PIX fails on "ca authenticate" command

sam
Level 1

Trying to do a "ca authenticate" on PIX 506 running 6.1.1 software, in order to get a certificate from a Microsoft CA server

ca identity stage 172.16.0.7:/certsrv/mscep/mscep.dll

ca configure stage ra 1 20

ca authenticate stage

The debug output is:

Error is

CRYPTO_PKI: status = 266: failed to verify

CRYPTO_PKI: transaction GetCACert completed

I put a sniffer on this communication and it appears that the PIX is trying to go to 172.16.0.7:/certsrv/mscep/mscep.dll/pkiclient.exe.

In other words, the PIX is adding a "pkiclient.exe" to the end of the URL no matter what. The Microsoft CA server does not have a pkiclient.exe file.

Any ideas what to do next?

7 Replies

Nairi Adamian
Cisco Employee

The error message you are getting indicates that incorrect URL syntax was used.

Can you try modifying the URL to this:

172.16.0.7:/certserv/mscep/mscep.dll

seems like you are missing the "e" in certserv.

Hope this helps,

-Nairi

Ummmm, no.

certsrv is correct. You can easily verify that by looking at Microsoft Certificate Server.

Thanks anyways.

You know this problem is exasperating! How can Microsoft have a server which uses mscep.dll, and then the Cisco PIX requires it to be called pkiclient.exe? There is a major disconnect between these two vendors. Or I am missing something (which I probably am!).

Really don't know what is happening but I did exactly the same with my pix 515 (6.11) and my Microsoft CA and it worked out.

I gave these commands:

ca generate rsa key 1024

ca identity myca 10.1.1.60:/certsrv/mscep/mscep.dll

ca configure myca ra 1 20 crloptional

ca authenticate myca

ca enroll myca password

Although the error you are seeing does not seem to be a CA error, are you sure you installed the MSCEP correctly? Did you enable anonymous access to the mscep virtual directory?

Hope it helps.

C.

Anonymous access is allowed for the website.

The question remains "Why should pkiclient.exe appear anywhere in the http communication?" As you can see, the URL points to :/certsrv/mscep/mscep.dll, which obviously makes no reference to pkiclient.exe.

Of course, the fact that you say that you can make this work indicates that the problem is on my end. The only difference here is that you used a pix 515 and I have a pix 506.

gfullage
Cisco Employee

If you browse to http://172.16.0.7/certsrv/mscep/mscep.dll, do you get a web page showing a fingerprint? If not, then the PIX is not going to be able to download the cert.

Your config looks correct. You did do a "cry gen rsa key xxx" command before this, correct? Not sure what the pkiclient.exe stuff is, never noticed that in a Sniffer trace before, but it definitely does work, I've done it 100s of times.
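The "pkiclient.exe" in the sniffer trace and the fingerprint page mentioned above are both explained by the SCEP protocol the PIX speaks. The following is an added example, not code from the thread or from Cisco: it builds the GetCACert request a SCEP client derives from the `ca identity` URL (the SCEP request syntax is from RFC 8894; the host and path are the ones quoted in the question) and checks a reply the way a defender would, by content type and by fingerprint. The HTTP response bodies are constructed test data, not real certificates.

```python
import hashlib
from urllib.parse import quote


def scep_getcacert_url(identity_url: str, ca_ident: str) -> str:
    """Turn a PIX 'ca identity' URL into the SCEP GetCACert request.

    SCEP clients append pkiclient.exe to the configured CGI path, so
    '172.16.0.7:/certsrv/mscep/mscep.dll' becomes
    http://172.16.0.7/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=<ca>
    On a Microsoft CA, IIS maps that path onto mscep.dll; there is no
    such file on disk, which is why the sniffer trace looks surprising.
    """
    host, _, path = identity_url.partition(":")
    return (f"http://{host}/{path.lstrip('/')}/pkiclient.exe"
            f"?operation=GetCACert&message={quote(ca_ident)}")


# GetCACert replies SCEP allows: CA-only mode returns one DER certificate,
# RA mode (what 'ca configure <name> ra ...' asks for) returns a degenerate
# PKCS#7 carrying the CA and RA certificates.
_KNOWN_TYPES = {
    "application/x-x509-ca-cert": "ca-cert",
    "application/x-x509-ca-ra-cert": "ca-ra-pkcs7",
}


def classify_ca_response(content_type: str, body: bytes) -> dict:
    """Check a GetCACert reply before trusting it.

    Anything that is not a DER object under one of the SCEP content types
    (an HTML error page, a redirect, a login form) cannot be verified by the
    client. For a good reply, return the MD5 and SHA-1 fingerprints of the
    DER bytes so they can be compared with the value the CA's own web page
    shows (an out-of-band check that the right CA answered).
    """
    kind = _KNOWN_TYPES.get(content_type.split(";")[0].strip().lower())
    if kind is None or not body.startswith(b"\x30"):  # 0x30 = DER SEQUENCE
        return {"ok": False, "kind": kind, "reason": "not a DER CA response"}
    return {
        "ok": True,
        "kind": kind,
        "md5": hashlib.md5(body).hexdigest(),
        "sha1": hashlib.sha1(body).hexdigest(),
    }


# Constructed sample bodies (assumed, not captured from a real server).
SAMPLE_DER = b"\x30\x05\x02\x03\x01\x02\x03"
SAMPLE_HTML = b"<html><body>404 Not Found</body></html>"
```

Feeding the URL from the question into `scep_getcacert_url` reproduces exactly the `.../mscep.dll/pkiclient.exe` path seen in the trace, which shows it is protocol behaviour rather than a misconfiguration.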

Yes, I do get that web page.

Did you use a PIX 506 ?

After talking to TAC, it looks like the solution should be:

1. Uninstall everything

2. Install Certification Server. Reboot

3. Install MSCEP. Reboot

It seems likely that the Microsoft server is the problem (although I HAD installed the MSCEP already and it wasn't working).

In other words, the solution is to "reboot more often" during the Microsoft installation.

I consider this issue closed now. Thanks for everyone's help.
