06-20-2003 10:55 AM - edited 02-20-2020 10:48 PM
Hello, and Help!
I am following instructions that I have from our PIX software 6.3 manual to configure the PIX to use certificates. The hostname is set up, the domain-name is set up. I have generated the RSA key, I have declared the CA via the ca identity command. I have configured the parameters for communication between the PIX and the Microsoft 2003 CA server via the ca configure command. I am at the step to authenticate the CA by obtaining its public key and its certificate: ca authenticate ca_nickname [fingerprint].
I am getting the following message:
fw1(config)# ca authenticate ca_rad
CI thread sleeps!
Crypto CA thread wakes up!
fw1(config)# nnection opened
CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!
I have found information that indicates my identity URL location is incorrect, yet I have double-checked that via a web browser. I am at a loss as to what the problem is; to my knowledge what I am supposed to receive is the fingerprint for comparison. Thanks for any help offered.
-Steve
06-22-2003 09:56 PM
The correct URL for a MS CA server should be the following:
> http://
You can actually type this into any web browser and you should get a page with a fingerprint on it. If you don't get this, you probably haven't loaded the mscep.dll onto the CA server. If you get prompted for a username/password, then you configured the CA wrong when you installed it; there's no way the PIX can enter the username/password here, so it'll fail. Reinstall the CA; there's an option during the install that talks about passwords, uncheck it (sorry, it's been a while since I installed this so my memory is pretty vague).
If the fingerprint shows up correctly when using a standard web browser, then everything should be loaded on the CA correctly and the PIX should be able to get it. Make sure you've specified the CA as an "RA", not a "CA", under the identity command. MS CAs act as an RA (registration authority) to the PIX.
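The answer above boils down to two checks: does the SCEP endpoint hand back a CA certificate without demanding HTTP credentials, and does the fingerprint you see out-of-band match the certificate the firewall actually retrieved? The script below is an added example written for this thread, not code from the original posts or from Cisco or Microsoft. It builds the SCEP GetCACert request URL, classifies the HTTP response (401 means the client can never succeed; the content types are the ones SCEP defines, and the ca-ra variant is the case where the CA acts as an RA), and compares an out-of-band fingerprint with hashes of the retrieved DER bytes. The hostname and the certificate bytes are constructed placeholders, not values from the thread.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlencode

# Content types defined for the SCEP GetCACert response (RFC 8894, section 4.2).
CT_CA_ONLY = "application/x-x509-ca-cert"      # single DER-encoded CA certificate
CT_CA_RA = "application/x-x509-ca-ra-cert"     # degenerate PKCS#7 carrying CA + RA certs


def getcacert_url(base_url: str, ca_ident: str) -> str:
    """Build the SCEP GetCACert request for a given SCEP handler URL.

    base_url is the handler path (on a Microsoft CA this ends in mscep.dll);
    the host used in the demo below is a constructed placeholder.
    """
    query = urlencode({"operation": "GetCACert", "message": ca_ident})
    return f"{base_url}?{query}"


def fingerprints(der: bytes) -> dict:
    """MD5 and SHA-1 fingerprints of the DER bytes, colon-separated upper-case hex,
    the format devices and browsers print for manual comparison."""
    def fmt(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)
    return {"md5": fmt(hashlib.md5(der).digest()),
            "sha1": fmt(hashlib.sha1(der).digest())}


def normalize_fp(fp: str) -> str:
    """Strip colons, spaces and case so fingerprints typed from paper still compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(expected: str, der: bytes) -> bool:
    """True if the out-of-band fingerprint equals the MD5 or SHA-1 of the retrieved cert.
    This is the check that stops a spoofed CA from being trusted at authenticate time."""
    want = normalize_fp(expected)
    return bool(want) and any(normalize_fp(v) == want for v in fingerprints(der).values())


@dataclass
class Diagnosis:
    ok: bool
    reason: str


def diagnose_getcacert(status: int, content_type: str, body: bytes) -> Diagnosis:
    """Classify a GetCACert HTTP response the way a troubleshooter would."""
    if status == 401:
        return Diagnosis(False, "server demands HTTP credentials; the SCEP client "
                                "cannot supply them, so CA authentication will fail")
    if status != 200:
        return Diagnosis(False, f"unexpected HTTP status {status}")
    ct = content_type.split(";")[0].strip().lower()
    if ct == CT_CA_ONLY:
        return Diagnosis(True, "single CA certificate returned; identity is a plain CA")
    if ct == CT_CA_RA:
        return Diagnosis(True, "PKCS#7 with CA and RA certificates; configure the identity as RA")
    if ct.startswith("text/html"):
        return Diagnosis(False, "HTML page returned; the SCEP handler (mscep.dll) is "
                                "probably not installed at this URL")
    return Diagnosis(False, f"unrecognised content type {ct!r} ({len(body)} bytes)")


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate.
    sample_der = b"constructed-not-a-real-certificate"
    print(getcacert_url("http://ca.example.test/certsrv/mscep/mscep.dll", "ca_rad"))
    print(fingerprints(sample_der))
    print(diagnose_getcacert(401, "text/html", b""))
    print(diagnose_getcacert(200, CT_CA_RA, b"\x30"))
```

In practice you fetch the URL once from a browser or curl on a trusted network path, run the body through fingerprints(), and only then accept the value the firewall prints at ca authenticate; a 401 or an HTML page at this step explains the "failed to verify" status without touching the firewall configuration.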
06-24-2003 07:09 AM
Thanks, you were correct, I didn't install the MSCEP from the 2003 resource kit. I have done so and tested. I now get prompted for a username and password. I tried uninstalling and reinstalling the CA server but did not find the password options you spoke of. I did however experiment with the MSCEP setup and found that if I didn't require a challenge phrase then I didn't get prompted for a username/password when authenticating the CA. Of course I want to require a challenge phrase; not sure where to look from here. If you happen to remember what causes this behavior please let me know. Thanks again for getting me to this point.
-Steve