PKI Certificate

Unanswered Question
Nov 6th, 2008

Hi

I have defined a PKI trustpoint on an 871, but whilst authenticating the CA I get the following error:


Nov 6 10:57:05.370: CRYPTO_PKI: Sending CA Certificate Request:

GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=Synergy-CA HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)



Nov 6 10:57:05.370: CRYPTO_PKI: locked trustpoint Synergy-CA, refcount is 1

Nov 6 10:57:05.386: CRYPTO_PKI: http connection opened

Nov 6 10:57:05.386: CRYPTO_PKI: unlocked trustpoint Synergy-CA, refcount is 0

Nov 6 10:57:05.386: CRYPTO_PKI: locked trustpoint Synergy-CA, refcount is 1

Nov 6 10:57:05.598: CRYPTO_PKI: unlocked trustpoint Synergy-CA, refcount is 0

Nov 6 10:57:05.598: CRYPTO_PKI: HTTP response header:

HTTP/1.1 200 OK

Content-Length: 4274

Content-Type: application/x-x509-ca-ra-cert

Server: Microsoft-IIS/7.0

Date: Thu, 06 Nov 2008 10:56:47 GMT

Connection: close


Content-Type indicates we have received CA and RA certificates.


Nov 6 10:57:05.598: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=Synergy-CA)


Nov 6 10:57:05.602: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):

Nov 6 10:57:05.602: crypto_certc_pkcs7_extract_certs_and_crls failed

Nov 6 10:57:05.602: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795


Nov 6 10:57:05.602: CRYPTO_PKI: Unable to read CA/RA certificates.

Nov 6 10:57:05.602: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.

Nov 6 10:57:05.602: CRYPTO_PKI: transaction GetCACert completed

--------------------------------------


My router config for the trustpoint is as follows:


crypto pki trustpoint Synergy-CA

enrollment mode ra

enrollment url http://ca_2008.sfs.com:80/certsrv/mscep/mscep.dll

subject-name cn=Authenticator-871 o=SFS

revocation-check none

ocsp url http://ca_2008.sfs.com/ocsp

rsakeypair Synergy


Anonymous (not verified) Wed, 11/12/2008 - 07:45

The explanation for "PKI-3-GETCARACERT: Failed to receive RA/CA certificates" is that the PKI certificate has encountered a failure when parsing and processing CA/RA certificates. The recommended action is to check the status and contact the CA administrator. You can also check whether the certification is valid or not.

This URL explains certificate authentication in detail:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml#step3


synbureau Wed, 11/12/2008 - 08:05

Thank you for the reply. I got through that stage and am now stuck with decoding of the reply sent by OCSP (MS Server 2008). The no-revocation check OID has a zero-length value, whereas NULL is expected by Cisco. MS has identified it as a bug but will be releasing its fix in SP2; just wanted to know if Cisco has found a way around.
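
A way to confirm the encoding difference described in the last post, as an added example that is not part of the thread and is not Cisco or Microsoft code. It assumes the "no-revocation check OID" means the id-pkix-ocsp-nocheck extension (1.3.6.1.5.5.7.48.1.5), whose value RFC 2560 says should be NULL; the function names and the sample bytes are constructed for illustration.

```python
# Added example: classify the value of an OCSP "no check" certificate extension.
# Assumption: the thread's OID is id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5).
NOCHECK_OID = bytes.fromhex("2b0601050507300105")  # DER content bytes of that OID

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def classify_nocheck(ext_der):
    """Classify one DER-encoded X.509 Extension the way a strict parser sees it."""
    tag, body, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension is not a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != NOCHECK_OID:
        return "not-nocheck"
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    if val == b"\x05\x00":
        return "null"    # extnValue wraps a DER NULL
    if val == b"":
        return "empty"   # zero-length extnValue, the case described in the thread
    return "unexpected"

# Constructed sample extensions (not captured from the CA in this thread).
EXT_NULL = bytes.fromhex("300f06092b060105050730010504020500")
EXT_EMPTY = bytes.fromhex("300d06092b06010505073001050400")

if __name__ == "__main__":
    for name, ext in (("NULL value", EXT_NULL), ("zero-length value", EXT_EMPTY)):
        print(name, "->", classify_nocheck(ext))
```

To check a real OCSP signing certificate, extract the extension bytes with an ASN.1 dump tool and pass them to classify_nocheck; a result of "empty" matches the behaviour the poster reports.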
