RA Certificates

Unanswered Question
Mar 12th, 2007

Hi,

My question is Ra certificates - I have a Microsoft CA with SCEP installed. SCEP is the RA and requests a certificate from the CA on behalf of the client. But when i enroll an ASA via SCEP, when the certificate is pending two certificates appear as 'RA' when i do 'show crypto CA certificates'. When I issue the ID certificate on the CA, these 'RA' certificates disappear on the ASA - what exactly are these certificates and why are they there, and then disappear? This is also the same when enrolling VPN client.

Thanks for your help!

Andy

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ggilbert Tue, 03/13/2007 - 12:01

Andy,

Here is what I did. I had the ASA and SCEP configured for Microsoft CA.

I generated the CSR on the ASA - at that time, this was the output of sh cry ca cert

Subject Name:

Name: VPNASA

Status: Pending terminal enrollment

Key Usage: General Purpose

Fingerprint: ccccccb bbbbbb9 90f5ebb4 ab37e34a

After that, I got the CA certificate through SCEP and installed the identity certificate which I obtained from the microsoft CA server.

Can you please send me the "sh cry ca cert" and also a snippet of your config to check out the crypto trustpoint configured.

Thanks

Gilbert

andrew100 Tue, 03/13/2007 - 12:40

Hi Gilbert,

Thanks for your response! I have MSWord screen shots of exactly what i did but was live for a customer and contains sensitive info - I will recreate in my lab straight away!

However - here is my events,

Generate RSA general keys

Create trustpoint with SCEP URL and then reference the RSA key label just generated

Crypto CA authenticate

Accept the cert

Show crypto ca certs shows the CA cert

Crypto ca enroll - answer the questions, certificate is pending.

It is now that these 'RA' certs x2 appear under 'show crypto ca certs'.

Issue the certificate on the CA

Show crypto ca cert shows Root and ID cert and the 'RA' certs disappear?

Exactly the same happens on VPN client...

What are these RA certs etc

Thanks for your help Gilbert :-)

Andy

Actions

This Discussion