I installed a Windows 2000 Server domain controller and installed the Microsoft CA (stand-alone mode). In the PIX firewall I added commands like ca identity nickname 192.168.20.5://certsrv/mscep/mscep.dll
ca configure nickname ra 1 20 crloptional
ca authenticate nickname and after that, when I give
ca enroll nickname and "challenge password", I am getting an error message
"No CA root server exists. use CA Authenticate". Can someone explain to me what mistake I am making and what I need to do to successfully configure the Microsoft Certificate Authority for my client systems that connect through the Cisco VPN client software?
Thanks in advance
There are a couple of things that you could try.
- Use the 'ca zeroize rsa' command to delete all RSA keys that were previously generated by your PIX Firewall.
- Cross-check to ensure that the domain name is the same on both the PIX and the CA server.
- Make sure you have used the correct parameter (hostname) for identity.
- Although you have stated that the CA server is in 'stand-alone mode', make sure that is indeed the case. The setup won't work with subordinate servers.
Thanks a lot for your reply. Now I do not see any error message on the Cisco PIX. I got the fingerprint from the CA and put the same in ca authenticate nickname and the fingerprint. I went to a client system, connected to the certificate server, selected "Submit Request using CA form", and on the next screen I selected "Client Authentication Purpose" and CSP "Microsoft Base Cryptographic Provider v1.0" and got the certificate installed successfully. Then I started the Cisco VPN client and chose the certificate to connect, but could not connect to the Cisco PIX firewall. Is there anything else I need to do?
I'm in the same trouble.
I started CA debugging and can see:
debug crypto ca
pix(config)# ca authenticate myca
CI thread sleeps!
Crypto CA thread wakes up!
pix(config)# connection opened
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Error: Invalid format for BER encoding while
CRYPTO_PKI: can not set ca cert object.
CRYPTO_PKI: status = 65535: failed to process RA certificate
Crypto CA thread sleeps!
CI thread wakes up!
Does anybody know what the error message means?
It seems that the basic problem is the following:
the Microsoft CA running on Windows 2000 Server doesn't support the SCEP protocol, which is the only way to get the certificate into the PIX.
So it is necessary to install SCEP on the CA.
I've found on Microsoft's website that cepsetup.exe should be available in the Windows 2000 Server Resource Kit, but haven't found it yet...
Does anybody know if SCEP is supported on Windows 2000 Server or Advanced Server, or is 2003 Server necessary?
Yes and yes.
It is in the 'Security Resource Kit', but also try this link
and go to where it says "local package", or just click here: http://www.klake.org/~jt/sscep/mscep.zip
Run an AV scan to make sure it's OK.
After you install it, you will need to register mscep.dll with IIS (this is done by default on '03, but not on 2K) or your firewall will not be able to execute 'pkiclient.exe' using HTTP (on port 80).
Here's a scratch sample I labbed up: http://www.getconnected-it.com/pix-ca-enrollment.doc
And also this may help (it's for '03, but the only other step you'll need to do is manually register mscep.dll with IIS from the command line):
Hope this helps.
Thanks a lot.
Unfortunately, our CA administrator is on holiday.
When he comes back, we'll try to install SCEP on our CA and I hope everything will work OK.
I'm still in trouble.
1) I'm confused with PIX
ca configure myca ra 1 1 crloptional
What's the difference between the ca and ra options in this command?
I noticed that I have to use ra to be able to get the root certificate from my CA by
ca authenticate myca ...
But to try to enroll the certificate for my PIX, I have to change the command to
ca configure myca ca 1 1 crloptional
If I don't, I receive the
% No CA root cert exists. Use "ca authenticate" error message.
I've got some certificates downloaded to my PIX:
sh ca cert shows:
Certificate Serial Number: 75b027220003000000bc
Key Usage: Signature
Certificate Serial Number: 75b0282c0003000000bd
Key Usage: Encryption
Certificate Serial Number: 18308b8d573a8090439e362e0b616481
Key Usage: General Purpose
which I hope are the CA root certificates?
2) I'm not able to get the RA certificate for my PIX.
I installed SCEP support on our Microsoft CA running on Windows 2000 Server.
But I have to use the domain administrator user account and password to get the
http://myca/certsrv/mscep/mscep.dll screen with the enrollment challenge password in my browser, as described in http://www.getconnected-it.com/pix-ca-enrollment.doc.
I'm afraid the PIX is not providing any user/password while sending the enrollment request?
Even when I use the challenge password seen via the web interface with the admin account, I get a "certificate request refused" error. With debug on, I can see:
CRYPTO_PKI: transaction PKCSReq completed
Crypto CA thread sleeps! Fingerprint: 90064033 50e37098 f67ae9a9 f2c4cffa
CRYPTO_PKI: http connection opened
The certificate enrollment request was denied by CA!
CRYPTO_PKI: received msg of 800 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 ea df a4 24 aa f2 cb 2d c4 b3 fd bd 31 74 94 84
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 35 32 63 36 37 35 31 64 34 30 31 66 34 65 35 32 61 66
32 35 63 66 30 35 38 39 31 65 64 35 34 33
CRYPTO_PKI: status = 101: certificate request is rejected
But I can't see any refused request in the CA logs.
I think the main problem might be the authorization to //myca/certsrv/mscep/mscep.dll on the Microsoft CA. How shall I change it?
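The two pieces of SCEP output quoted in this thread can be checked off-box. This is an added example, not code from any post here. It does two things: it classifies a GetCACert response body by its outer DER layout (a bare X.509 certificate for a CA-only deployment, versus the PKCS#7 degenerate SignedData carrying CA plus RA certificates that an RA-fronted CA such as MSCEP returns, which is the shape the PIX expects in 'ca configure ... ra' mode), raising on anything that is not well-formed DER instead of mis-parsing it; and it decodes the 'signed attr' hex dumps from 'debug crypto ca' into SCEP messageType and pkiStatus names. The GetCACert sample bodies are constructed skeletons that reproduce only the outer layout, not real certificates; the debug sample is the dump quoted above. In that dump the PrintableString "3" is messageType CertRep and "2" is pkiStatus FAILURE, i.e. a signed reply from the CA side saying the request was refused.

```python
"""Decode the two SCEP artifacts that this thread struggles with.

Added example, not code from the original posts. It needs no network: the
GetCACert bodies are constructed skeletons (outer DER layout only, not real
certificates) and the debug dump is the one quoted in the thread.
"""
import re

def der_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length (not DER)")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of data (invalid BER/DER)")
    return tag, buf[pos:pos + length], pos + length

def der(tag, payload):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def classify_get_ca_cert(body):
    """'x509': a lone CA certificate (PIX 'ca configure ... ca' mode).
    'pkcs7': degenerate SignedData carrying CA + RA certs, as returned by an
    RA-fronted CA such as MSCEP (PIX 'ca configure ... ra' mode).
    Anything else, e.g. an HTML error page, raises instead of mis-parsing."""
    outer, content, end = der_tlv(body)
    if outer != 0x30 or end != len(body):
        raise ValueError("body is not a single DER SEQUENCE")
    inner, value, _ = der_tlv(content)
    if inner == 0x06 and value == OID_SIGNED_DATA:
        return "pkcs7"          # ContentInfo { contentType signedData, [0] ... }
    if inner == 0x30:
        return "x509"           # Certificate { tbsCertificate SEQUENCE, ... }
    raise ValueError(f"unrecognised GetCACert body (inner tag 0x{inner:02x})")

# Constructed skeletons: correct outer layout, placeholder contents.
CA_ONLY_BODY = der(0x30, der(0x30, der(0x02, b"\x01"))
                   + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")))
                   + der(0x03, b"\x00\xff"))
CA_RA_BODY = der(0x30, der(0x06, OID_SIGNED_DATA)
                 + der(0xA0, der(0x30, der(0x02, b"\x01"))))

# SCEP messageType / pkiStatus are PrintableString decimal values (RFC 8894).
MESSAGE_TYPE = {"3": "CertRep", "17": "RenewalReq", "19": "PKCSReq",
                "20": "CertPoll", "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
HEX_LINE = re.compile(r"(?:[0-9a-fA-F]{2}\s*)+")

def interpret_attr(name, raw):
    """Decode one attribute value as the PIX prints it (bare TLV, no OID)."""
    tag, value, end = der_tlv(raw)
    if end != len(raw):
        raise ValueError(f"{name}: trailing bytes after value")
    if tag == 0x13:                             # PrintableString
        text = value.decode("ascii")
        table = {"pki-message-type": MESSAGE_TYPE, "pki-status": PKI_STATUS}.get(name)
        return table.get(text, f"unknown({text})") if table else text
    if tag == 0x04:                             # OCTET STRING (nonces)
        return value.hex()
    raise ValueError(f"{name}: unexpected tag 0x{tag:02x}")

def decode_debug_attrs(debug_text):
    """Collect 'CRYPTO_PKI: signed attr:' blocks from 'debug crypto ca' output."""
    attrs, name, hexbuf = {}, None, []
    for line in debug_text.splitlines():
        line = line.strip()
        if line.startswith("CRYPTO_PKI: signed attr:"):
            if name:
                attrs[name] = bytes.fromhex("".join(hexbuf))
            name, hexbuf = line.split("signed attr:", 1)[1].strip().rstrip(":"), []
        elif name and HEX_LINE.fullmatch(line):
            hexbuf.append(line.replace(" ", ""))
        elif name:                              # any other line ends the dump
            attrs[name] = bytes.fromhex("".join(hexbuf))
            name, hexbuf = None, []
    if name:
        attrs[name] = bytes.fromhex("".join(hexbuf))
    return {n: interpret_attr(n, raw) for n, raw in attrs.items()}

# The dump quoted in the thread (CertRep carrying pkiStatus FAILURE).
SAMPLE_DEBUG = """\
CRYPTO_PKI: received msg of 800 bytes
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 ea df a4 24 aa f2 cb 2d c4 b3 fd bd 31 74 94 84
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 35 32 63 36 37 35 31 64 34 30 31 66 34 65 35 32 61 66
32 35 63 66 30 35 38 39 31 65 64 35 34 33
CRYPTO_PKI: status = 101: certificate request is rejected
"""

if __name__ == "__main__":
    print(classify_get_ca_cert(CA_ONLY_BODY), classify_get_ca_cert(CA_RA_BODY))
    print(decode_debug_attrs(SAMPLE_DEBUG))
```

To use it against a real server, fetch mscep.dll?operation=GetCACert&message=... with any HTTP client, save the raw body and pass it to classify_get_ca_cert; a body that raises is worth looking at in a hex editor before touching the PIX configuration, since the PIX reports such bodies only as a BER error.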
I've probably found the basic problem:
our Microsoft CA is Enterprise, not stand-alone!
MSCEP Help says:
"If you are requesting a certificate from an enterprise CA, you must have the right to enroll for certificates based on the IPSecIntermediateOffline certificate template in order to access the URL above. By default, a member of the Enterprise Administrators group or the root Domain Administrators group will have the right to enroll for certificates based on the IPSecIntermediateOffline certificate template.
See the procedure entitled Set security permissions and delegate control of certificate templates in Windows 2000 Server online help for the procedure to change enrollment permissions for certificate templates.
By default anyone can view the Web page at the URL above if it is on a stand-alone CA."
So does anybody know the detailed steps for allowing my PIX to access //myca/certsrv/mscep/mscep.dll?
You should manually grant enroll permission for Authenticated Users on the W2K CA:
Active Directory Sites and Services > Services > Certificate Templates > IPSECIntermediateOffline > Security
I've found this article already.
But my understanding is that I can grant enroll permission only to an object included in Microsoft Active Directory.
What can I do with my PIX, which is not a member of my Windows domain, so it will never be an authenticated user?
The PIX should not be a member of the Windows domain. But the CA with the SCEP add-on should be installed on a W2K domain controller server with AD. Otherwise you couldn't change the default rights setting for Authenticated Users.
There is another way: set up the CA on an IOS router, but it's a relatively new feature ... Try it if you want :-)
Our CA is not installed on our domain controller but on another server.
Why must it be installed on a DC to be able to change the default settings?
I'm getting sick of Microsoft vs. Cisco compatibility :-((
I'll ask our CA admin to do some tests tomorrow...
I see. I felt the same when I first needed to get a certificate from an MS CA. But it really works!!!
You may install a stand-alone DC without any relation to the current Windows domain, only for X.509 certificates.
It's not mandatory to install the CA on a DC to change the settings.
Actually, it's strongly encouraged to install the CA on a member server.
To change the permissions on a template you should log on as an "Enterprise Admin" user or a user with delegated permission to manage the templates.
Once logged on with a user with the correct permissions, you can change the template's permissions from the CA MMC console.
I tried, using the
ca identity myca myca_ip:/certsrv/mscep/mscep.dll
PIX config command.
But the /certsrv/mscep directory was not available to everyone on the enterprise CA.
So I tried a stand-alone CA and it worked with no problem.
We tried to play with the Enterprise CA to give everyone the permission to require a certificate, but with no success. I've got a feeling I can give this permission only to Active Directory objects, but the PIX is not included in the MS domain at all.
Finally we ran into a deep problem with our production enterprise CA, so the CA admin refused to continue with the tests.
We will install a new CA in our lab next month and play with it.
For those following this thread:
I gave up.
I don't have time for more experiments with PIX/Microsoft incompatibility.
We just installed a dedicated stand-alone Microsoft CA running on Windows 2003 Server.
We added SCEP support and it seems to work OK.
After installing the SCEP add-on on the MS CA, find the mscephlp.htm file. There you will find detailed info for the Cisco router (PIX similar) config.