07-26-2008 04:02 PM - edited 03-09-2019 09:10 PM
Hi,
I am trying to configure the PIX to use certificates from a MS CA. I have it working fine with ASA5505 and 5510's, but when I try to get it working with a PIX 506E and 501 using 6.3 I get the "% No CA root cert exists. Use "ca authenticate"" message after the ca enroll command.
Can someone give me a heads up on what I might be doing wrong?
Commands Used:
hostname Pix506e
domain-name nesa.lab
ca generate rsa key 512 (and I also tried 1024)
ca identity ciscoserver.nesa.lab 11.11.11.26
ca configure ciscoserver.nesa.lab ca 1 20 crloptional
ca authenticate ciscoserver.nesa.lab
ca enroll ciscoserver.nesa.lab 8EC4CEAD54268142 serial ipaddress
...and that is where the "% No CA root cert exists. Use "ca authenticate"" message shows up.
Any help is appreciated.
07-27-2008 02:23 AM
Hi,
Please post the debug for "ca authenticate".
07-27-2008 04:52 AM
PIX506E(config)# debug crypto ca
PIX506E(config)# ca authenticate ciscoserver.nesa.lab
CI thread sleeps!
Crypto CA thread wakes up!
Certificate has the following attributes:
Fingerprint: 23d6b92b c7eb100f c1294e6b 124b7e75
CRYPTO_PKI: http connection opened
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Error: Invalid format for BER encoding while
CRYPTO_PKI: can not set ca cert object.
CRYPTO_PKI: status = 65535: failed to process RA certificate
Crypto CA thread sleeps!
PIX506E(config)# p!
07-27-2008 08:18 AM
Hi,
You need to set the enrollment mode as "RA" instead of "CA".
Hope this helps.
07-27-2008 08:48 AM
Hi,
I changed it and it still does the same thing. I have included the debug for the ca authenticate again.
Thanks
PIX506E(config)#
PIX506E(config)# ca configure ciscoserver.nesa.lab ra 1 20 crloptional
PIX506E(config)# ca authenticate ciscoserver.nesa.lab
CI thread sleeps!
Crypto CA thread wakes up!
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL
CRYPTO_PKI: http connection opened
CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
PIX506E(config)# ca enroll ciscoserver.nesa.lab F3567C82D9D72346 serial ipaddr$
% No CA root cert exists. Use "ca authenticate"
PIX506E(config)#
PIX506E(config)#
07-27-2008 09:55 AM
There is a problem with the enrollment URL in the "ca identity" statement.
For your case it should be something like
ca identity ciscoserver.nesa.lab 11.11.11.26:/certsrv/mscep/mscep.dll
The syntax is like this:
ca identity
Please make this change and check.
Also share the debug and the output of "sh run | inc ca identity".
07-27-2008 10:24 AM
I made the changes and the following is what happened.
Thanks,
PIX506E(config)# ca zeroize rsa
PIX506E(config)# ca generate rsa key 512
Keypair generation process begin.
.Success.
Insert Selfsigned Certificate:
30 82 01 9f 30 82 01 49 02 20 66 38 61 37 33 30 64 63 35 38
63 65 30 64 33 31 38 65 37 65 62 36 39 30 37 61 66 63 31 61
65 35 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 4b 31
49 30 0f 06 03 55 04 05 13 08 33 30 32 63 35 61 66 35 30 17
06 03 55 04 03 13 10 50 49 58 35 30 36 45 2e 6e 65 73 61 2e
PIX506E(config)# 09 2a 86 48 86 f7 0d 01 09 02 16 10 50 49
PIX506E(config)# ca identity ciscoserver.nesa.lab 11.11.11.26:/certsrv/mscep/m$
PIX506E(config)# ca configure ciscoserver.nesa.lab ra 1 20 crloptional
PIX506E(config)# ca authenticate ciscoserver.nesa.lab
CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
Certificate has the following attributes:
Fingerprint: fb4f82b6 d1204e94 d83675a7 4f446c2c
CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,
C = CA
CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,
C = CA
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,
C = CAPIX50
CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,
C = CA
Crypto CA thread sleeps!
CI thread wakes up!6E(config)# $lab F3567C82D9D72346 serial ipaddress
CI thread sleeps!
ca enroll ciscoserver.nesa.lab F3567C82D9D72346 serial ipaddr$
%
% Start certificate enrollment ..
% The subject name in the certificate will be: PIX506E.nesa.lab
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
PIX506E(config)#
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps!
PIX506E(config)# Fingerprint: 437269d6 62eb2a2e 1bd850da 5532ca47
CRYPTO_PKI: http connection opened
The certificate enrollment request was denied by CA!
CRYPTO_PKI: received msg of 670 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 9a 66 93 fd ac 8b 9e f1 90 92 fb 18 a1 52 83 bc
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 66 38 61 37 33 30 64 63 35 38 63 65 30 64 33 31 38 65
37 65 62 36 39 30 37 61 66 63 31 61 65 35
CRYPTO_PKI: status = 101: certificate request is rejected
CRYPTO_PKI: All enrollment requests completed.
CRYPTO_PKI: All enrollment requests completed.
PIX506E(config)#
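The debug trace above prints two DER fragments as raw hex: the self-signed certificate dumped after "ca generate rsa key" and the SCEP signed attributes of the reply to "ca enroll". Decoding them shows what the PIX actually received: a SCEP CertRep (message type 3) carrying pkiStatus FAILURE (2), which is the same thing the "status = 101: certificate request is rejected" line says, and a transaction ID that is the ASCII string the PIX used as the serial number of its self-signed certificate. The following decoder is an added example written for this thread, not Cisco code or output; the hex input is copied from the debug above (the certificate dump is cut off by the console prompt, so it is deliberately incomplete), the SCEP value meanings come from the SCEP specification (RFC 8894) and the OID names from PKCS #1 and X.520.

```python
"""Decode the DER fragments that PIX 6.3 'debug crypto ca' prints as raw hex:
the self-signed certificate dumped after 'ca generate rsa key', and the SCEP
signed attributes of the CertRep received after 'ca enroll'.
Added example, not Cisco code.  Hex copied from the thread's debug output;
attribute meanings per RFC 8894 (SCEP), OID names per PKCS #1 and X.520."""

# Constructed test input: the certificate dump is cut off by the console
# prompt in the thread, so it is deliberately incomplete.
SELF_SIGNED_CERT_PREFIX_HEX = """
30 82 01 9f 30 82 01 49 02 20 66 38 61 37 33 30 64 63 35 38
63 65 30 64 33 31 38 65 37 65 62 36 39 30 37 61 66 63 31 61
65 35 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 4b 31
49 30 0f 06 03 55 04 05 13 08 33 30 32 63 35 61 66 35 30 17
06 03 55 04 03 13 10 50 49 58 35 30 36 45 2e 6e 65 73 61 2e
"""
SCEP_SIGNED_ATTRS_HEX = {
    "pki-message-type": "13 01 33",
    "pki-status": "13 01 32",
    "pki-recipient-nonce": "04 10 9a 66 93 fd ac 8b 9e f1 90 92 fb 18 a1 52 83 bc",
    "pki-transaction-id": "13 20 66 38 61 37 33 30 64 63 35 38 63 65 30 64 33 31 38 65 "
                          "37 65 62 36 39 30 37 61 66 63 31 61 65 35",
}
SCEP_MESSAGE_TYPE = {"3": "CertRep", "17": "RenewalReq", "19": "PKCSReq",
                     "20": "CertPoll", "21": "GetCert", "22": "GetCRL"}
SCEP_PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "2.5.4.3": "commonName", "2.5.4.5": "serialNumber"}

def hex_to_bytes(text):
    return bytes.fromhex("".join(text.split()))

def der_header(data, pos):
    """Read tag and length at pos; return (tag, length, offset of the value)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, length, pos

def der_value(data, pos):
    """Read a complete primitive TLV; return (tag, value, offset after it)."""
    tag, length, start = der_header(data, pos)
    return tag, data[start:start + length], start + length

def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                 # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_scep_attr(name, hex_text):
    tag, value, _ = der_value(hex_to_bytes(hex_text), 0)
    if tag == 0x13:                   # PrintableString: SCEP codes numbers as text
        text = value.decode("ascii")
        if name == "pki-message-type":
            return SCEP_MESSAGE_TYPE.get(text, "unknown(%s)" % text)
        if name == "pki-status":
            return SCEP_PKI_STATUS.get(text, "unknown(%s)" % text)
        return text
    if tag == 0x04:                   # OCTET STRING: the 16-byte nonce
        return value.hex()
    raise ValueError("unexpected tag 0x%02x in %s" % (tag, name))

def decode_scep_attrs(attrs=SCEP_SIGNED_ATTRS_HEX):
    return {name: decode_scep_attr(name, hx) for name, hx in attrs.items()}

def decode_cert_prefix(hex_text=SELF_SIGNED_CERT_PREFIX_HEX):
    data = hex_to_bytes(hex_text)
    _, total, body = der_header(data, 0)      # Certificate SEQUENCE
    _, _, pos = der_header(data, body)        # tbsCertificate SEQUENCE
    # No [0] EXPLICIT version follows, so this is a v1 certificate and the
    # first field is serialNumber; the PIX fills it with ASCII hex digits.
    _, serial, pos = der_value(data, pos)
    _, alg, pos = der_value(data, pos)        # signature AlgorithmIdentifier
    _, oid, _ = der_value(alg, 0)
    _, _, pos = der_header(data, pos)         # issuer Name SEQUENCE
    _, _, pos = der_header(data, pos)         # its single RDN SET
    issuer = []
    while pos < len(data):                    # walk AttributeTypeAndValue pairs
        _, _, p = der_header(data, pos)
        _, attr_oid, p = der_value(data, p)
        _, length, start = der_header(data, p)
        text = data[start:start + length].decode("ascii")
        if start + length > len(data):        # the console cut the dump mid-string
            text += " (truncated)"
        issuer.append((OID_NAMES.get(decode_oid(attr_oid), decode_oid(attr_oid)), text))
        pos = start + length
    sig_alg = decode_oid(oid)
    return {"der_length": body + total, "version": "v1", "serial": serial.decode("ascii"),
            "signature_algorithm": OID_NAMES.get(sig_alg, sig_alg), "issuer": issuer}

def transaction_id_matches_serial():
    """The CertRep's transaction ID is the same string the PIX used as the
    serial number of its self-signed certificate, so the rejection belongs
    to this enrollment attempt and not to a stale one."""
    return decode_scep_attrs()["pki-transaction-id"] == decode_cert_prefix()["serial"]

if __name__ == "__main__":
    for name, meaning in decode_scep_attrs().items():
        print("%-20s %s" % (name, meaning))
    print(decode_cert_prefix())
    print("transaction id == self-signed serial:", transaction_id_matches_serial())
```

Two things worth noticing in the decoded output: the self-signed certificate is signed with md5WithRSAEncryption, which is what a 2008-era PIX 6.3 emits and is one more reason such devices should not be trusted for anything beyond the enrollment handshake itself; and a pkiStatus of FAILURE inside a well-formed CertRep means the transport and the CA's RA certificate were fine this time, so the cause is on the CA side (the challenge password, the request's subject, or the policy module), which is exactly where the next reply looks.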
07-27-2008 12:58 PM
Access this link again and get the enrollment challenge password (this expires within 60 minutes):
http://11.11.11.26/certsrv/mscep
And now, on the PIX, try ca enroll again with this new password.
After that, check the Application logs on the CA server.
Also check whether the time on the PIX is correct.