
SCEP protocol and PIXOS 7.0.

johnleeee
Level 1

Hi all,

I need urgent help related to enrollment of a certificate from our PIX. We have Microsoft CA with SCEP installed on it and everything worked fine until now.

We cannot now do enrollment with our CA. I see that request was denied with CA when I manage PIX through ASDM.

From CLI of PIX I see that the request was sent, but in the CA I don't see a pending request.

Please, could someone help me?

BR.

jl

2 Replies

sbilgi
Level 5

Which PIX FW version are you using? The 7.0 code is designed for higher models of PIX, which unfortunately do not include the PIX 501. PIX 501 can only obtain the certificate through SCEP.

You can create a new trustpoint and then set it for self-signed during enrollment.

Then when you enroll your certificate, it will generate a self-signed cert:

pixfirewall(config)# crypto ca trustpoint TEST
pixfirewall(config-ca-trustpoint)# fqdn pixfirewall.cisco.com
pixfirewall(config-ca-trustpoint)# enrollment self
pixfirewall(config-ca-trustpoint)# exit
pixfirewall(config)# crypto ca enroll TEST
% The fully-qualified domain name in the certificate will be: pixfirewall.cisco.com
% Include the device serial number in the subject name? [yes/no]: no
Generate Self-Signed Certificate? [yes/no]: yes
pixfirewall(config)#

Try these links for more info:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247b.html

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/excas.htm

Hi,

Thanks a lot for the advice. It's very helpful for me. I'll try this. Links are very helpful.

We are using PIXOS 7.2.4.

Is it possible to do this on a router (2600, 3600)?

Thanks a lot.

BR

jl