Cisco Support Community
New Member

ASA: CRYPTO_PKI: Unable to read CA/RA certificates

Hello,

I have set up a Win2003 Server where I installed a CA/RA server for SCEP enrollment of my ASA5510. I entered the following config on the ASA:

domain-name mydomain.com

crypto key generate rsa

crypto ca trustpoint MYTRUSTPOINT

crl optional

enrollment url http://x.x.x.x/certsrv/mscep/mscep.dll

subject-name cn=ASA5510

Meanwhile I configured the CA Server for SCEP support by installing the mscep executable from the Resource Kit.

If I try to get the CA's certificate using crypto ca authenticate MYTRUSTPOINT, I only get these error messages on my ASA console:

Crypto CA thread wakes up!

CRYPTO_PKI: Sending CA Certificate Request:

GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ITSS HTTP/1.0

Host: x.x.x.x

CRYPTO_PKI: http connection opened

CRYPTO_PKI: Unable to read CA/RA certificates.Crypto CA thread sleeps!

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0

I have tried to reinstall the CA and SCEP over and over again but I still get the same error all the time. Is there anything wrong with my config?

Please help me with my problem. I promise to give 5-points to anybody who can help me solve my problem. Thank you in advance.

Lorenz

4 REPLIES
Bronze

Re: ASA: CRYPTO_PKI: Unable to read CA/RA certificates

You could be hitting this bug; check the details of this bug: CSCeb54402

New Member

Re: ASA: CRYPTO_PKI: Unable to read CA/RA certificates

Hi,

I cannot find this particular Bug ID in the CCO. Can you send me some info from your own list if there is any?

Thanks so much for your response,

Lorenz

New Member

Re: ASA: CRYPTO_PKI: Unable to read CA/RA certificates

Hi,

Yes, now I see the bug details. But the one I am actually using is an ASA5510, and I have also already upgraded it to 7.2.2 (from the previous 7.0.7). I have tried this same setup before using Windows2000 Server and ASA5520, and it works. But this time I am having quite some trouble making this thing work.

Lorenz

Cisco Employee

Re: ASA: CRYPTO_PKI: Unable to read CA/RA certificates

Have you checked the pending requests on the CA server or other logs to see if the CA is even getting the request?

--Jason
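
One way to see, from a workstation, what the SCEP endpoint returns for the GetCACert request shown in the question (an added example, not part of the original thread and not Cisco or Microsoft code). The function names and sample responses are constructed for illustration; the two content types are the ones SCEP (RFC 8894) defines for GetCACert, and `ITSS` is the message value from the debug output above.

```python
"""Classify a SCEP GetCACert HTTP response by status, Content-Type and body."""
import urllib.error
import urllib.request

CA_ONLY = "application/x-x509-ca-cert"       # body: one DER X.509 certificate
CA_AND_RA = "application/x-x509-ca-ra-cert"  # body: degenerate PKCS#7 (certs only)


def classify_getcacert(status, content_type, body):
    """Return (ok, reason) describing whether the response can hold CA/RA certs."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if status != 200:
        return False, f"HTTP {status}: no usable answer from the SCEP handler"
    if not body:
        return False, "empty body: nothing to parse as a certificate"
    if ctype not in (CA_ONLY, CA_AND_RA):
        return False, f"unexpected Content-Type {ctype!r} (HTML error page?)"
    # Both valid payloads are DER and begin with an ASN.1 SEQUENCE tag (0x30).
    if body[0] != 0x30:
        return False, "body is not DER (first byte is not 0x30)"
    kind = "CA certificate" if ctype == CA_ONLY else "CA + RA certificates (PKCS#7)"
    return True, kind


def fetch_getcacert(enrollment_url, ca_ident="ITSS", timeout=10):
    """Send the GetCACert request to the trustpoint's enrollment url and classify it."""
    url = f"{enrollment_url}/pkiclient.exe?operation=GetCACert&message={ca_ident}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_getcacert(
                resp.status, resp.headers.get("Content-Type"), resp.read())
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry headers and a body
        return classify_getcacert(err.code, err.headers.get("Content-Type"), err.read())
    except urllib.error.URLError as err:    # DNS failure, refused connection, timeout
        return False, f"connection failed: {err.reason}"


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "ca_and_ra": (200, "application/x-x509-ca-ra-cert", bytes([0x30, 0x82, 0x01, 0x00])),
    "html_error": (200, "text/html; charset=utf-8", b"<html>error</html>"),
    "empty": (200, "application/x-x509-ca-ra-cert", b""),
    "forbidden": (403, "text/html", b"denied"),
}

if __name__ == "__main__":
    for name, (status, ctype, body) in SAMPLES.items():
        print(name, classify_getcacert(status, ctype, body))
```

Calling `fetch_getcacert()` with the value of the trustpoint's `enrollment url` repeats the ASA's request against the live server; comparing its result with the CA server's web logs shows whether the request arrives and what comes back.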
