Microsoft Certificate Authority Server and Cisco Pix 6.3

kjanakiraman
Level 1

Hi,

I installed a Windows 2000 Server domain controller and installed Microsoft CA (stand-alone mode). In the PIX firewall I added commands like ca identity nickname 192.168.20.5://certsrv/mscep/mscep.dll

ca configure nickname ra 1 20 crloptional

ca authenticate nickname, after which, when I give

ca enroll nickname and the "challenge password", I get an error message:

"No CA root server exists. use CA Authenticate". Can someone explain to me what mistake I am making and what I need to do to successfully configure Microsoft Certificate Authority for my client systems that connect through the Cisco VPN client software?

Thanks in Advance

19 Replies

jsivulka
Level 5

There are a couple of things that you could try.

- Use the 'ca zeroize rsa' command to delete all RSA keys that were previously generated by your PIX Firewall.

- Cross-check to ensure that the domain name is the same on both the PIX and the CA server.

- Make sure you have used the correct parameter (hostname) for identity.

- Although you have stated that the CA server is in 'stand-alone mode', make sure that is indeed the case. The setup won't work with subordinate servers.

Thanks a lot for your reply. Now I do not see any error message on the Cisco PIX. I got the fingerprint from the CA and put the same in ca authenticate nickname and the fingerprint. I went to a client system and connected to the certificate server and selected "Submit Request using CA form", and in the next screen I selected "client Authentication Purpose" and CSP "Microsoft Base Cryptographic Provider v1.0" and got the certificate installed successfully. Then I started the Cisco VPN client and chose the certificate to connect, but could not connect to the Cisco PIX firewall. Is there anything else I need to do?

Thanks

Hi,

I'm in the same trouble.

I started ca debug and can see:

debug crypto ca
pix(config)# ca authenticate myca
CI thread sleeps!
Crypto CA thread wakes up!
pix(config)# connection opened
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Error: Invalid format for BER encoding while
CRYPTO_PKI: can not set ca cert object.
CRYPTO_PKI: status = 65535: failed to process RA certificate
Crypto CA thread sleeps!
CI thread wakes up!

Does anybody know what the error message means?

Thanks,

Milan

Hi,

It seems that the basic problem is the following:

Microsoft CA running on Win2000 Server doesn't support the SCEP protocol, which is the only way to get the certificate into the PIX.

So it is necessary to install SCEP on the CA.

I've found on the Microsoft web site that cepsetup.exe should be available in the Win2000 Server Resource Kit, but haven't found it yet...

Does anybody know if SCEP is supported on Win2000 Server or Advanced Server, or is 2003 Server necessary?

Thanks,

Milan

yes and yes

it is on the 'Security Resource Kit' but also try this link

http://www.klake.org/~jt/sscep/w2kca.html

and go to where it says "local package" or just click here: http://www.klake.org/~jt/sscep/mscep.zip

run an AV scan to make sure it's ok.

After you install it, you will need to register mscep.dll with IIS (this is done by default on '03, but not on 2K), or your firewall will not be able to execute 'pkiclient.exe' using HTTP (on port 80).

Here's a scratch sample I labbed up: http://www.getconnected-it.com/pix-ca-enrollment.doc

and also this may help (it's for '03, but the only other step you'll need to do is manually register mscep.dll with IIS from the command line):

http://www.getconnected-it.com/RegistrationAuthoritySCEPInstallation.pdf

hope this helps

Donald,

thanks a lot.

Unfortunately, our CA administrator is on his holiday.

When he comes back, we'll try to install SCEP on our CA and I hope everything will work OK.

Regards,

Milan

Hi,

I'm still in trouble.

1) I'm confused by the PIX

ca configure myca ra 1 1 crloptional

command.

What's the difference between the ca and ra options in this command?

I noticed that I have to use ra to be able to get the root certificate from my CA with the

ca authenticate myca ...

command.

But to try to enroll the certificate for my PIX, I have to change the command to

ca configure myca ca 1 1 crloptional

first!!!

If I don't, I receive the

% No CA root cert exists. Use "ca authenticate" error message.

I've got some certificates downloaded to my PIX; sh ca cert shows:

CA Certificate
Status: Available
Certificate Serial Number: 75b027220003000000bc
Key Usage: Signature
...

CA Certificate
Status: Available
Certificate Serial Number: 75b0282c0003000000bd
Key Usage: Encryption
...

CA Certificate
Status: Available
Certificate Serial Number: 18308b8d573a8090439e362e0b616481
Key Usage: General Purpose
...

Which I hope are the CA root certificates?

2) I'm not able to get the RA certificate for my PIX.

I installed the scep support to our Microsoft CA running on Win2000 server.

But I have to use the domain administrator user account and password to get the

http://myca/certsrv/mscep/mscep.dll screen with the enrollment challenge password in my browser, as described in http://www.getconnected-it.com/pix-ca-enrollment.doc.

I'm afraid the PIX is not providing any user/password while sending the enrollment request?

Even when I use the challenge password seen via the web interface with the admin account, I get a certificate request refused error. With debug on, I can see:

CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps! Fingerprint: 90064033 50e37098 f67ae9a9 f2c4cffa
CRYPTO_PKI: http connection opened
The certificate enrollment request was denied by CA!
CRYPTO_PKI: received msg of 800 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting
CRL
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 ea df a4 24 aa f2 cb 2d c4 b3 fd bd 31 74 94 84
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 35 32 63 36 37 35 31 64 34 30 31 66 34 65 35 32 61 66
32 35 63 66 30 35 38 39 31 65 64 35 34 33
CRYPTO_PKI: status = 101: certificate request is rejected

But I can't see any refused request in the CA logs.

I think the main problem might be the authorization to //myca/certsrv/mscep/mscep.dll on the Microsoft CA. How shall I change it?

Thanks,

Milan
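The signed attributes in the debug output above are raw DER bytes, so the reason for the rejection is easier to read once they are decoded: tag 0x13 is a PrintableString and tag 0x04 an OCTET STRING, and SCEP carries messageType and pkiStatus as digit strings ("3" = CertRep, "2" = FAILURE). The following Python script is an added example for this thread, not code from Cisco or from any poster; the sample transcript is constructed from the debug lines quoted in the post above, the attribute meanings follow the SCEP draft, and the "pki-fail-info" label is an assumption about how the PIX would print a failInfo attribute (the transcript contains none). It also checks the fingerprint the PIX printed against the one read off the CA, which is the comparison "ca authenticate" depends on.

```python
"""Decode PIX 6.3 'debug crypto ca' output for a rejected SCEP enrollment.

Added example for this thread, not Cisco's or a poster's code.
"""
import re

# SCEP encodes these numeric attributes as PrintableString digit strings.
MESSAGE_TYPES = {"3": "CertRep", "19": "PKCSReq", "20": "GetCertInitial",
                 "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
             "3": "badTime", "4": "badCertId"}
# The "pki-fail-info" label is an assumption; the PIX output above shows no failInfo.
NAMED_ATTRS = {"pki-message-type": MESSAGE_TYPES, "pki-status": PKI_STATUS,
               "pki-fail-info": FAIL_INFO}

ATTR_RE = re.compile(r"CRYPTO_PKI: signed attr: ([\w-]+):")
HEX_ROW_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")
FINGERPRINT_RE = re.compile(r"Fingerprint:\s*((?:[0-9a-fA-F]{8}\s*){4})")
STATUS_RE = re.compile(r"CRYPTO_PKI: status = (\d+): (.*)")

# Constructed sample: the debug lines quoted in the post above, blank lines removed.
SAMPLE_DEBUG = """\
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps! Fingerprint: 90064033 50e37098 f67ae9a9 f2c4cffa
CRYPTO_PKI: http connection opened
The certificate enrollment request was denied by CA!
CRYPTO_PKI: received msg of 800 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting
CRL
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 ea df a4 24 aa f2 cb 2d c4 b3 fd bd 31 74 94 84
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 35 32 63 36 37 35 31 64 34 30 31 66 34 65 35 32 61 66
32 35 63 66 30 35 38 39 31 65 64 35 34 33
CRYPTO_PKI: status = 101: certificate request is rejected
"""


def der_primitive(raw):
    """Split one short-form DER TLV into (tag, value); reject truncated or padded input."""
    if len(raw) < 2:
        raise ValueError("truncated TLV")
    tag, length = raw[0], raw[1]
    if length & 0x80:
        raise ValueError("long-form length: not a PIX attribute dump")
    if len(raw) != 2 + length:
        raise ValueError("length byte %d does not match %d value bytes" % (length, len(raw) - 2))
    return tag, raw[2:]


def decode_attr(name, raw):
    """Turn the hex bytes the PIX printed for one signed attribute into a readable value."""
    tag, value = der_primitive(raw)
    if tag == 0x13:                       # PrintableString
        text = value.decode("ascii")
        table = NAMED_ATTRS.get(name)
        return table.get(text, "unknown(%s)" % text) if table else text
    if tag == 0x04:                       # OCTET STRING (nonces)
        return value.hex()
    raise ValueError("unexpected DER tag 0x%02x in %s" % (tag, name))


def parse_debug(transcript):
    """Collect decoded signed attributes, the printed fingerprint and the PIX status code."""
    parsed = {"attrs": {}, "fingerprint": None, "pix_status": None, "pix_status_text": None}
    lines = transcript.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = ATTR_RE.search(line)
        if m:
            name, rows = m.group(1), []
            i += 1
            while i < len(lines):         # hex rows may wrap onto several lines
                row = lines[i].strip()
                if not row:               # tolerate blank lines from copy/paste
                    i += 1
                    continue
                if not HEX_ROW_RE.match(row):
                    break
                rows.extend(row.split())
                i += 1
            parsed["attrs"][name] = decode_attr(name, bytes.fromhex("".join(rows)))
            continue
        m = FINGERPRINT_RE.search(line)
        if m:
            parsed["fingerprint"] = "".join(m.group(1).split()).lower()
        m = STATUS_RE.search(line)        # PIX's own code, not the SCEP pkiStatus
        if m:
            parsed["pix_status"] = int(m.group(1))
            parsed["pix_status_text"] = m.group(2).strip()
        i += 1
    return parsed


def fingerprint_matches(parsed, expected):
    """Compare the fingerprint the PIX printed with the one read off the CA (spacing, colons, case ignored)."""
    if parsed["fingerprint"] is None:
        return False
    return parsed["fingerprint"] == re.sub(r"[\s:]", "", expected).lower()


def summarize(parsed):
    a = parsed["attrs"]
    return "%s / %s / txid %s / PIX status %s" % (
        a.get("pki-message-type"), a.get("pki-status"),
        a.get("pki-transaction-id"), parsed["pix_status"])


if __name__ == "__main__":
    p = parse_debug(SAMPLE_DEBUG)
    print(summarize(p))
    print("fingerprint matches CA:", fingerprint_matches(p, "90064033 50e37098 f67ae9a9 f2c4cffa"))
```

For the transcript above this yields CertRep / FAILURE, i.e. the CA answered the PKCSReq with an explicit failure rather than leaving it pending, which is consistent with a permission problem on the enterprise CA rather than a transport fault. Checking the printed fingerprint against the CA's own is worth keeping in the habit, since "ca authenticate" trusts whatever certificate it fetched over plain HTTP until that comparison is made.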

I've probably found the basic problem:

Our Microsoft CA is Enterprise, not standalone!

MSCEP Help says:

"If you are requesting a certificate from an enterprise CA, you must have the right to enroll for certificates based on the IPSecIntermediateOffline certificate template in order to access the URL above. By default, a member of the Enterprise Administrators group or the root Domain Administrators group will have the right to enroll for certificates based on the IPSecIntermediateOffline certificate template.

See the procedure entitled Set security permissions and delegate control of certificate templates in Windows 2000 Server online help for the procedure to change enrollment permissions for certificate templates.

By default anyone can view the Web page at the URL above if it is on a stand-alone CA."

So does anybody know the detailed steps to allow my PIX to access //myca/certsrv/mscep/mscep.dll?

Thanks,

Milan

Hi!

You should manually grant enroll permission to Authenticated Users on the W2K CA:

Active Directory Sites and Services > Services > Certificate Templates > IPSECIntermediateOffline > Security

http://support.microsoft.com/default.aspx?scid=kb;en-us;305196

Thanks Igor,

I've found this article already.

But my understanding is that I can grant enroll permission only to an object included in Microsoft Active Directory.

What can I do with my PIX, which is not a member of my Windows domain, so it will never be an authenticated user?

Regards,

Milan

The PIX should not be a member of the Windows domain. But the CA with the SCEP add-on should be installed on a W2K domain controller server with AD. Otherwise you couldn't change the default rights settings for Authenticated Users.

There is another way: set up a CA on an IOS router, but it's a relatively new feature ... Try it if you want :-)

Yours.

Igor, thanks.

Our CA is not installed on our domain controller but on another server.

Why must it be installed on a DC to be able to change the default settings?

I'm getting sick of Microsoft x Cisco compatibility :-((

I'll ask our CA admin to make some tests tomorrow...

Regards,

Milan

I see. I felt the same when I first needed to get a certificate from MS CA. But it's really working!!!

You may install a stand-alone DC without any relation to the current Windows domain, only for X.509 certificates.

Yours.

It's not mandatory to install the CA on a DC to change the settings.

Actually it's strongly encouraged to install the CA on a member server.

To change the permissions on a template you should log on as an "enterprise admin" user or a user with delegated permission to manage the templates.

Once logged on as a user with the correct permissions, you can change a template's permissions from the CA MMC console.

HTH

Stefano
