07-03-2006 01:19 PM - edited 02-21-2020 02:30 PM
pixfirewall> en
Password:
pixfirewall# conf t
pixfirewall(config)# hostname pix70
pix70(config)# domain-name acme.com
pix70(config)# crypto key generate rsa label certkeys modulus 512
INFO: The name for the keys will be: certkeys
Keypair generation process begin. Please wait...
pix70(config)# show crypto key mypubkey rsa
Key pair was generated at: 06:08:10 UTC Jul 3 2006
Key name: certkeys
Usage: General Purpose Key
Modulus Size (bits): 512
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c3e052 2d5e5b0d
88f989ce 03b8502c d1a1d9bb c5a86279 972711fa a0d09fa6 a3636249 14f2cf39
3eb4fd65 d68ab2af 836e749e 7b3f3534 ccc9364c b23017d4 6d020301 0001
pix70(config)# crypto ca trustpoint caseserver
pix70(config-ca-trustpoint)# enrollment url http://192.168.2.2/certsrv/mscep/mscep.dll
pix70(config-ca-trustpoint)# crl optional
pix70(config-ca-trustpoint)# enrollment retry period 1
pix70(config-ca-trustpoint)# enrollment retry count 10
pix70(config-ca-trustpoint)# subject-name CN=pix70.acme.com
pix70(config-ca-trustpoint)# keypair certkeys
pix70(config-ca-trustpoint)# exit
pix70(config)# crypto ca authenticate caseserver
ERROR: receiving Certificate Authority certificate: status = FAIL, cert length =0
pix70(config)#
I am trying to configure a firewall to use certificates for VPN tunnel authentication. These are to be obtained from a Microsoft certificate server which is situated off an interface named dmz (security-level 50). I have installed a certification authority (stand-alone CA) and have configured the CA policy module to always issue the certificate. Apart from configuring the PIX interfaces, the only other config I have done is displayed above. As you can see, it fails to obtain its certificate. Could somebody advise me of anything else I need to do to get this to work?
The PIX I am using is a 515 running OS 7.0(4).
I have set up the CA using Windows 2000 and Windows 2003 and neither seems to work.
Any help will be appreciated.
Regards,
Melvyn Brown
07-03-2006 06:49 PM
Hello Melvyn,
Are you able to receive a certificate for any other device from this CA server? Is the time correct on the CA server? Did you install the MSCEP add-on on your CA server? Also, try enabling these debugs:
debug crypto ca messages
debug crypto ca transactions
Hope that helps!
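The `crypto ca authenticate` step that fails above is a single SCEP GetCACert request: the PIX fetches `<enrollment url>?operation=GetCACert` and expects a DER blob back. Before touching the firewall again it is worth issuing that same request from a host on the dmz segment and looking at what the CA actually answers, because "cert length = 0" just means the PIX got no certificate bytes, which is what happens when the MSCEP add-on is not installed and IIS returns an HTML error page instead. The script below is an added example written for this thread, not code from the original post or from Cisco or Microsoft. It assumes the enrollment URL from the transcript, the response Content-Types defined by SCEP (RFC 8894), and a constructed set of sample replies for offline use; only `probe()` touches the network.

```python
"""Probe the SCEP GetCACert step a PIX performs during 'crypto ca authenticate'.

Added example for this thread; not code from the original post.  Assumes the
enrollment URL shown in the transcript and the SCEP reply Content-Types from
RFC 8894.  Sample replies at the bottom are constructed for offline testing.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Content-Types SCEP allows for a GetCACert reply (RFC 8894, section 4.2.1).
# MSCEP normally returns the second one because it enrolls through an RA.
CA_CERT_TYPES = {
    "application/x-x509-ca-cert": "single CA certificate (DER)",
    "application/x-x509-ca-ra-cert": "degenerate PKCS#7 with CA and RA certificates",
}


def build_getcacert_url(enrollment_url: str, ca_ident: str = "") -> str:
    """Append the GetCACert query to the trustpoint's enrollment URL.

    ca_ident is the optional SCEP 'message' parameter (CA issuer identifier).
    """
    params = {"operation": "GetCACert"}
    if ca_ident:
        params["message"] = ca_ident
    sep = "&" if "?" in enrollment_url else "?"
    return enrollment_url + sep + urllib.parse.urlencode(params)


def der_length(body: bytes):
    """Return the total length the outermost DER SEQUENCE claims, or None.

    Both a bare X.509 certificate and a PKCS#7 ContentInfo start with 0x30,
    so this is enough to tell 'some DER' from an HTML error page.
    """
    if len(body) < 2 or body[0] != 0x30:
        return None
    first = body[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(body) < 2 + n:
        return None
    return 2 + n + int.from_bytes(body[2:2 + n], "big")


def diagnose(status: int, content_type: str, body: bytes) -> str:
    """Classify a GetCACert reply the way the PIX's error message would."""
    if status != 200:
        return f"FAIL: HTTP {status} (check the mscep.dll path and IIS authentication)"
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in CA_CERT_TYPES:
        return (f"FAIL: unexpected Content-Type {content_type!r}, cert length = {len(body)} "
                "(MSCEP add-on not installed, or URL points at something else)")
    if not body:
        return "FAIL: cert length = 0"
    total = der_length(body)
    if total is None:
        return "FAIL: body is not a DER SEQUENCE"
    if total != len(body):
        return f"FAIL: truncated DER ({len(body)} of {total} bytes)"
    return f"OK: {CA_CERT_TYPES[ctype]}, {len(body)} bytes"


def probe(enrollment_url: str, ca_ident: str = "") -> str:
    """Send the real request (network; not used by the offline samples)."""
    req = urllib.request.Request(build_getcacert_url(enrollment_url, ca_ident))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return diagnose(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.headers.get("Content-Type", ""), err.read())


# Constructed replies: what IIS without MSCEP sends, an empty reply, and a
# tiny stand-in DER SEQUENCE (SEQUENCE { INTEGER 5 }) standing in for a cert.
SAMPLE_REPLIES = {
    "no-mscep": (200, "text/html", b"<html>404 Not Found</html>"),
    "empty": (200, "application/x-x509-ca-cert", b""),
    "good": (200, "application/x-x509-ca-ra-cert", b"\x30\x03\x02\x01\x05"),
}


def run_samples() -> dict:
    """Diagnose every constructed sample; returns {name: verdict}."""
    return {name: diagnose(*reply) for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))      # e.g. http://192.168.2.2/certsrv/mscep/mscep.dll
    else:
        for name, verdict in run_samples().items():
            print(f"{name:9} {verdict}")
```

Run it with the enrollment URL as the only argument from a machine that can reach the CA the same way the PIX does; a `text/html` verdict means the request never reached a SCEP handler, which matches the missing add-on the reply above asks about. One caveat a practitioner would add to the transcript itself: the 512-bit RSA key generated there is far below any acceptable minimum today and should be at least 2048 bits on current code.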
07-04-2006 12:50 PM
The certificate server can dish out certificates for other devices, and the time is correct, but my study guide does not mention that you have to install an MSCEP add-on, so it is something I have not done or even ever heard of. How do you go about doing that?
Regards,
Melvyn Brown
07-04-2006 05:16 PM
Hello Melvyn Brown,
Here are 3 Word documents that provide some instructions.
This appears to be where you can download the add-on for Windows 2003:
Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services
If you want the version for W2K, you can find the add-on in the Windows 2000 Server Resource Kit.
Hope this helps! If so, please rate.
Thanks,
hemendoz