ASA: CRYPTO_PKI: Unable to read CA/RA certificates

Unanswered Question
Nov 21st, 2007


I have setup a Win2003 Server where I install a CA/RA server for SCEP enrollment of my ASA5510. I entered the following config on the ASA:


crypto key generate rsa

crypto ca trustpoint MYTRUSTPOINT

crl optional

enrollment url http://x.x.x.x/certsrv/mscep/mscep.dll

subject-name cn=ASA5510

Meanwhile I configured the CA Server for SCEP support by intalling the mscep executable from the Resource Kit.

If I try to get the CA's Certificate using crypto ca authenticate MYTRUSTPOINT, i only get this error messages on my ASA console:

Crypto CA thread wakes up!

CRYPTO_PKI: Sending CA Certificate Request:

GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ITSS HTTP


Host: x.x.x.x

CRYPTO_PKI: http connection opened

CRYPTO_PKI: Unable to read CA/RA certificates.Crypto CA thread sleeps!

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0

I have tried to reinstall the CA and SCEP over and over again but I still get the same error all the time. Is there anything wrong with my config?

Please help me with my problem. I promise to give 5-points to anybody who can help me solve my problem. Thank you in advance.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
l.tating Tue, 11/27/2007 - 16:45


I cannot find this particular Bug ID in the CCO. Can you send me some info from your own list if there is any?

thanks so much for your response,


l.tating Tue, 11/27/2007 - 16:50


Yes now I see the Bug details. But the one I am actually using is a ASA5510, I have also already upgraded it to 7.2.2 (from previous 7.0.7). I have tried this same setup before using Windows2000 Server and ASA5520, and it works. But this time I am having quite a trouble making this thing work.


Jason Gervia Mon, 12/03/2007 - 14:15

Have you checked the pending requests on the CA server or other logs to see if the CA is even getting the request?



This Discussion