Cannot get IOS Root CA to run

Unanswered Question
Apr 27th, 2010

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

I am trying to run the IOS CA to serve as root to two subordinate CA’s on my DMVPN hubs.  I am using a 2650XM on IOS image c2600-advsecurityk9-mz.124-15.T12.bin, and am following the procedures in both http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/PKI-security.html and the Cisco IOS Security Configuration Guide http://www.cisco.com/en/US/customer/docs/ios/sec_secure_connectivity/configuration/guide/12_4t/sec_secure_connectivity_12_4t_book.html section(s) on PKI.  I can get the CA running but ONLY if I do not configure ‘database url <url>’ (and presumably ‘cdp-url’)

I have tried using ftp:, and http: for ‘database url’ but I always get the server status of

Certificate Server root-ca:

    Status: disabled, Storage not accessible

and messages similar to “%PKI-3-CS_CRIT_STORAGE: Critical certificate storage, ftp://<username>:<password>@<ftp-server>/0x1.crt, is inaccessible, server disabled.” When I’m using ftp.  No message is issued when using http but the server status is the same.  And, the cert server appears to write the files 0x1.cnm and 0x1.crt, and the root-ca.ser file to the ftp server but still says storage is inaccessible.

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

Here is the no ‘database url’ configs that works:

crypto pki server root-ca

database level complete

database archive pkcs12 password 7 15361202377928311A

grant auto rollover ca-cert

grant auto

lifetime certificate 730

lifetime ca-certificate 750

auto-rollover 90

!

crypto pki trustpoint root-ca

revocation-check crl none

rsakeypair root-ca

!        

!        

crypto pki certificate chain root-ca

certificate ca 01

  30820302 308201EA A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  12311030 0E060355 04031307 726F6F74 2D636130 1E170D31 30303432 37323130

<lines deleted>

  94D7B595 3C35C1A1 9D0BAA22 E92C40BD D7DE6C1F 92BD1285 534817FC 62B4CBCF

  8EB659B5 5C3C

        quit

!        

(I don’t think the rest of the config is needed, but ntp is configured and active as is the http server).

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

rsdpki1#sh crypto pki server

Certificate Server root-ca:

    Status: enabled

    State: enabled

    Server's configuration is locked  (enter "shut" to unlock it)

    Issuer name: CN=root-ca

    CA cert fingerprint: ACFF6E7F 7A87AB31 21BF7222 314D3BA9

    Granting mode is: auto

    Last certificate issued serial number: 0x1

    CA certificate expiration timer: 14:08:26 PDT May 16 2012

    CRL NextUpdate timer: 20:08:56 PDT Apr 27 2010

    Current primary storage dir: nvram:

    Database Level: Complete - all issued certs written as <serialnum>.cer

    Auto-Rollover configured, overlap period 90 days

    Autorollover timer: 13:08:26 PST Feb 16 2012

rsdpki1#sh crypto pki certificates

CA Certificate

  Status: Available

  Certificate Serial Number: 0x1

  Certificate Usage: Signature

  Issuer:

    cn=root-ca

  Subject:

    cn=root-ca

  Validity Date:

    start date: 14:08:26 PDT Apr 27 2010

    end   date: 14:08:26 PDT May 16 2012

  Associated Trustpoints: root-ca

rsdpki1#sh crypto key mypubkey rsa

% Key pair was generated at: 14:01:09 PDT Apr 27 2010

Key name: root-ca

Storage Device: not specified

Usage: General Purpose Key

Key is exportable.

Key Data:

  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

<lines removed>

  3F020301 0001

% Key pair was generated at: 14:01:16 PDT Apr 27 2010

Key name: root-ca.server

Temporary key

Usage: Encryption Key

Key is not exportable.

