Configuring CA on a pix 515 E


I am having problems configuring CA on my pix 515E running 6.3(5) and a restricted licence.

I am using Win 2003 for the CA server. I have not had any issues configuring CA on IOS or ASA 7.1. However, no success with the 515. I am not sure what the problem is either:

a) issue with Win2003 CA. The config guide for 6.3(5) mentions Win 2k as the compatible CA server;

b) the restricted licence (I don't think so ???). Can't find anything at CCO that suggests this may be the case.

c) my config (see below)

Appreciate any suggestions


carlos chorao #11351.r/s

When I auth the CA I get the following

labpix(config)# ca auth ca_1

Certificate has the following attributes:

Fingerprint: a83c33c1 9d17ccdb b71b0c4d 8a35db36

However, when I look for the public cer I get zip

labpix(config)# ca auth ca_1

Certificate has the following attributes:

Fingerprint: a83c33c1 9d17ccdb b71b0c4d 8a35db36

labpix(config)# exit

labpix# sh ca cert


Detailed configs are below:

labpix# sh ca mypub rsa

% Key pair was generated at: 13:16:47 nz Jun 3 2006

Key name: xxxx

Usage: General Purpose Key

Key Data:

305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d84cf1 17d63ecb

2f8dfa46 b963aa5a 50d929f4 c5ce208d 2e34c024 ac3aad53 72a2e4bf a9a16072

f9d74c26 5b70325c b10c50aa e7766add 82485e84 dff9eb31 4f020301 0001


labpix# sh run

: Saved



ca identity ca_1

ca configure ca_1 ca 1 10

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

labpix up 2 hours 38 mins

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0015.6398.8263, irq 10

1: ethernet1: address is 0015.6398.8264, irq 11

2: ethernet2: address is 000e.0c85.34b6, irq 11

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Physical Interfaces: 3

Maximum Interfaces: 5

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has a Restricted (R) license.


Re: Configuring CA on a pix 515 E

Found the problem.

deb crypto ca reveals the issue:

CRYPTO_PKI: Error: Invalid format for BER encoding while

CRYPTO_PKI: can not set ca cert object.

CRYPTO_PKI: status = 65535: failed to process RA certificate

Crypto CA thread sleeps!

CI thread wakes up!

The problem - I used "ca" instead of "ra" in the ca configure command.

It was

ca configure ca_1 ca 1 10

Should be

ca configure ca_1 ra 1 10

carlos chorao #11351.r/s
