PIX, IPSec Certs, MS CA Server and CRL - Is it really supposed to work?!?!?

I've been trying to get my PIX to talk to a Microsoft CA Server and be able to use CRLs. I'm coming to the conclusion that this really is not a feasible option.

I can get the PIX to use an MS CA Server with the CRL Optional parameter, though what is the point in not using the CRL? The main reason I want to use certs is the ability to revoke a certificate and make it so the user no longer has access to the network, and so the users don't need to remember a user name and password, which can be shared.

There are a bunch of unknowns with the way this is supposed to work.

The MS CA Server is set up as a standalone CA root server. This is because the Enterprise CA Server will automatically issue a cert to anyone who wants one regardless of who is asking for it. The standalone will allow you to approve requests as they are asked.

The standalone will not publish the CRL to the AD via the Exit Module. The option is grayed out. So I'm not sure the CRL is getting to the AD.

I'm currently getting the following error when requesting a CRL from my CA:

    CI thread sleeps!
    Crypto CA thread wakes up!
    CRYPTO_PKI: Can not get name ava count
    CRYPTO_PKI: transaction GetCRL completed
    Crypto CA thread sleeps!

The CRL Distribution points in the Cert assigned to the PIX are:

    [1]CRL Distribution Point
        Distribution Point Name:
            Full Name:
                URL=ldap:///CN=vpnca,CN=caserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=OURDOMAIN,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
    [2]CRL Distribution Point
        Distribution Point Name:
            Full Name:
                URL=http://caserver.ourdomain.com/CertEnroll/vpnca.crl

I believe the PIX used LDAP to get the CRL, though I'm not sure how it contacts the server.

I've added the 'names' command and added the command

name <ip> caserver.ourdomain.com

I can ping caserver.ourdomain.com and it replies, so I know it can reach the server that way.

I'm about ready to file chapter 11 on this whole project...

Scott<-
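The two CRL distribution points pasted above, pulled apart by a short added Python script (this is an example added to the thread, not code from the original post or from any Cisco or Microsoft tool; the URLs are copied verbatim from the post, and caserver.ourdomain.com and the DC=OURDOMAIN DN are the post's own placeholders). It makes one difference between the two DPs visible that bears on the "how it contacts the server" question: the LDAP URL starts with `ldap:///`, so it names no directory server at all and a client that picks it has to locate a DC on its own, while the HTTP URL names caserver.ourdomain.com, the host the `name` command above resolves.

```python
"""Parse the CRL Distribution Point (CDP) URLs out of a certificate dump.

Added example, not part of the original post: shows what each CDP URL
actually tells a client and which one can be reached with only a hostname.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit, unquote

# Constructed sample: the CDP extension exactly as pasted in the post above.
# caserver.ourdomain.com and DC=OURDOMAIN,DC=com are the post's placeholders.
CDP_DUMP = """\
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=vpnca,CN=caserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=OURDOMAIN,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
[2]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://caserver.ourdomain.com/CertEnroll/vpnca.crl
"""


@dataclass
class CrlDistributionPoint:
    url: str
    scheme: str
    host: Optional[str]           # None when the URL names no server (ldap:///...)
    target: str                   # LDAP: DN of the CRL object; HTTP: the URL path
    ldap_attribute: Optional[str] = None
    ldap_scope: Optional[str] = None
    ldap_filter: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_cdp_url(url: str) -> CrlDistributionPoint:
    """Split one CDP URL into its parts.

    LDAP URLs follow RFC 4516: ldap://host/dn?attributes?scope?filter.
    urlsplit() stops at the first '?', so the remaining '?'-separated
    fields are recovered from .query here.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or None          # hostname is None for an empty authority

    if scheme == "ldap":
        dn = unquote(parts.path.lstrip("/"))   # %20 -> space, as ADSI Edit shows it
        dp = CrlDistributionPoint(url, scheme, host, dn)
        attribute, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]
        dp.ldap_attribute = attribute or None
        dp.ldap_scope = scope or "base"        # RFC 4516 default scope
        dp.ldap_filter = filt or None
        if host is None:
            dp.warnings.append(
                "ldap:/// names no server: the client must find a directory "
                "server (e.g. a domain DC) by itself")
        if dp.ldap_attribute != "certificateRevocationList":
            dp.warnings.append("LDAP attribute is not certificateRevocationList")
    elif scheme == "http":
        dp = CrlDistributionPoint(url, scheme, host, parts.path)
        if host is None:
            dp.warnings.append("HTTP URL has no host")
        if not parts.path.lower().endswith(".crl"):
            dp.warnings.append("HTTP path does not end in .crl")
    else:
        dp = CrlDistributionPoint(url, scheme, host, parts.path)
        dp.warnings.append(f"unsupported CDP scheme {scheme!r}")
    return dp


def parse_cdp_dump(text: str) -> List[CrlDistributionPoint]:
    """Pick the URL= lines out of a certificate dump and parse each one."""
    return [parse_cdp_url(line.split("=", 1)[1].strip())
            for line in text.splitlines()
            if line.strip().startswith("URL=")]


def usable_with_dns_only(dps: List[CrlDistributionPoint]) -> List[CrlDistributionPoint]:
    """DPs a client can fetch knowing only how to resolve a hostname
    (the situation the 'name <ip> caserver.ourdomain.com' entry sets up)."""
    return [dp for dp in dps if dp.host]


if __name__ == "__main__":
    for i, dp in enumerate(parse_cdp_dump(CDP_DUMP), 1):
        print(f"[{i}] {dp.scheme} host={dp.host!r} target={dp.target!r}")
        if dp.scheme == "ldap":
            print(f"    attribute={dp.ldap_attribute} scope={dp.ldap_scope} "
                  f"filter={dp.ldap_filter}")
        for w in dp.warnings:
            print(f"    WARNING: {w}")
```

Run against the post's two URLs, the LDAP entry comes back with `host=None` and a warning, and the HTTP entry is the only one `usable_with_dns_only()` returns. The same split also gives the decoded DN (`CN=Public Key Services` instead of `%20`) that one would paste into ADSI Edit to confirm the CRL object exists.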

3 REPLIES

Re: PIX, IPSec Certs, MS CA Server and CRL - Is it really supposed to work?!?!?

The PIX currently only supports one CRL DP, and it should be the CA server where it got its certificate.

It should show in the certificate where it polls for CRLs:

CN = CA, OU = VSECBU, O = Cisco, C = US

Check whether your CA server is also your CRL DP.

The PIX will get the right CRL DP during ISAKMP negotiation and during automatic update, but will only get the CRL from the CA server if you manually issue ca crl request.

Can you check whether, initially after getting a certificate, the PIX certificate has the DP? Then check the certificate again after doing a ca crl request. If the DP is lost after requesting it manually, then we are hitting a bug.


Re: PIX, IPSec Certs, MS CA Server and CRL - Is it really supposed to work?!?!?

My CA Server is a Win2000 AD DC, and the CA Server is running in Standalone Root mode, though the info from the CA is stored in AD.

I can use ADSI Edit to go through the AD via the URI of the LDAP DP and see that the CRL object is in the AD.

How do I know if the PIX has the DP? I can look at the cert assigned to the PIX on the CA Server and it has the HTTP and the LDAP DP.

If the PIX only supports one DP, could it be looking at the HTTP DP, as it's listed first, and then error out since it's not LDAP?

Thank you for your assistance.

Scott<-


Re: PIX, IPSec Certs, MS CA Server and CRL - Is it really supposed to work?!?!?

Same setup, same problem! Do you have a solution for this problem already?

Thanks!

Bert Koelewijn
