You are right, I am using PIX Firewall version 6.3.x.
If there's no way I can import a certificate to the PIX firewall, do you know how
I can sign the PIX certificate using the OpenSSL CA with the setup I have?
It seems that the PIX firewall can't communicate with the CA server.
I tried to authenticate the certificate using the PIX command:
# ca authenticate (ca_nickname) [finger_print]
and then enroll the certificate with the CA server using the PIX command:
# ca enroll (ca_nickname) (challenge_passwd) serial ipaddress
The enroll command results in the error message:
%No CA root cert exists. Use ca authenticate.
Another problem I face is that the [finger_print] on ca authenticate is optional, but
when I supply the OpenSSL CA fingerprint, whose format is not xxxx xxxx xxxx
xxxx, the PIX firewall won't take it. The fingerprint that I get from the OpenSSL CA has
the format xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Any suggestions on this problem?
All advice is greatly appreciated. Thank you.
----- Original Message -----
From: [EMAIL PROTECTED]
Date: Tuesday, December 16, 2003 10:02 am
Subject: RE: Sign PIX certificate using OpenSSL CA
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> > Sent: 16 December 2003 14:34
> > To: [EMAIL PROTECTED]
> > Subject: Sign PIX certificate using OpenSSL CA
> >
> >
> > I would like to sign a certificate created by pix firewall
> > using OpenSSL CA server.
> > My current set up is: the OpenSSL CA server is
> >
> > Network 1 ------ Router ---------------------- PIX Firewall -------- Network 2
> > (CA server)                   VPN tunnel
> >
> > I have established VPN tunnel between router and pix firewall
> > using preshared secret, but I would like to use the
> > certificate signed by OpenSSL CA.
> >
> > How can I sign the pix certificate? Also, how can I download
> > the CA certificate to PIX firewall?
> > Thank you. Your advice is appreciated.
> >
> > Sanborne
> >
> I'm assuming you mean a Pix Firewall version 6.3.x. I don't think there is a
> way to get a certificate onto a Pix, as the "ca" commands can only create
> certificates. Have a look at the version 6.3 command reference at
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html
>
> If you do find a way, I'd love to know!
>
> -
> John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD, Royal National Institute of the Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
> [EMAIL PROTECTED]
>
> There is more historical evidence for the existence of Jesus Christ than for
> either Henry VIII or Julius Caesar.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>