1091 Views | 0 Helpful | 5 Replies

Microsoft subordinate CA w/ Cisco router / PIX 501

jennette_o (Level 1)

I am trying to get digital certificates to work on my Cisco 2621XM router. I also need to set them up on three PIX 501 firewalls but haven't gotten that far yet. I do not have access to the root CA but could bring it back online if I had to. I have a Microsoft standalone subordinate CA which I want to use to issue all certificates.

Can this be done, both with the router and the firewalls? If so, which version of the IOS do I need? I have installed the SCEP add-on to the CA. I cannot get this to work and am beginning to wonder if it is even possible. If this does work, how can I get it to work? I have combed all of the documents Cisco has on the subject and have gotten nowhere.

Any assistance would be greatly appreciated. Thanks.

Accepted Solution

Jennnette,

I sent you that document, let me know how it goes or if you have any questions.

Kurtis Durrett


5 Replies

kdurrett (Level 3)

Ya it works. Depending on what features you "need" will determine what version of IOS and pix you'll need. It also makes a difference on how the server is set up. Here's a link on setting up pix and routers with certificates.

http://www.cisco.com/warp/public/707/lan_to_lan_ipsec_pix_rtr_cert.html

Assuming of course your certificate server is configured correctly, which is always a problem. I can send you a doc that I made and used hundreds of times to configure certs on pix and routers as well as setting up the server. With enough steps to troubleshoot it as well. But it's not been updated for some of the new working features which you may/may not need because at the time they didn't work. If you have problems, make sure you post your cert debugs as well as the steps you took to obtain them on the router.

Kurtis Durrett

That link was to one of the many documents I have printed out and couldn't get to work :-(

I do get a certificate -- sort of. After all the hex data finishes scrolling, I get these debugging messages, each repeated several times:

Error: Certificate, private key or CRL was not found while selecting certificate chain

WARNING: A certificate chain could not be constructed while selecting certificate status

Error: Code 0x0000 while selecting self signed certificate

Can not get name ava count

Can not decode router sub name

After repeating these messages several times, it finally gives up and fails to get the certificate. I think the end status code is 324.

I can't guarantee my CA is set up correctly, since I'm pretty new to it. In accordance with MS guidelines, I altered the AIA and CDP paths to have a distribution point on my online CA. This is an accessible HTTP location.

The time on my router is correct. I have "enrollment mode ra" set. I've tried it with "crl optional" but no difference.

If you could send me your document I wouldn't mind taking a look at it. Email address is jennette_o@yahoo.com. Thanks much.

It is a very typical problem. Please look first at the certificate server. If you use Microsoft certificate server you should approve any certificate that is issued. This is not done automatically, so you should do it by hand on the MMC console. Anyway - if the certificate server says that the certificate is valid and enrolled (sent to the client) don't worry. This is also a typical issue. Probably you are running into a Cisco IOS bug. So you should open a case in TAC.
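The router-side configuration the two replies above are discussing (a trustpoint with "enrollment mode ra" and "crl optional", the CA authenticate/enroll steps, approving the pending request on the Microsoft CA, and the debugs to post), as an added example that is not from the original thread, from Cisco's document, or from Kurtis's doc. The trustpoint name MSSUBCA, the CA hostname ca.example.local, the NTP server address and the SCEP URL path are assumptions; substitute your own values.

```cisco
! Assumed values: trustpoint MSSUBCA, CA host ca.example.local, SCEP path
! /certsrv/mscep/mscep.dll (the path the Microsoft SCEP add-on installs).
hostname rtr2621
ip domain-name example.local
! hostname + domain-name form the router's default subject name; set both
! before generating the RSA key pair, because the key is named after them.
clock timezone UTC 0
ntp server 192.0.2.10
! A wrong clock makes the CA certificate look not-yet-valid or expired;
! confirm with "show clock" before enrolling.
crypto key generate rsa general-keys modulus 1024
!
crypto ca trustpoint MSSUBCA
 enrollment url http://ca.example.local/certsrv/mscep/mscep.dll
 ! the Microsoft SCEP add-on acts as a registration authority, hence mode ra
 enrollment mode ra
 ! accept the certificate even if the CRL at the CDP cannot be fetched
 crl optional
 subject-name cn=rtr2621.example.local
!
! Step 1: download and verify the CA certificate(s). With a subordinate CA the
! router must end up holding the subordinate CA cert and the root it chains to;
! compare the fingerprint it prints with the one shown on the CA before typing yes.
crypto ca authenticate MSSUBCA
!
! Step 2: request the router certificate. On a Microsoft standalone CA the request
! sits under "Pending Requests" in the Certification Authority MMC until an
! administrator issues it; the router keeps polling until that happens.
crypto ca enroll MSSUBCA
!
! Troubleshooting: enable these before "crypto ca enroll" and include the output
! when asking for help.
debug crypto pki transactions
debug crypto pki messages
!
! After a successful enrollment both the CA certificate(s) and the router's own
! certificate are listed here; a missing CA certificate is what produces the
! "certificate chain could not be constructed" errors during enrollment.
show crypto ca certificates
```

The order matters: authenticate the trustpoint (so the router has the CA chain to validate against) before enrolling, and check the CA's pending-request queue before suspecting the router when the enrollment simply polls without finishing.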


Hi,

Would it be possible to send me one? I think my issue could be related to the setup of the CA.
