Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1345
Views
0
Helpful
2
Replies

PKI Certificate

synbureau
Level 1
Level 1

‎11-06-2008 03:00 AM - edited ‎03-09-2019 09:46 PM

Hi

I have defined a PKI trustpoint on 871 but whilst authentication CA i get the following error:

Nov 6 10:57:05.370: CRYPTO_PKI: Sending CA Certificate Request:

GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=Synergy-CA HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)

Nov 6 10:57:05.370: CRYPTO_PKI: locked trustpoint Synergy-CA, refcount is 1

Nov 6 10:57:05.386: CRYPTO_PKI: http connection opened

Nov 6 10:57:05.386: CRYPTO_PKI: unlocked trustpoint Synergy-CA, refcount is 0

Nov 6 10:57:05.386: CRYPTO_PKI: locked trustpoint Synergy-CA, refcount is 1

Nov 6 10:57:05.598: CRYPTO_PKI: unlocked trustpoint Synergy-CA, refcount is 0

Nov 6 10:57:05.598: CRYPTO_PKI: HTTP response header:

HTTP/1.1 200 OK

Content-Length: 4274

Content-Type: application/x-x509-ca-ra-cert

Server: Microsoft-IIS/7.0

Date: Thu, 06 Nov 2008 10:56:47 GMT

Connection: close

Content-Type indicates we have received CA and RA certificates.

Nov 6 10:57:05.598: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=Synergy-CA)

Nov 6 10:57:05.602: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):

Nov 6 10:57:05.602: crypto_certc_pkcs7_extract_certs_and_crls failed

Nov 6 10:57:05.602: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795

Nov 6 10:57:05.602: CRYPTO_PKI: Unable to read CA/RA certificates.

Nov 6 10:57:05.602: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.

Nov 6 10:57:05.602: CRYPTO_PKI: transaction GetCACert completed

--------------------------------------

My router config for trustpoint is as following:

crypto pki trustpoint Synergy-CA

enrollment mode ra

enrollment url http://ca_2008.sfs.com:80/certsrv/mscep/mscep.dll

subject-name cn=Authenticator-871 o=SFS

revocation-check none

ocsp url http://ca_2008.sfs.com/ocsp

rsakeypair Synergy

Labels:
0 Helpful
2 Replies 2

Not applicable

‎11-12-2008 07:45 AM

The explanation for "PKI-3-GETCARACERT: Failed to receive RA/CA certificates" is that PKI certificate has encountered failure when parsing and processing CA/RA certificates.Recommended Action is to check the status, contact the CA administrator.Also you can check whether the certification is valid or not.

This url explains about certificate authentication in detail:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml#step3

0 Helpful

synbureau
Level 1
Level 1
In response to

‎11-12-2008 08:05 AM

Thank you for the reply, I got through that stage and now stuck with decoding of reply sent by OCSP (MS server 2008). the no-revocation check OID has a zero length value where as NULL is expected by cisco. MS has identified it as a bug but will be releasing its fix in SP2, just wanted to know if cisco has found a way around.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents