Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX and Microsoft CA certificate Server

I am trying to configure microsoft CA Certificate Server with the PIX, and I am unable to obtain the CA or RA certificate, so, the certificate request fails.

I have followed the instructions I found in the Instutor site, but it doesn't work for me.

First, I installed the CA in standalone mode, and gave a certificate to it.

Later I took the cepsetup.exe from the Windows 2000 resource toolkit and intalled SCEP support for Microsoft CA. I was requested to enter the information for a RA certificate, so I did. After reseting, of course, I typed the following commands from the pix:

clock set "current time, the same as in the CA"

ip domain-name example.com

ip hostname pix

ca generate rsa key 512

ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll

ca configure alexnap ra 1 5 crloptional

and NOW.....

when I type ca authenticate alexnap I obtanin the following

sanjose(config)# ca authenticate alexnap

C

IC trhryeadp tsol eCeAp st!hread wakes up!

CRYPTO_PKI: http connection opened

PKI: key process suspended and continued

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting

certificate status

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting

certificate status

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: status = 0: failed to get ca name from cert

CRYPTO_PKI: can not set ra public key

CRYPTO_PKI: status = 0: failed to get ca name from cert

CRYPTO_PKI: can not set ra public key

CRYPTO_PKI: transaction GetCACert completed

Certificate has the following attributes:

Fingerprint: 8698efea 67ec44a8 5c3abb18 a3b3da54

CRYPTO_PKI: status = 0: failed to get ca name from cert

CRYPTO_PKI: can not set ra public key

CRYPTO_PKI: status = 0: failed to get ca name from cert

CRYPTO_PKI: can not set ra public key

Crypto CA thread sleeps!

CI thread wakes

INDICATING ME THAT THE RA AND CA PUBLIC KEYS COULD NOT BE SET.

NOW WHEN I REQUEST A CERTIFICATE..........I OBTAIN THE FOLLOWING MESSAGE FROM THE DEBUG CRYPTO CA..

sanjose(config)# CA ENROLL ALEXNAP CISCO

%

C%r Sytaprtto cCeAr titfihcraetaed enroll mweankt ..

% Thee subject names in utphe ce!rtificate will be: sanjose.softneteurope.com

CI thread sleeps!

CI thread wakes up!% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

sanjose(config)#

sanjose(config)#

sanjose(config)#

CRYPTO_PKI: transaction PKCSReq completed

CRYPTO_PKI: status:

Crypto CA thread sleeps!

CRYPTO_PKI: status = 0: failed to select RA encrypt cert

CRYPTO_PKI: status = 65535: failed to set up peer auth context

CRYPTO_PKI: status = 65535: fail to send out pkcsreq

CRYPTO__PKI: All sockets are closed.

WHAT IS GOING ON HERE, ANY HELP, OR SHOULD WE CHANGE THE CA OR SHOULD WE CONSTRUCT THE VPN WITH WINDOWS 2000 ( A SHAME)

3 REPLIES
New Member

Re: PIX and Microsoft CA certificate Server

One thing you should try if you can is to put the Microsoft Cert outside the firewall.

Two is on this line:

ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll

put a forward slash after the mscep.dll example:

ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll/

Because I had the similar issue myself. Hope that helps

Tony Cooper

New Member

Re: PIX and Microsoft CA certificate Server

thank you tony, very kind of you but, it didn't work for me. May be there is s problem with versions. My mscep.dll is 5.131.2155.1. do you have a diferent (more recent version?). In fact, reading the releases for VPN client version 1.1, I found that VPN 1.1 will work only with version 5.131.2199.1, aas long as I remember. could you send me the version you have, so I could try with it?.

thank you again,

regards,

alexnap

New Member

Re: PIX and Microsoft CA certificate Server

Ok, I found the solution for this problem. It was fairly simple. for you who have the Windows 2000 in spanish, the cetsetup.exe works only with the english version of windows Nt 2000.

693
Views
0
Helpful
3
Replies
CreatePlease login to create content