New Member

Problems with PIX 501 and MS Cert Server

Hi All,

I have two problems with my PIX 501:

1. Enrolling works well. The pix has a certificate and uses it with VPN/SSL connections. But after a reload, the pix certificate is lost and it has regenerated a self-signed certificate again!

Yes, I did write mem and ca save all!

2. On a ca crl request <name>, I get the following debug:

Crypto CA thread wakes up!

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: transaction GetCRL completed

Crypto CA thread sleeps!

CI thread wakes up!

And the CRL is empty.

Does somebody have an idea?

Bert Koelewijn

Accepted Solutions
Cisco Employee

Re: Problems with PIX 501 and MS Cert Server

Not sure about 1, but 2 is usually caused by the CDP (CRL Distribution Point, basically the location from which the PIX can download the CRL) listed in the CA cert being in a format the PIX doesn't understand, usually an LDAP URL.

Check the following please:

Open the CA admin tool (Certification Authority) then

1) right click on the CA name and choose "Properties"

2) select the tab "Policy Module"

3) hit the button "Configure"

4) select the tab "X.509 extensions"

From there, he can view the list of "CRL Distribution Points".

Deactivate all that is not HTTP.

You'll need to reinstall the certs into the PIX I believe, but then it should be able to download the CRL via HTTP instead of LDAP.

New Member

Re: Problems with PIX 501 and MS Cert Server

> in a format the PIX doesn't understand

I eliminated the space in the name of my ca certificate, to make the URL cleaner, without the '%20': abc%20def.crl -> abcdef.crl. That solved problem 1!!

I still have no clue about problem 2; even with nice URLs and only HTTP (as you mentioned), it gives the same debug.

Thanks for your previous hint! It led me to the solution of problem 1. Does somebody have an idea about problem 2?

Bert Koelewijn
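As an added check (example code, not from the thread or from Cisco), the snippet below walks the DER value of a CA certificate's CRL Distribution Points extension and flags the two things this thread turned on: a non-HTTP (LDAP) CDP the PIX cannot fetch, and a %20 left in the path by a space in the CA name. The DER helpers and the sample URLs are constructed here; in practice the extension value would be taken from the CA cert with a certificate library or openssl asn1parse.

```python
from urllib.parse import urlparse

def tlv(tag, body):
    """DER-encode one TLV; long-form length (0x81 nn) is enough for bodies < 256 bytes."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n])
    return bytes([tag]) + length + body

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cdp_uris(ext_value):
    """All [6] URI GeneralNames (tag 0x86) in a DER CRLDistributionPoints value."""
    uris = []
    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, val, pos = der_tlv(buf, pos)
            if tag == 0x86:                 # uniformResourceIdentifier
                uris.append(val.decode("ascii"))
            elif tag & 0x20:                # constructed (SEQUENCE, [0], [1] ...)
                walk(val)
    walk(ext_value)
    return uris

def check_cdps(ext_value):
    """Tag each CDP URI 'non-http' (PIX cannot fetch it), 'encoded-space' (%20 in the path) or 'ok'."""
    findings = []
    for uri in cdp_uris(ext_value):
        if urlparse(uri).scheme.lower() != "http":
            findings.append((uri, "non-http"))
        elif "%20" in uri:
            findings.append((uri, "encoded-space"))
        else:
            findings.append((uri, "ok"))
    return findings

def make_cdp(*uris):
    """SEQUENCE OF DistributionPoint { [0] fullName { [0] GeneralNames { [6] uri } } }."""
    return tlv(0x30, b"".join(tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, u.encode())))) for u in uris))

# Constructed sample (not from the thread): LDAP and HTTP CDPs for a CA name with a space, plus a cleaned one.
SAMPLE_CDP = make_cdp("ldap:///CN=abc%20def,CN=CDP,DC=example,DC=com?certificateRevocationList",
                      "http://ca.example.com/CertEnroll/abc%20def.crl",
                      "http://ca.example.com/CertEnroll/abcdef.crl")
```

Running check_cdps over the sample reports the LDAP entry as non-http, the first HTTP entry as encoded-space and the last as ok.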

New Member

Re: Problems with PIX 501 and MS Cert Server

Solved problem 2!

Not only by leaving the LDAP address off the certificate, but by leaving the LDAP IP address off the 'ca identity' rule too.

Is Cisco aware of this issue? Will they make things easier in the next releases of the PIX OS?

Thanks!

Bert Koelewijn
