10-16-2002 09:19 AM - edited 02-20-2020 10:18 PM
Trying to do a "ca authenticate" on PIX 506 running 6.1.1 software, in order to get a certificate from a Microsoft CA server
ca identity stage 172.16.0.7:/certsrv/mscep/mscep.dll
ca configure stage ra 1 20
ca authenticate stage
The debug output is:
Error is
CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
I put a sniffer on this communication and it appears that the PIX is trying to go to 172.16.0.7:/certsrv/mscep/mscep.dll/pkiclient.exe.
In other words, the PIX is adding a "pkiclient.exe" to the end of the URL no matter what. The microsoft ca server does not have a pkiclient.exe file.
Any ideas what to do next?
10-16-2002 03:55 PM
The error message you are getting indicates that incorrect URL syntax was used.
Can you try modifying the URL to this:
172.16.0.7:/certserv/mscep/mscep.dll
Seems like you are missing the "e" in certserv.
Hope this helps,
-Nairi
10-16-2002 04:52 PM
Ummmm, no.
certsrv is correct. You can easily verify that by looking at Microsoft Certificate Server.
Thanks anyways.
You know this problem is exasperating! How can Microsoft have a server which uses mscep.dll, and then the cisco pix requires it to be called pkiclient.exe? There is a major disconnect between these two vendors. Or I am missing something (which I probably am!).
10-19-2002 09:23 AM
Really don't know what is happening but I did exactly the same with my pix 515 (6.11) and my Microsoft CA and it worked out.
I gave these commands:
ca generate rsa key 1024
ca identity myca 10.1.1.60:/certsrv/mscep/mscep.dll
ca configure myca ra 1 20 crloptional
ca authenticate myca
ca enroll myca password
Although the error you are seeing does not seem to be a CA error, are you sure you installed the mscep correctly? Did you enable anonymous access to the mscep virtual directory?
Hope it helps.
C.
10-22-2002 12:14 PM
Anonymous access is allowed for the website.
The question remains "Why should pkiclient.exe appear anywhere in the http communication?" As you can see, the URL points to :/certsrv/mscep/mscep.dll, which obviously makes no reference to pkiclient.exe.
Of course, the fact that you say that you can make this work indicates that the problem is on my end. The only difference here is that you used a pix 515 and I have a pix 506.
10-22-2002 10:05 PM
If you browse to http://172.16.0.7/certsrv/mscep/mscep.dll, do you get a web page showing a fingerprint? If not then the PIX is not going to be able to download the cert.
Your config looks correct, you did do a "cry gen rsa key xxx" command before this, correct? Not sure what the pkiclient.exe stuff is, never noticed that in a Sniffer trace before, but it definitely does work, I've done it 100s of times.
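The fingerprint page mentioned above is the out-of-band check that makes "ca authenticate" safe: the CA certificate the PIX downloads over plain HTTP should be compared against a fingerprint obtained some other way before it is trusted. The following script is an added example (not part of this thread, and not Cisco or Microsoft code) that does the same comparison offline: it builds the SCEP GetCACert URL from a PIX-style "ca identity" value, extracts the certificate(s) from a GetCACert response, and prints their fingerprints. It assumes the GetCACert query format and response content types from the SCEP specification (RFC 8894); the sample response it parses is constructed inline with placeholder "certificates", not a capture from a real MSCEP server.

```python
"""Offline check of a SCEP GetCACert response: pull the CA/RA certificate(s)
out of the response body and print fingerprints for out-of-band comparison.
Added example; assumes RFC 8894 GetCACert semantics, not PIX/MSCEP internals."""
from __future__ import annotations

import hashlib
from urllib.parse import urlencode

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def getcacert_url(enrollment_url: str, ca_ident: str = "") -> str:
    """Build the SCEP GetCACert request URL (RFC 8894 section 4.2.1).
    Accepts the PIX 'ca identity' form host:/path (no scheme) or a full URL."""
    if "://" in enrollment_url:
        url = enrollment_url
    else:
        url = "http://" + enrollment_url.replace(":/", "/", 1)
    return url + "?" + urlencode({"operation": "GetCACert", "message": ca_ident})


# --- minimal DER helpers (enough for a certificates-only SignedData) ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_walk(data: bytes):
    """Yield (tag, content) for each top-level TLV element in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def _certs_from_degenerate_pkcs7(der: bytes) -> list[bytes]:
    """Extract certificates from a certificates-only PKCS#7/CMS SignedData."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    (tag, content_info), = der_walk(der)
    if tag != 0x30:
        raise ValueError("response is not a DER SEQUENCE")
    items = list(der_walk(content_info))
    if items[0][0] != 0x06 or items[0][1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData")
    (_, signed_data), = der_walk(items[1][1])  # unwrap [0] EXPLICIT
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #                           certificates [0] IMPLICIT SET OF Certificate, ... }
    for tag, content in der_walk(signed_data):
        if tag == 0xA0:
            return [der_tlv(0x30, c) for t, c in der_walk(content) if t == 0x30]
    return []


def certs_from_getcacert(content_type: str, body: bytes) -> list[bytes]:
    """Return DER certificate(s) from a GetCACert response (RFC 8894 4.2.1.1)."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/x-x509-ca-cert":      # CA only: a single DER certificate
        return [body]
    if ct == "application/x-x509-ca-ra-cert":   # CA plus RA: degenerate SignedData
        return _certs_from_degenerate_pkcs7(body)
    raise ValueError(f"unexpected Content-Type {content_type!r}")


def fingerprints(cert_der: bytes) -> dict[str, str]:
    """Hex fingerprints of a DER certificate, for comparison with the CA's page."""
    return {name: hashlib.new(name, cert_der).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def build_sample_ca_ra_response() -> tuple[str, bytes]:
    """Constructed sample, not a capture: a certificates-only SignedData carrying
    two placeholder 'certificates' (stand-in SEQUENCEs, not real X.509)."""
    fake_ca = der_tlv(0x30, der_tlv(0x04, b"placeholder CA cert"))
    fake_ra = der_tlv(0x30, der_tlv(0x04, b"placeholder RA cert"))
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x01")                         # version 1
        + der_tlv(0x31, b"")                           # digestAlgorithms: empty SET
        + der_tlv(0x30, der_tlv(0x06, OID_DATA))       # encapContentInfo: id-data
        + der_tlv(0xA0, fake_ca + fake_ra)             # certificates [0] IMPLICIT
        + der_tlv(0x31, b""))                          # signerInfos: empty SET
    content_info = der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))
    return "application/x-x509-ca-ra-cert", content_info


if __name__ == "__main__":
    print("GetCACert request:", getcacert_url("172.16.0.7:/certsrv/mscep/mscep.dll"))
    ct, body = build_sample_ca_ra_response()
    for i, cert in enumerate(certs_from_getcacert(ct, body)):
        fp = fingerprints(cert)
        print(f"cert {i}: md5={fp['md5']} sha1={fp['sha1']}")
```

In use, the body fed to certs_from_getcacert would be the raw bytes returned by the GetCACert URL and the fingerprint compared with the one the CA administrator publishes; a mismatch means the PIX should not be told to accept the certificate at the "ca authenticate" prompt.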
10-23-2002 06:31 AM
Yes, I do get that web page.
Did you use a PIX 506?
10-31-2002 06:27 AM
After talking to TAC, it looks like the solution should be:
1. Uninstall everything
2. Install Certification Server. Reboot
3. Install MSCEP. Reboot
It seems likely that the microsoft server is the problem (although I HAD installed the mscep already and it wasn't working.)
In other words, the solution is to "reboot more often" during the microsoft installation.
I consider this issue closed now. Thanks for everyone's help.