sam
New Member

failing to get certificates using PIX firewall

Trying to do a "ca authenticate" on PIX 506 running 6.2.2 software, in order to get a certificate from a Microsoft CA server. Here are the relevant commands:

ca identity stage 172.16.0.7:/certsrv/mscep/mscep.dll

ca configure stage ra 1 20

ca authenticate stage

The debug output is:

CRYPTO_PKI: status = 266: failed to verify

CRYPTO_PKI: transaction GetCACert completed

I put a sniffer on this communication and it appears that the PIX is trying to go to 172.16.0.7:/certsrv/mscep/mscep.dll/pkiclient.exe.

In other words, the PIX is adding a "pkiclient.exe" to the end of the URL no matter what. The Microsoft CA server does not have a pkiclient.exe file as far as I can tell. That seems to be the problem. However, I am puzzled because this combination (PIX and Microsoft CA) should work.

Any ideas what to do next?

3 REPLIES
Cisco Employee

Re: failing to get certificates using PIX firewall

Try making the CRL optional, and see if that makes a difference.

See this link for a bit of guide:

http://www.cisco.com/warp/public/471/configipsecsmart.html.

Regards,

New Member

Re: failing to get certificates using PIX firewall

Ensure that you have installed the mscep from the Microsoft Resource kit (cepsetup.exe).

pkiclient.exe is a part of the SCEP protocol and will be added automatically by the router/PIX to the SCEP request.

i.e. http://host/certsrv/mscep/mscep.dll?pkiclient.exe&operation=GetCACert&message=whatever

will return the result from SCEP with the RA & CA certificates.
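As an added example (not from the thread or from Cisco), a small Python helper that builds the GetCACert URL in the form the reply above shows, from the host:/path given to "ca identity", and classifies the server's answer the way a client would (lone CA certificate, PKCS#7 bundle with CA and RA certificates, or something else such as an HTML error page). The function names and the DER sample bytes are constructed for illustration.

```python
# Added example, not from the thread: SCEP GetCACert URL builder and reply classifier.
# Function names and sample bytes below are constructed for illustration.
from urllib.parse import urlencode

PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def build_getcacert_url(ca_identity: str, message: str) -> str:
    """Turn the PIX 'ca identity' target (host:/path) into the GetCACert URL."""
    host, _, path = ca_identity.partition(":")
    query = urlencode({"operation": "GetCACert", "message": message})
    # The client appends pkiclient.exe itself; the admin configures only host:/path.
    return f"http://{host}{path}?pkiclient.exe&{query}"

def _der_tlv(buf: bytes, pos: int = 0):
    """Parse one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the real length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_cacert_response(content_type: str, body: bytes) -> str:
    """Classify a GetCACert reply by its DER structure and the Content-Type sent."""
    if not body or body[0] != 0x30:
        return "not-der"  # HTML error page, wrong handler, empty body, etc.
    _, outer, _ = _der_tlv(body)
    tag, value, _ = _der_tlv(outer)
    if tag == 0x06 and value == PKCS7_SIGNED_DATA_OID:  # ContentInfo{signedData}
        if content_type != "application/x-x509-ca-ra-cert":
            return "ca-ra-bundle-wrong-content-type"
        return "ca-ra-bundle"  # CA and RA certificates, as the reply describes
    if tag == 0x30 and content_type == "application/x-x509-ca-cert":
        return "single-ca-cert"  # Certificate{tbsCertificate, ...}, CA only
    return "unexpected"

# Constructed samples: a minimal PKCS#7 ContentInfo header and a stub Certificate.
CA_RA_SAMPLE = bytes.fromhex("300d06092a864886f70d010702a000")
CA_CERT_SAMPLE = bytes.fromhex("300430020500")

if __name__ == "__main__":
    print(build_getcacert_url("172.16.0.7:/certsrv/mscep/mscep.dll", "stage"))
    print(classify_cacert_response("application/x-x509-ca-ra-cert", CA_RA_SAMPLE))
    print(classify_cacert_response("text/html", b"<html>404</html>"))
```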

sam
New Member

Re: failing to get certificates using PIX firewall

After talking to TAC, it looks like the solution should be:

1. Uninstall everything

2. Install Certification Server. Reboot

3. Install MSCEP. Reboot

It seems likely that the Microsoft server is the problem (although I HAD installed the MSCEP already and it wasn't working.)

In other words, the solution is to "reboot more often" during the Microsoft installation.

I consider this issue closed now. Thanks for everyone's help.
