Royal National Institute of the Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
> [EMAIL PROTECTED]
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                          [EMAIL PROTECTED]
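
The two fingerprint notations in the message above differ in separators and grouping, so a fingerprint obtained out of band can be checked against either one after normalising. The following is an added example, not code from the thread, Cisco or OpenSSL: it computes the 16-byte MD5 fingerprint of a PEM certificate, renders it colon-separated and in groups of four hex digits, and compares two fingerprints regardless of formatting. Assumptions: the group size of four comes from the "xxxx xxxx xxxx xxxx" pattern in the post (whether the PIX accepts that exact string is not confirmed by the thread), the function names are hypothetical, and `SAMPLE_PEM` is a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder, NOT a real certificate: the body is base64 of b"abc",
# so the digest can be checked against the RFC 1321 MD5 test vector.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

def pem_to_der(pem: str) -> bytes:
    """Return the raw bytes between the PEM BEGIN/END CERTIFICATE markers."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def md5_fingerprint(pem: str) -> str:
    """MD5 over the DER encoding, as 32 lowercase hex digits."""
    return hashlib.md5(pem_to_der(pem)).hexdigest()

def normalize(fp: str) -> str:
    """Drop an 'MD5 Fingerprint=' style prefix and any colon/space separators."""
    digits = re.sub(r"[\s:]", "", fp.split("=", 1)[-1]).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", digits):
        raise ValueError("expected 32 hex digits (a 16-byte fingerprint)")
    return digits

def regroup(fp: str, size: int, sep: str) -> str:
    """Re-render a fingerprint in groups of `size` hex digits joined by `sep`."""
    digits = normalize(fp)
    return sep.join(digits[i:i + size] for i in range(0, len(digits), size))

def same_fingerprint(a: str, b: str) -> bool:
    """Compare two fingerprints irrespective of case, prefix and separators."""
    return hmac.compare_digest(normalize(a), normalize(b))

if __name__ == "__main__":
    fp = md5_fingerprint(SAMPLE_PEM)
    print("colon-separated :", regroup(fp, 2, ":"))
    print("groups of four  :", regroup(fp, 4, " "))
```
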