12-05-2002 01:02 PM - edited 02-20-2020 10:24 PM
I am trying to get digital certificates to work on my Cisco 2621XM router. I also
need to set them up on three PIX 501 firewalls but haven't gotten that far yet. I
do not have access to the root CA but could bring it back online if I had to. I
have a Microsoft standalone subordinate CA which I want to use to issue all
certificates.
Can this be done, both with the router and the firewalls? If so, which version
of the IOS do I need? I have installed the SCEP add-on to the CA. I cannot get
this to work and am beginning to wonder if it is even possible. If this does
work, how can I get it to work? I have combed all of the documents Cisco has
on the subject and have gotten nowhere.
Any assistance would be greatly appreciated. Thanks.
12-05-2002 01:14 PM
Ya, it works. Which features you "need" will determine what version of IOS and PIX you'll need. It also makes a difference how the server is set up. Here's a link on setting up PIX and routers with certificates.
http://www.cisco.com/warp/public/707/lan_to_lan_ipsec_pix_rtr_cert.html
Assuming, of course, your certificate server is configured correctly, which is always a problem. I can send you a doc that I made and have used hundreds of times to configure certs on PIX and routers as well as setting up the server, with enough steps to troubleshoot it as well. But it's not been updated for some of the new working features, which you may/may not need, because at the time they didn't work. If you have problems, make sure you post your cert debugs as well as the steps you took to obtain them on the router.
Kurtis Durrett
12-05-2002 01:46 PM
That link was to one of the many documents I have printed out and couldn't get to work :-(
I do get a certificate -- sort of. After all the hex data finishes scrolling, I get these debugging messages, each repeated several times:
Error: Certificate, private key or CRL was not found while selecting certificate chain
WARNING: A certificate chain could not be constructed while selecting certificate status
Error: Code 0x0000 while selecting self signed certificate
Can not get name ava count
Can not decode router sub name
After repeating these messages several times, it finally gives up and fails to get the certificate. I think the end status code is 324.
I can't guarantee my CA is set up correctly, since I'm pretty new to it. In accordance with MS guidelines, I altered the AIA and CDP paths to have a distribution point on my online CA. This is an accessible HTTP location.
The time on my router is correct. I have "enrollment mode ra" set. I've tried it with "crl optional" but no difference.
If you could send me your document I wouldn't mind taking a look at it. Email address is jennette_o@yahoo.com. Thanks much.
12-05-2002 03:35 PM
It is a very typical problem. Please look first at the certificate server. If you use Microsoft certificate server you should approve any certificate that is issued. This is not done automatically, so you should do it by hand on the MMC console. Anyway - if the certificate server says that the certificate is valid and enrolled (sent to the client), don't worry. This is also a typical issue. Probably you are running into a Cisco IOS bug, so you should open a case with TAC.
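For reference, here is a minimal IOS trustpoint configuration using the settings discussed in this thread (RA enrollment mode, optional CRL checking, correct clock) followed by the exec-mode steps that fetch the CA chain and submit the request; this is an added illustration, not taken from any post or from the document Kurtis offered, and the CA hostname, NTP server and the default mscep.dll path of the Windows SCEP add-on are assumptions.

```ios
! Added example (not from the thread): IOS 12.2-era SCEP enrollment against a
! Microsoft CA running the SCEP add-on. Placeholders: ca.example.local, 10.0.0.10.
hostname rtr-2621xm
ip domain-name example.local
!
! Certificate validation is time-sensitive: the router clock must fall inside the
! validity period of the CA chain, so synchronise time before enrolling.
clock timezone UTC 0
ntp server 10.0.0.10
!
crypto ca trustpoint MS-SUBCA
 enrollment url http://ca.example.local:80/certsrv/mscep/mscep.dll
 enrollment mode ra
 enrollment retry count 10
 enrollment retry period 2
 crl optional
!
! Exec-mode steps (shown as comments so this block can be pasted as config):
! 1. Fetch the CA/RA certificates and verify the fingerprint against the CA:
!      crypto ca authenticate MS-SUBCA
! 2. Submit the request. On a Microsoft CA it sits in Pending Requests until an
!    administrator issues it in the Certification Authority MMC, unless the CA
!    policy is set to issue automatically; the router keeps retrying meanwhile.
!      crypto ca enroll MS-SUBCA
! 3. Confirm the router holds the CA chain plus its own certificate, and collect
!    debugs to post if the chain is incomplete:
!      show crypto ca certificates
!      debug crypto pki transactions
!      debug crypto pki messages
```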
12-06-2002 10:02 AM
Jennnette,
I sent you that document, let me know how it goes or if you have any questions.
Kurtis Durrett
02-07-2003 12:30 PM
Hi,
Would it be possible to send me one? I think my issue could be related to the setup of the CA.