Key Data:

  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 009E1CF0 EE0A4456

<lines removed>

  D92FACAB 7780169C 90B77FAF 92026085 F663353D 29CD8018 87020301 0001

rsdpki1#sh crypto key pubkey-chain rsa

Codes: M - Manually configured, C - Extracted from certificate

Code Usage         IP-Address/VRF         Keyring          Name

C    Signing                              default          X.500 DN name:

                              cn=root-ca

rsdpki1#sh crypto pki certificates storage

Certificates will be stored in nvram:

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} rsdpki1#

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

However, when I clear that all out and reconfigure it with an ftp: database, I get:

crypto pki server root-ca

database level complete

database archive pkcs12 password 7 052F1F01121F4D1C2B

grant auto rollover ca-cert

grant auto

lifetime certificate 730

lifetime ca-certificate 750

cdp-url ftp://ssdftp1/rsdpki1_generated.crl

auto-rollover 90

database url ftp://ssdftp1

database username ftp4ios password <removed>

!        

crypto pki trustpoint root-ca

revocation-check crl none

rsakeypair root-ca

And show xxx shows:

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

rsdpki1#sh crypto pki server

Certificate Server root-ca:

    Status: disabled, Failed to generate selfsigned CA certificate

    State: check failed

    Server's configuration is locked  (enter "shut" to unlock it)

    Issuer name: CN=root-ca

    CA cert fingerprint: -Not found-

    Granting mode is: auto

    Last certificate issued serial number: 0x0

    CA certificate expiration timer: 14:24:47 PDT May 16 2012

    CRL not present.

    Current primary storage dir: ftp://ssdftp1

    Database Level: Complete - all issued certs written as <serialnum>.cer

    Auto-Rollover configured, overlap period 90 days

rsdpki1#sh crypto pki certificates

rsdpki1#sh crypto key mypubkey rsa

% Key pair was generated at: 14:23:18 PDT Apr 27 2010

Key name: root-ca

Storage Device: not specified

Usage: General Purpose Key

Key is exportable.

Key Data:

  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

<lines removed>

  63020301 0001

% Key pair was generated at: 14:23:25 PDT Apr 27 2010

Key name: root-ca.server

Temporary key

Usage: Encryption Key

Key is not exportable.

Key Data:

  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00E514E6 0770D50A

<lines removed>

rsdpki1#sh crypto key pubkey-chain rsa

Codes: M - Manually configured, C - Extracted from certificate

Code Usage         IP-Address/VRF         Keyring          Name

rsdpki1#sh crypto pki certificates storage

Certificates will be stored in nvram:

rsdpki1#  (I skipped the ‘sh crypto pki counters’)

But the files are written to the ftp server and appear fine.  Can anyone tell me the rules for ‘database url’ and/or ‘cdp-url’?  The “PKI Service for Large Scale IPSec Aggregation” document (first url) shows both ftp: and http: examples.  As I say, I *think* I have the ftp specified correctly because the files are written.  But I have no idea what the requirements are for the http server – do I need Web-DAV or something? 

Thanks in advance.

PAUL TRIVINO
Sr. Network Engineer


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
PAUL TRIVINO Thu, 05/06/2010 - 11:45

I did but that's the problem - the documentation says you can use 'any IOS-supported file system' and the DMVPN docs show several examples using 'ftp://...' and 'http://...'  But I could not get anything except Flash: to work.  I had to move the root-ca to a different router with a CF card.

plemieux72 Sat, 09/18/2010 - 09:05

Ran into same issue on a 2621XM CA server running advanced security IOS 12.4(15)T8.

I rebooted the router, and the CA service runs fine until I looked into the info request database, and approved the cert for a spoke, I got the following:

cry pki ser [removed] grant all
% Failed to process enrollment request. The request #1 is deleted.

...and in the log:

Sep 18 12:23:07.203: %PKI-3-CS_CRIT_STORAGE: Critical certificate storage, nvram:0xD.cnm, is inaccessible, server disabled.
Sep 18 12:23:07.211: %PKI-6-CS_DISABLED: Certificate server now disabled.

Have you found any resolution or root cause?

Thanks!

ken.grabarski Wed, 02/18/2015 - 08:48

Performed the following on a 2811 to resolve.

CA Server:
Create username/domain
Enable HTTP
Generate rsa key

crypto pki server ks
 database level complete
 grant auto
 lifetime certificate 180
 lifetime ca-certificate 7305
 database url flash:
 no shut

 

 

Actions

This Discussion

Related Content