
New Member

PKI Certificate

Hi

I have defined a PKI trustpoint on an 871, but whilst authenticating the CA I get the following error:

Nov 6 10:57:05.370: CRYPTO_PKI: Sending CA Certificate Request:

GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=Synergy-CA HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)

Nov 6 10:57:05.370: CRYPTO_PKI: locked trustpoint Synergy-CA, refcount is 1

Nov 6 10:57:05.386: CRYPTO_PKI: http connection opened

Nov 6 10:57:05.386: CRYPTO_PKI: unlocked trustpoint Synergy-CA, refcount is 0

Nov 6 10:57:05.386: CRYPTO_PKI: locked trustpoint Synergy-CA, refcount is 1

Nov 6 10:57:05.598: CRYPTO_PKI: unlocked trustpoint Synergy-CA, refcount is 0

Nov 6 10:57:05.598: CRYPTO_PKI: HTTP response header:

HTTP/1.1 200 OK

Content-Length: 4274

Content-Type: application/x-x509-ca-ra-cert

Server: Microsoft-IIS/7.0

Date: Thu, 06 Nov 2008 10:56:47 GMT

Connection: close

Content-Type indicates we have received CA and RA certificates.

Nov 6 10:57:05.598: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=Synergy-CA)

Nov 6 10:57:05.602: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):

Nov 6 10:57:05.602: crypto_certc_pkcs7_extract_certs_and_crls failed

Nov 6 10:57:05.602: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795

Nov 6 10:57:05.602: CRYPTO_PKI: Unable to read CA/RA certificates.

Nov 6 10:57:05.602: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.

Nov 6 10:57:05.602: CRYPTO_PKI: transaction GetCACert completed

--------------------------------------

My router config for the trustpoint is as follows:

crypto pki trustpoint Synergy-CA

enrollment mode ra

enrollment url http://ca_2008.sfs.com:80/certsrv/mscep/mscep.dll

subject-name cn=Authenticator-871 o=SFS

revocation-check none

ocsp url http://ca_2008.sfs.com/ocsp

rsakeypair Synergy

2 REPLIES
Anonymous
N/A

Re: PKI Certificate

The explanation for "PKI-3-GETCARACERT: Failed to receive RA/CA certificates" is that PKI has encountered a failure when parsing and processing the CA/RA certificates. The recommended action is to check the status and contact the CA administrator. Also, you can check whether the certification is valid or not.

This URL explains certificate authentication in detail:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml#step3

New Member

Re: PKI Certificate

Thank you for the reply. I got through that stage and am now stuck with decoding of the reply sent by OCSP (MS Server 2008). The no-revocation check OID has a zero-length value, whereas NULL is expected by Cisco. MS has identified it as a bug but will be releasing its fix in SP2; I just wanted to know if Cisco has found a way around it.
