PIX and Microsoft CA certificate Server

jcazila
Level 1

I am trying to configure Microsoft CA Certificate Server with the PIX, and I am unable to obtain the CA or RA certificate, so the certificate request fails.

I have followed the instructions I found in the Instutor site, but it doesn't work for me.

First, I installed the CA in standalone mode, and gave a certificate to it.

Later I took the cepsetup.exe from the Windows 2000 resource toolkit and installed SCEP support for Microsoft CA. I was requested to enter the information for a RA certificate, so I did. After resetting, of course, I typed the following commands from the PIX:

clock set "current time, the same as in the CA"

ip domain-name example.com

ip hostname pix

ca generate rsa key 512

ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll

ca configure alexnap ra 1 5 crloptional

and NOW.....

When I type ca authenticate alexnap I obtain the following:

sanjose(config)# ca authenticate alexnap

C

IC trhryeadp tsol eCeAp st!hread wakes up!

CRYPTO_PKI: http connection opened

PKI: key process suspended and continued

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting

certificate status

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting

certificate status

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: status = 0: failed to get ca name from cert

CRYPTO_PKI: can not set ra public key

CRYPTO_PKI: status = 0: failed to get ca name from cert

CRYPTO_PKI: can not set ra public key

CRYPTO_PKI: transaction GetCACert completed

Certificate has the following attributes:

Fingerprint: 8698efea 67ec44a8 5c3abb18 a3b3da54

CRYPTO_PKI: status = 0: failed to get ca name from cert

CRYPTO_PKI: can not set ra public key

CRYPTO_PKI: status = 0: failed to get ca name from cert

CRYPTO_PKI: can not set ra public key

Crypto CA thread sleeps!

CI thread wakes

INDICATING TO ME THAT THE RA AND CA PUBLIC KEYS COULD NOT BE SET.

NOW WHEN I REQUEST A CERTIFICATE..........I OBTAIN THE FOLLOWING MESSAGE FROM THE DEBUG CRYPTO CA..

sanjose(config)# CA ENROLL ALEXNAP CISCO

%

C%r Sytaprtto cCeAr titfihcraetaed enroll mweankt ..

% Thee subject names in utphe ce!rtificate will be: sanjose.softneteurope.com

CI thread sleeps!

CI thread wakes up!% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

sanjose(config)#

sanjose(config)#

sanjose(config)#

CRYPTO_PKI: transaction PKCSReq completed

CRYPTO_PKI: status:

Crypto CA thread sleeps!

CRYPTO_PKI: status = 0: failed to select RA encrypt cert

CRYPTO_PKI: status = 65535: failed to set up peer auth context

CRYPTO_PKI: status = 65535: fail to send out pkcsreq

CRYPTO__PKI: All sockets are closed.

WHAT IS GOING ON HERE? ANY HELP? OR SHOULD WE CHANGE THE CA, OR SHOULD WE CONSTRUCT THE VPN WITH WINDOWS 2000 (A SHAME)?
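The GetCACert step that the debug output above shows failing ("failed to get ca name from cert", "can not set ra public key") can be checked outside the PIX. The following is an added example, not code from this thread or from Cisco: it classifies a SCEP GetCACert reply by its Content-Type and DER structure, so that a reply carrying no RA certificate is caught before pointing an RA-mode PIX at it. The content types and the signedData OID are from the SCEP specification (RFC 8894); the sample bundle is constructed from placeholder SEQUENCEs, not real certificates.

```python
import hashlib

# SCEP GetCACert replies (RFC 8894): a bare CA cert, or a certificates-only PKCS#7 SignedData
# with CA + RA cert(s). 'ca configure ... ra' on the PIX means it expects the latter form.
CT_CA_ONLY, CT_CA_RA = "application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def fingerprint(der_cert):
    # Same format the PIX prints ('Fingerprint: 8698efea 67ec44a8 ...'): MD5 in four groups
    h = hashlib.md5(der_cert).hexdigest()
    return " ".join(h[i:i + 8] for i in range(0, 32, 8))

def der_tlv(buf, pos):
    # Decode one DER element at pos -> (tag, value, next_pos); handles long-form lengths
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def pkcs7_certs(body):
    # Certificates inside a degenerate SignedData, or None if body is not one
    tag, ci, _ = der_tlv(body, 0)                                  # ContentInfo
    t, oid, p = der_tlv(ci, 0) if tag == 0x30 else (None, None, 0)
    if t != 0x06 or oid != OID_SIGNED_DATA:
        return None
    _, sd, _ = der_tlv(der_tlv(ci, p)[1], 0)                      # [0] EXPLICIT -> SignedData
    p, certs = 0, []
    while p < len(sd):
        t, v, p = der_tlv(sd, p)
        if t == 0xA0:                                              # [0] IMPLICIT certificates
            q = 0
            while q < len(v):
                q2 = der_tlv(v, q)[2]
                certs.append(v[q:q2]); q = q2
    return certs

def check_getcacert(content_type, body):
    # -> (verdict, certs); 'bad' means an RA-mode PIX cannot use this reply
    if content_type == CT_CA_ONLY and body[:1] == b"\x30" and der_tlv(body, 0)[2] == len(body):
        return "ca-only", [body]
    certs = pkcs7_certs(body) if content_type == CT_CA_RA else None
    return ("ca+ra", certs) if certs and len(certs) >= 2 else ("bad", [])  # CA + >=1 RA cert

def der(tag, content):  # minimal DER encoder, only for the constructed sample below
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

# Constructed stand-ins for certificates (nested SEQUENCEs, not real X.509) and a PKCS#7 bundle
FAKE_CA, FAKE_RA_SIG, FAKE_RA_ENC = [der(0x30, der(0x30, bytes([2, 1, i]))) for i in (1, 2, 3)]
def ca_ra_bundle(certs):
    sd = der(0x30, der(2, b"\x01") + der(0x31, b"") + der(0x30, der(6, OID_SIGNED_DATA[:-1] + b"\x01"))
             + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return der(0x30, der(6, OID_SIGNED_DATA) + der(0xA0, sd))
```

Against a live server, fetch the reply with the GetCACert URL built from the `ca identity` path and pass its Content-Type header and raw body to `check_getcacert`; compare `fingerprint` of the CA cert with the value the PIX prints.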

3 Replies

tony
Level 1

One thing you should try if you can is to put the Microsoft Cert outside the firewall.

Two is on this line:

ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll

put a forward slash after the mscep.dll example:

ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll/

Because I had a similar issue myself. Hope that helps.

Tony Cooper

Thank you Tony, very kind of you, but it didn't work for me. Maybe there is a problem with versions. My mscep.dll is 5.131.2155.1. Do you have a different (more recent) version? In fact, reading the release notes for VPN client version 1.1, I found that VPN 1.1 will work only with version 5.131.2199.1, as far as I remember. Could you send me the version you have, so I could try with it?

Thank you again,

regards,

alexnap

OK, I found the solution for this problem. It was fairly simple. For those of you who have Windows 2000 in Spanish: cepsetup.exe works only with the English version of Windows NT 2000.
