
ASA: CRYPTO_PKI: Unable to read CA/RA certificates

l.tating
Level 1

Hello,

I have set up a Win2003 Server where I installed a CA/RA server for SCEP enrollment of my ASA5510. I entered the following config on the ASA:

domain-name mydomain.com

crypto key generate rsa

crypto ca trustpoint MYTRUSTPOINT

crl optional

enrollment url http://x.x.x.x/certsrv/mscep/mscep.dll

subject-name cn=ASA5510

Meanwhile I configured the CA Server for SCEP support by installing the mscep executable from the Resource Kit.

If I try to get the CA's Certificate using crypto ca authenticate MYTRUSTPOINT, I only get these error messages on my ASA console:

Crypto CA thread wakes up!

CRYPTO_PKI: Sending CA Certificate Request:

GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ITSS HTTP/1.0

Host: x.x.x.x

CRYPTO_PKI: http connection opened

CRYPTO_PKI: Unable to read CA/RA certificates.

Crypto CA thread sleeps!

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0

I have tried to reinstall the CA and SCEP over and over again but I still get the same error all the time. Is there anything wrong with my config?

Please help me with my problem. I promise to give 5-points to anybody who can help me solve my problem. Thank you in advance.

Lorenz

4 Replies

bwilmoth
Level 5

You could be hitting this bug; check the details of this bug: CSCeb54402

Hi,

I cannot find this particular Bug ID in the CCO. Can you send me some info from your own list if there is any?

Thanks so much for your response,

Lorenz

Hi,

Yes, now I see the bug details. But the one I am actually using is an ASA5510, and I have also already upgraded it to 7.2.2 (from the previous 7.0.7). I have tried this same setup before using Windows 2000 Server and an ASA5520, and it works. But this time I am having quite some trouble making this thing work.

Lorenz

Jason Gervia
Cisco Employee

Have you checked the pending requests on the CA server or other logs to see if the CA is even getting the request?

--Jason
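
Added example, not part of the thread and not Cisco or Microsoft code: a small Python classifier for the raw HTTP reply to the GetCACert request shown in the debug output, separating "the server answered with something other than a certificate" from "a CA or CA/RA certificate came back". The content types are the ones SCEP defines for GetCACert (RFC 8894); the function name and the sample replies are constructed for illustration, and how the ASA itself reacts to each case is not stated in the thread.

```python
# Added diagnostic example; the sample replies below are constructed, not captured.
CA_ONLY = "application/x-x509-ca-cert"        # body is one DER-encoded CA certificate
CA_AND_RA = "application/x-x509-ca-ra-cert"   # body is a certs-only PKCS#7 (CA + RA certs)


def diagnose_getcacert(raw: bytes) -> str:
    """Classify a raw HTTP response to a SCEP GetCACert request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if not sep or len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"               # something other than a web server answered
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    if status != 200:
        return f"http-error-{status}"   # e.g. an authentication or not-found error page
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in (CA_ONLY, CA_AND_RA):
        return "wrong-content-type"     # typically an HTML page instead of a certificate
    if not body:
        return "empty-body"             # headers look right but no certificate bytes
    if body[0] != 0x30:
        return "not-der"                # DER certificates and PKCS#7 start with SEQUENCE (0x30)
    return "ca-and-ra-certs" if ctype == CA_AND_RA else "ca-cert-only"


# Constructed sample replies (placeholders, not real certificates).
SAMPLES = {
    "ok": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-ra-cert\r\n"
          b"Content-Length: 4\r\n\r\n\x30\x82\x01\x00",
    "html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
    "denied": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n",
    "empty": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n"
             b"Content-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, "->", diagnose_getcacert(reply))
```

Feed it the bytes saved from a manual request to the enrollment URL, made from a host that shares the ASA's network path to the CA; any result other than the two certificate outcomes points at the web server or the SCEP add-on, not at the trustpoint config.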
