Cisco Support Community
New Member

PIX 525 - MS Win 200 CA - Pix does not authenticate CA

Hi,

I am using MS Certificate Server on a Windows 2000 server to issue certificates. I've installed the resource kit add-on MSCEP. I've looked at Cisco's technical documentation to configure my PIX.

Pix IOS version is 6.3.

ca gen rsa 1024 -> Success

ca ident cavpn <CA_IP_ADDRESS>:/certsrv/mscep/mscep.dll

ca conf cavpn 1 20 crlopt

ca auth cavpn -> nothing occurs

ca enroll cavpn -> error message: no root certificate -> you must do ca authenticate before

I've used debug commands to figure out what happens:

debug crypto ca:

CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!

debug packet between PIX and CA:

--------- PACKET ---------- IP --
<PIX IP ADDRESS> ==> <CA IP ADDRESS>
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x81
id = 0x8902 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x6 chksum = 0xe3e
-- TCP --
source port = 0x422 dest port = 0x50
ack psh
seq = 0x42051996
ack = 0x2e9b0773
hlen = 0x5 window = 0x1000
checksum = 0x53c8 urg = 0x0
-- DATA --
00000028: 47 45 54 20 2f 63 65 72 74 73 72 76 2f 6d 73 63 | GET /certsrv/msc
00000038: 65 70 2f 6d 73 63 65 70 2e 64 6c 6c 2f 70 6b 69 | ep/mscep.dll/pki
00000048: 63 6c 69 65 6e 74 2e 65 78 65 3f 6f 70 65 72 61 | client.exe?opera
00000058: 74 69 6f 6e 3d 47 65 74 43 41 43 65 72 74 26 6d | tion=GetCACert&m

--------- PACKET --------- -- IP --
<CA IP ADDRESS> ==> <PIX IP ADDRESS>
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x126
id = 0x1157 flags = 0x40 frag off=0x0
ttl = 0x7f proto=0x6 chksum = 0xc544
-- TCP --
source port = 0x50 dest port = 0x422
ack psh
seq = 0x2e9b0773
ack = 0x420519ef
hlen = 0x5 window = 0x4417
checksum = 0x59fd urg = 0x0
-- DATA --
00000020: 48 54 54 50 2f 31 2e 31 | HTTP/1.1
00000030: 20 34 30 34 20 4f 62 6a 65 63 74 20 4e 6f 74 20 | 404 Object Not
00000040: 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 4d | Found..Server: M
00000050: 69 63 72 6f 73 6f 66 74 2d 49 49 53 2f 35 2e 30 | icrosoft-IIS/5.0
00000060: 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 31 20 | ..Date: Wed, 21
00000070: 4a 61 6e 20 32 30 30 34 20 31 36 3a 34 39 3a 32 | Jan 2004 16:49:2
00000080: 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 | 0 GM

So it seems that IIS answers Object Not Found.

So I've used Internet Explorer to reach: http://CA_IP_ADDRESS/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=msca

And I received the CA certificate ...

I've spent my whole afternoon browsing forums to find a solution, and didn't find anything. Any help will be welcome.

Michel
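The two debug packet frames in this post can be decoded back into the HTTP exchange with a small parser, which makes it easy to see exactly what the PIX asked for and what IIS answered. This is an added example, not code from the original post or from Cisco; the dump lines embedded in it are copied from the frames above (the PIX prints only the first bytes of each segment, so the request is cut off after "&m" and the reply after its first headers), and the content-type check follows the SCEP GetCACert response types (application/x-x509-ca-cert and application/x-x509-ca-ra-cert).

```python
import re
# Constructed sample: the DATA lines of the two PIX "debug packet" frames quoted
# in the thread (PIX -> CA request, then the CA's reply), as the PIX printed them.
PIX_TO_CA = """\
00000028: 47 45 54 20 2f 63 65 72 74 73 72 76 2f 6d 73 63 | GET /certsrv/msc
00000038: 65 70 2f 6d 73 63 65 70 2e 64 6c 6c 2f 70 6b 69 | ep/mscep.dll/pki
00000048: 63 6c 69 65 6e 74 2e 65 78 65 3f 6f 70 65 72 61 | client.exe?opera
00000058: 74 69 6f 6e 3d 47 65 74 43 41 43 65 72 74 26 6d | tion=GetCACert&m
"""
CA_TO_PIX = """\
00000020: 48 54 54 50 2f 31 2e 31 | HTTP/1.1
00000030: 20 34 30 34 20 4f 62 6a 65 63 74 20 4e 6f 74 20 | 404 Object Not
00000040: 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 4d | Found..Server: M
00000050: 69 63 72 6f 73 6f 66 74 2d 49 49 53 2f 35 2e 30 | icrosoft-IIS/5.0
"""

# A DATA line is: 8-hex-digit offset, ':', hex bytes, '|', lossy ASCII rendering.
# Only the hex column is trusted; the ASCII column replaces CR/LF with dots.
HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]{8}:\s+((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})\s*\|")

def dump_to_bytes(dump: str) -> bytes:
    """Reassemble the TCP payload from PIX 'debug packet' DATA lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)

def scep_request_summary(payload: bytes) -> dict:
    """Extract method, path and SCEP 'operation' from the request line the PIX sent."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    path, _, query = target.partition("?")
    params = dict(kv.partition("=")[::2] for kv in query.split("&") if kv)
    return {"method": parts[0], "path": path, "operation": params.get("operation")}

def scep_response_summary(payload: bytes) -> dict:
    """Classify the CA's reply: a working GetCACert answers 200 with a SCEP CA-cert type."""
    status_line, _, rest = payload.partition(b"\r\n")
    parts = status_line.decode("ascii", "replace").split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {k.strip().lower(): v.strip() for k, sep, v in
               (h.decode("ascii", "replace").partition(":") for h in rest.split(b"\r\n")) if sep}
    ctype = headers.get("content-type")
    ok = code == 200 and ctype is not None and ctype.startswith("application/x-x509-ca")
    return {"status": code, "reason": parts[2] if len(parts) > 2 else "",
            "server": headers.get("server"), "ca_cert_returned": ok}
```

Running the same two functions over a capture of the Internet Explorer request that succeeded would show where the two transactions diverge (path, query string, or the status IIS returns).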

2 REPLIES
Cisco Employee

Re: PIX 525 - MS Win 200 CA - Pix does not authenticate CA

Your "ca conf" command should be the following:

ca configure cavpn ra 1 20 crloptional

Note the "ra" in there; you seem to have left that out. If you've been putting "ca" here then this is wrong for an MS CA server; they act as an RA and so the PIX needs to specify that. Also make sure your CA server is set up as a Standalone root CA, not a subordinate one, otherwise it'll fail.

See this (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/sit2site.htm#1006943) for details.

New Member

Re: PIX 525 - MS Win 200 CA - Pix does not authenticate CA

Actually, my ca conf is exactly this one with the "ra" in it. If it does not appear in my posting, it is a typing mistake. I'd better use cut/paste next time instead of typing it ... :)

By the way, if you don't type the ca or ra in the conf command, the syntax is incorrect, and the PIX refuses it.

So I still have my problem: certsrv answers Object Not Found to the PIX auth request, and the same request issued with IE gives a correct result.
