Cisco Support Community
% No CA root cert exists. Use "ca authenticate"

Hi,

I am trying to configure the PIX to use certificates from a MS CA. I have it working fine with ASA5505 and 5510s, but when I try to get it working with a PIX 506E and 501 using 6.3, I get the message "% No CA root cert exists. Use 'ca authenticate'" after the ca enroll command.

Can someone give me a heads up on what I might be doing wrong.

Commands Used:

hostname Pix506e

domain-name nesa.lab

ca generate rsa key 512 (and I also tried 1024)

ca identity ciscoserver.nesa.lab 11.11.11.26

ca configure ciscoserver.nesa.lab ca 1 20 crloptional

ca authenticate ciscoserver.nesa.lab

ca enroll ciscoserver.nesa.lab 8EC4CEAD54268142 serial ipaddress

...and that is where "% No CA root cert exists. Use 'ca authenticate'" shows up.

Any help is appreciated.

7 REPLIES

Re: % No CA root cert exists. Use "ca authenticate"

Hi,

Please post the debug for "ca authenticate".


Re: % No CA root cert exists. Use "ca authenticate"

PIX506E(config)# debug crypto ca

PIX506E(config)# ca authenticate ciscoserver.nesa.lab

CI thread sleeps!

Crypto CA thread wakes up!

Certificate has the following attributes:

Fingerprint: 23d6b92b c7eb100f c1294e6b 124b7e75

CRYPTO_PKI: http connection opened

CRYPTO_PKI: transaction GetCACert completed

CRYPTO_PKI: Error: Invalid format for BER encoding while

CRYPTO_PKI: can not set ca cert object.

CRYPTO_PKI: status = 65535: failed to process RA certificate

Crypto CA thread sleeps!

PIX506E(config)# p!

Re: % No CA root cert exists. Use "ca authenticate"


Re: % No CA root cert exists. Use "ca authenticate"

Hi,

I changed it and it still does the same thing. I have included the debug for the ca authenticate again.

Thanks

PIX506E(config)#

PIX506E(config)# ca configure ciscoserver.nesa.lab ra 1 20 crloptional

PIX506E(config)# ca authenticate ciscoserver.nesa.lab

CI thread sleeps!

Crypto CA thread wakes up!

msgsym(GETCARACERT, CRYPTO)!

%Error in connection to Certificate Authority: status = FAIL

CRYPTO_PKI: http connection opened

CRYPTO_PKI: status = 266: failed to verify

CRYPTO_PKI: transaction GetCACert completed

Crypto CA thread sleeps!

PIX506E(config)# ca enroll ciscoserver.nesa.lab F3567C82D9D72346 serial ipaddr$

% No CA root cert exists. Use "ca authenticate"

PIX506E(config)#

PIX506E(config)#

Re: % No CA root cert exists. Use "ca authenticate"

There is a problem with the enrollment URL in the "ca identity" statement.

For your case it should be something like:

ca identity ciscoserver.nesa.lab 11.11.11.26:/certsrv/mscep/mscep.dll

The syntax is:

ca identity <ca_nickname> <ca_ipaddress>:/certsrv/mscep/mscep.dll

Please make this change and check.

Also share the debug and the output of "sh run | inc ca identity".


Re: % No CA root cert exists. Use "ca authenticate"

I made the changes and the following is what happened.

Thanks,

PIX506E(config)# ca zeroize rsa

PIX506E(config)# ca generate rsa key 512

Keypair generation process begin.

.Success.

Insert Selfsigned Certificate:

30 82 01 9f 30 82 01 49 02 20 66 38 61 37 33 30 64 63 35 38

63 65 30 64 33 31 38 65 37 65 62 36 39 30 37 61 66 63 31 61

65 35 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 4b 31

49 30 0f 06 03 55 04 05 13 08 33 30 32 63 35 61 66 35 30 17

06 03 55 04 03 13 10 50 49 58 35 30 36 45 2e 6e 65 73 61 2e

PIX506E(config)# 09 2a 86 48 86 f7 0d 01 09 02 16 10 50 49

PIX506E(config)# ca identity ciscoserver.nesa.lab 11.11.11.26:/certsrv/mscep/m$

PIX506E(config)# ca configure ciscoserver.nesa.lab ra 1 20 crloptional

PIX506E(config)# ca authenticate ciscoserver.nesa.lab

CI thread sleeps!

Crypto CA thread wakes up!

CRYPTO_PKI: http connection opened

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

Certificate has the following attributes:

Fingerprint: fb4f82b6 d1204e94 d83675a7 4f446c2c

CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,

C = CA

CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,

C = CA

CRYPTO_PKI: transaction GetCACert completed

CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,

C = CA

CRYPTO_PKI: Name: EA = student@nesa.lab, CN = Cisco2Student, OU = CSAIT, O = XXXXXXXX, L = XXXXXXX, ST = Ontario,

C = CA

Crypto CA thread sleeps!

CI thread wakes up!

CI thread sleeps!

PIX506E(config)# ca enroll ciscoserver.nesa.lab F3567C82D9D72346 serial ipaddress

%

% Start certificate enrollment ..

% The subject name in the certificate will be: PIX506E.nesa.lab

% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

PIX506E(config)#

CRYPTO_PKI: transaction PKCSReq completed

CRYPTO_PKI: status:

Crypto CA thread sleeps!

Fingerprint: 437269d6 62eb2a2e 1bd850da 5532ca47

CRYPTO_PKI: http connection opened

The certificate enrollment request was denied by CA!

CRYPTO_PKI: received msg of 670 bytes

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecting CRL

CRYPTO_PKI: signed attr: pki-message-type:

13 01 33

CRYPTO_PKI: signed attr: pki-status:

13 01 32

CRYPTO_PKI: signed attr: pki-recipient-nonce:

04 10 9a 66 93 fd ac 8b 9e f1 90 92 fb 18 a1 52 83 bc

CRYPTO_PKI: signed attr: pki-transaction-id:

13 20 66 38 61 37 33 30 64 63 35 38 63 65 30 64 33 31 38 65

37 65 62 36 39 30 37 61 66 63 31 61 65 35

CRYPTO_PKI: status = 101: certificate request is rejected

CRYPTO_PKI: All enrollment requests completed.

CRYPTO_PKI: All enrollment requests completed.

PIX506E(config)#
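The enrollment debug above prints the SCEP signed attributes of the CA's reply as raw hex TLVs. Decoded, pki-message-type "13 01 33" is PrintableString "3" (CertRep) and pki-status "13 01 32" is "2" (FAILURE), which is the same thing "status = 101: certificate request is rejected" says in words; no pki-fail-info attribute was printed, so the reason has to come from the CA side (the application log the next reply points to). The 32-character transaction ID, f8a730dc58ce0d318e7eb6907afc1ae5, is also the serial number (02 20 ...) of the self-signed certificate the PIX printed after "ca generate rsa key". The script below is an added example, not from the thread or from Cisco: it pulls those attribute lines out of a "debug crypto ca" excerpt and maps the values to their SCEP names. The excerpt is copied from the thread; the value tables are the ones defined by the SCEP specification (RFC 8894), and the TLV handling assumes the short-form lengths the PIX prints for these attributes.

```python
"""Decode the SCEP signed attributes that `debug crypto ca` prints as hex TLVs.

Added example, not from the thread. DEBUG_EXCERPT is copied from the posted
"ca enroll" debug; the name tables are SCEP's (RFC 8894).
"""
import re

MESSAGE_TYPES = {"3": "CertRep", "19": "PKCSReq", "20": "GetCertInitial",
                 "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
             "3": "badTime", "4": "badCertId"}

ATTR_LINE = re.compile(r"signed attr: (pki-[a-z-]+):")
HEX_LINE = re.compile(r"^(?:[0-9a-f]{2}\s*)+$", re.I)

# Copied from the "ca enroll" debug in the thread (blank lines between lines are tolerated).
DEBUG_EXCERPT = """\
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 9a 66 93 fd ac 8b 9e f1 90 92 fb 18 a1 52 83 bc
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 66 38 61 37 33 30 64 63 35 38 63 65 30 64 33 31 38 65
37 65 62 36 39 30 37 61 66 63 31 61 65 35
CRYPTO_PKI: status = 101: certificate request is rejected
"""


def parse_signed_attrs(text):
    """Collect {attribute name: 'hex bytes'} from a debug excerpt; hex may span several lines."""
    attrs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ATTR_LINE.search(line)
        if m:
            current = m.group(1)
            attrs[current] = ""
        elif current and HEX_LINE.match(line):
            attrs[current] = (attrs[current] + " " + line).strip()
        elif line:
            current = None  # any other non-empty line ends the attribute's hex dump
    return attrs


def decode_attr(name, hexdump):
    """Interpret one short-form TLV as printed by the PIX, e.g. '13 01 32' -> 'FAILURE'."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 2 or raw[1] >= 0x80 or len(raw) != 2 + raw[1]:
        raise ValueError("not a well-formed short-form TLV: %r" % hexdump)
    tag, value = raw[0], raw[2:]
    if tag == 0x13:  # PrintableString: SCEP encodes messageType/pkiStatus/failInfo/transactionID this way
        text = value.decode("ascii")
        table = {"pki-message-type": MESSAGE_TYPES, "pki-status": PKI_STATUS,
                 "pki-fail-info": FAIL_INFO}.get(name)
        return table.get(text, "unknown(%s)" % text) if table else text
    return value.hex()  # OCTET STRING (nonces) and anything else: show the bytes


def summarize_certrep(attrs):
    """Decode every attribute and add a one-line verdict for a CertRep."""
    out = {name: decode_attr(name, hexdump) for name, hexdump in attrs.items()}
    if out.get("pki-message-type") == "CertRep":
        status = out.get("pki-status")
        if status == "FAILURE":
            out["verdict"] = ("CA rejected the request; failInfo=%s" % out["pki-fail-info"]
                              if "pki-fail-info" in out
                              else "CA rejected the request; no failInfo sent, check the CA's application log")
        elif status == "PENDING":
            out["verdict"] = "request awaits manual approval; the client polls with GetCertInitial"
        elif status == "SUCCESS":
            out["verdict"] = "certificate issued"
    return out


if __name__ == "__main__":
    for k, v in summarize_certrep(parse_signed_attrs(DEBUG_EXCERPT)).items():
        print("%-22s %s" % (k, v))
```

Paste any "debug crypto ca" enrollment output into DEBUG_EXCERPT (or read it from a file) to get the same summary; a reply whose pki-status decodes to PENDING rather than FAILURE means the CA is set to manual approval, not that the challenge password was wrong.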

Re: % No CA root cert exists. Use "ca authenticate"

Access this link again and get the enrollment challenge password (it expires within 60 minutes):

http://11.11.11.26/certsrv/mscep

And now on the PIX try ca enroll again with this new password.

After that, check the Application logs on the CA server.

Also check whether the time on the PIX is correct.
