PIX, IPSec Certs, MS CA Server and CRL - Is it really supposed to work?!?!?
I've been trying to get my PIX to talk to a Microsoft CA Server and be able to use CRLs. I'm coming to the conclusion that this really is not a feasible option.
I can get the PIX to use a MS CA Server with the CRL Optional parameter, though what is the point in not using the CRL? The main reason I want to use Certs is the ability to revoke a Certificate and make it so the user no longer has access to the network, and so the users don't need to remember a user name and password, which can be shared.
There are a bunch of unknowns with the way this is supposed to work.
The MS CA Server is set up as a standalone CA root server. This is because the Enterprise CA Server will automatically issue a Cert to anyone who wants one regardless of who is asking for it. The Standalone will allow you to approve requests as they are asked.
The Standalone will not publish the CRL to the AD via the Exit Module. The option is grayed out. So I'm not sure the CRL is getting to the AD.
I'm currently getting the following error when requesting a CRL from my CA.
CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: transaction GetCRL completed
Crypto CA thread sleeps!
The CRL Distribution points in the Cert assigned to the PIX are:
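Added example, not part of the original post: it builds a throwaway CA, issues a peer certificate, revokes it in a CRL, and shows why "crl optional" matters. With a CRL the PIX cannot fetch (modelled as `crl=None`), an optional CRL setting still accepts the peer, so revocation is not actually enforced; a required setting rejects it. Assumes the Python `cryptography` package; all names and the PKI are constructed for the example.

```python
# Added example (not from the original post): a constructed test PKI used
# to show how CRL checking, and the optional/required choice, decides access.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca_and_peer():
    """Constructed: one CA key/cert and one peer (VPN user) cert it issued."""
    now = datetime.now(timezone.utc)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (x509.CertificateBuilder()
        .subject_name(_name("test-ca")).issuer_name(_name("test-ca"))
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256()))
    peer_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    peer_cert = (x509.CertificateBuilder()
        .subject_name(_name("vpn-user")).issuer_name(ca_cert.subject)
        .public_key(peer_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=30))
        .sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, peer_cert

def make_crl(ca_key, ca_cert, revoked_serials):
    """Sign a CRL from the CA listing the given serial numbers as revoked."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(s).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())

def accept_peer(peer_cert, ca_cert, crl, crl_required):
    """True if the peer cert should be accepted. crl=None models a CRL fetch
    failure (as in the GetCRL error above): 'optional' tolerates it, 'required'
    does not. A CRL is trusted only if the CA actually signed it."""
    if crl is None:
        return not crl_required
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False
    return crl.get_revoked_certificate_by_serial_number(peer_cert.serial_number) is None
```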