Solved: Re: MS CA Server & PIX 515

admin_2 · ‎06-20-2003

Hello, and Help!

I am following instructions that I have from our PIX software 6.3 manual to configure the pix to use certificates. The hostname is setup, the domain-name is setup. I have generated the rsa key, I have declared the CA via the ca identity command. I have configured the paramaters for communication between the pix and Microsoft 2003 CA server via the ca configure command. I am at the step to authenticate the CA by obtaining its public key and its certificate: ca authenticate ca_nickname [fingerprint].

I am getting the following message:

fw1(config)# ca authenticate ca_rad

CI thread sleeps!

Crypto CA thread wakes up!

fw1(config)# nnection opened

CRYPTO_PKI: status = 266: failed to verify

CRYPTO_PKI: transaction GetCACert completed

Crypto CA thread sleeps!

CI thread wakes up!

I have found information that indicates my identity url location is incorrect, yet I have double checked that via a web browser. I am at a loss as to what the problem is, to my knowledge what I am suppose to receive is the fingerprint for comparison. Thanks for any help offered.

-Steve

gfullage · ‎06-22-2003

The correct URL for a MS CA server should be the following:

> http:///certsrv/mscep/mscep.dll

You can actually type this into any web browser and you should get a page with a fingerprint on it. If you don't get this, you probably haven't loaded the mscep.dll onto the CA server. If you get prompted for a username/password, then you configured the CA wrong when you installed it, there's no way the PIX can enter in the username/password here and so it'll fail. Reinstall the CA and there's an option during the install that talks about passwords, uncheck it (sorry, it's been a while since I installed this so my memory is pretty vague).

If the fingerprint shows up correctly when using a standard web browser, then everything should be loaded on the CA correctly and the PIX should be able to get it. Make sure you've specified the CA as an "RA", not a "CA" under the identity command. MS CA's act as an RA (registration authority) to the PIX.

View solution in original post

gfullage · ‎06-22-2003

The correct URL for a MS CA server should be the following:

> http:///certsrv/mscep/mscep.dll

You can actually type this into any web browser and you should get a page with a fingerprint on it. If you don't get this, you probably haven't loaded the mscep.dll onto the CA server. If you get prompted for a username/password, then you configured the CA wrong when you installed it, there's no way the PIX can enter in the username/password here and so it'll fail. Reinstall the CA and there's an option during the install that talks about passwords, uncheck it (sorry, it's been a while since I installed this so my memory is pretty vague).

If the fingerprint shows up correctly when using a standard web browser, then everything should be loaded on the CA correctly and the PIX should be able to get it. Make sure you've specified the CA as an "RA", not a "CA" under the identity command. MS CA's act as an RA (registration authority) to the PIX.

Report Inappropriate Content · ‎06-24-2003

Thanks, You were correct I didn't install the MSCEP from the 2003 resource kit. I have done so and tested. I know get prompted for a username and password. I tried uninstalling and reinstalling the CA server but did not find the password options you spoke of. I did however experiment with the MSCEP setup and found that if I didn't require a challenge phrase then I didn't get prompted for a username/password when authenticating the ca. Of course I want to require a challenge phrase, not sure where to look from here. If you happen to remember what causes this behavior please let me know, thanks again for getting me to this point.

-Steve