Re: % No CA root cert exists. Use "ca authenticate"

rlewis1951 · ‎07-26-2008

Hi,

I am trying to configure the PIX to use certificates from a MS CA. I have it working fine with ASA5505 and 5510's but when I try to get it working with a PIX 506E and 501 using 6.3 I get the % No CA root cert exists. Use "ca authenticate", message after the ca enroll command.

Can someone give me a heads up on what I might be doing wrong.

Commands Used:

hostname Pix506e

domain-name nesa.lab

ca generate rsa key 512 (and I also tried 1024)

ca identity ciscoserver.nesa.lab 11.11.11.26

ca configure ciscoserver.nesa.lab ca 1 20 crloptional

ca authenticate ciscoserver.nesa.lab

ca enroll ciscoserver.nesa.lab 8EC4CEAD54268142 serial ipaddress

....and that is where the % No CA root cert exists. Use "ca authenticate" shows up.

Any help is appreciated.

dhananjoy chowdhury · ‎07-27-2008

Hi,

Please post the debug for "ca authenticate".

rlewis1951 · ‎07-27-2008

IX506E(config)# debug crypto ca

PIX506E(config)# ca authenticate ciscoserver.nesa.lab

CI thread sleeps!

Crypto CA thread wakes up!

Certificate has the following attributes:

Fingerprint: 23d6b92b c7eb100f c1294e6b 124b7e75

CRYPTO_PKI: http connection opened

CRYPTO_PKI: transaction GetCACert completed

CRYPTO_PKI: Error: Invalid format for BER encoding while

CRYPTO_PKI: can not set ca cert object.

CRYPTO_PKI: status = 65535: failed to process RA certificate

Crypto CA thread sleeps!

PIX506E(config)# p!

dhananjoy chowdhury · ‎07-27-2008

Hi,

You need to set the enrollment mode as "RA" instead of "CA".

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml#baddebugforenrollingwithca

Hope this helps.

rlewis1951 · ‎07-27-2008

Hi,

I changed it and it still does the same thing. I have included the debug for the ca authenicate again.

Thanks

PIX506E(config)#

PIX506E(config)# ca configure ciscoserver.nesa.lab ra 1 20 crloptional

PIX506E(config)# ca authenticate ciscoserver.nesa.lab

CI thread sleeps!

Crypto CA thread wakes up!

msgsym(GETCARACERT, CRYPTO)!

%Error in connection to Certificate Authority: status = FAIL

CRYPTO_PKI: http connection opened

CRYPTO_PKI: status = 266: failed to verify

CRYPTO_PKI: transaction GetCACert completed

Crypto CA thread sleeps!

PIX506E(config)# ca enroll ciscoserver.nesa.lab F3567C82D9D72346 serial ipaddr$

% No CA root cert exists. Use "ca authenticate"

PIX506E(config)#

dhananjoy chowdhury · ‎07-27-2008

There is problem with the enrollment url in the "ca identity" statement

for your case it should be something like

ca identity ciscoserver.nesa.lab 11.11.11.26:/certsrv/mscep/mscep.dll

the syntax is like this

ca identity :/certsrv/mscep/mscep.dll

Please make this change and check.

Also share the debud and output of "sh run | inc ca identity"

rlewis1951 · ‎07-27-2008

I made the changes and the following is what happened.

Thanks,

PIX506E(config)# ca zeroize rsa

PIX506E(config)# ca generate rsa key 512

Keypair generation process begin.

.Success.

Insert Selfsigned Certificate:

30 82 01 9f 30 82 01 49 02 20 66 38 61 37 33 30 64 63 35 38

63 65 30 64 33 31 38 65 37 65 62 36 39 30 37 61 66 63 31 61

65 35 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 4b 31

49 30 0f 06 03 55 04 05 13 08 33 30 32 63 35 61 66 35 30 17

06 03 55 04 03 13 10 50 49 58 35 30 36 45 2e 6e 65 73 61 2e

PIX506E(config)# 09 2a 86 48 86 f7 0d 01 09 02 16 10 50 49

PIX506E(config)# ca identity ciscoserver.nesa.lab 11.11.11.26:/certsrv/mscep/m$

PIX506E(config)# ca configure ciscoserver.nesa.lab ra 1 20 crloptional

PIX506E(config)# ca authenticate ciscoserver.nesa.lab

CI thread sleeps!

Crypto CA thread wakes up!

CRYPTO_PKI: http connection opened

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

Certificate has the following attributes:

Fingerprint: fb4f82b6 d1204e94 d83675a7 4f446c2c

CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,

C = CA

CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,

C = CA

CRYPTO_PKI: transaction GetCACert completed

CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,

C = CAPIX50

CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,

C = CA

Crypto CA thread sleeps!

CI thread wakes up!6E(config)# $lab F3567C82D9D72346 serial ipaddress

CI thread sleeps!

ca enroll ciscoserver.nesa.lab F3567C82D9D72346 serial ipaddr$

%

% Start certificate enrollment ..

% The subject name in the certificate will be: PIX506E.nesa.lab

% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

PIX506E(config)#

CRYPTO_PKI: transaction PKCSReq completed

CRYPTO_PKI: status:

Crypto CA thread sleeps!

PIX506E(config)# Fingerprint: 437269d6 62eb2a2e 1bd850da 5532ca47

CRYPTO_PKI: http connection opened

The certificate enrollment request was denied by CA!

CRYPTO_PKI: received msg of 670 bytes

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

CRYPTO_PKI: signed attr: pki-message-type:

13 01 33

CRYPTO_PKI: signed attr: pki-status:

13 01 32

CRYPTO_PKI: signed attr: pki-recipient-nonce:

04 10 9a 66 93 fd ac 8b 9e f1 90 92 fb 18 a1 52 83 bc

CRYPTO_PKI: signed attr: pki-transaction-id:

13 20 66 38 61 37 33 30 64 63 35 38 63 65 30 64 33 31 38 65

37 65 62 36 39 30 37 61 66 63 31 61 65 35

CRYPTO_PKI: status = 101: certificate request is rejected

CRYPTO_PKI: All enrollment requests completed.

PIX506E(config)#

dhananjoy chowdhury · ‎07-27-2008

Access this link again and get the enrollment challenge password (this expires within 60mins)

http://11.11.11.26/certsrv/mscep

And now on the PIX try ca enroll again with this new password.

After that check the Application logs on the CA server.

Also check whether the time on the pix is correct.