07-03-2006 01:19 PM - edited 02-21-2020 02:30 PM
pixfirewall> en
Password:
pixfirewall# conf t
pixfirewall(config)# hostname pix70
pix70(config)# domain-name acme.com
pix70(config)# crypto key generate rsa label certkeys modulus 512
INFO: The name for the keys will be: certkeys
Keypair generation process begin. Please wait...
pix70(config)# show crypto key mypubkey rsa
Key pair was generated at: 06:08:10 UTC Jul 3 2006
Key name: certkeys
Usage: General Purpose Key
Modulus Size (bits): 512
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c3e052 2d5e5b0d
88f989ce 03b8502c d1a1d9bb c5a86279 972711fa a0d09fa6 a3636249 14f2cf39
3eb4fd65 d68ab2af 836e749e 7b3f3534 ccc9364c b23017d4 6d020301 0001
pix70(config)# crypto ca trustpoint caseserver
pix70(config-ca-trustpoint)# enrollment url http://192.168.2.2/certsrv/mscep/mscep.dll
pix70(config-ca-trustpoint)# crl optional
pix70(config-ca-trustpoint)# enrollment retry period 1
pix70(config-ca-trustpoint)# enrollment retry count 10
pix70(config-ca-trustpoint)# subject-name CN=pix70.acme.com
pix70(config-ca-trustpoint)# keypair certkeys
pix70(config-ca-trustpoint)# exit
pix70(config)# crypto ca authenticate caseserver
ERROR: receiving Certificate Authority certificate: status = FAIL, cert length =0
pix70(config)#
I am trying to configure a firewall to use certificates for VPN tunnel authentication. These are to be obtained from a Microsoft certificate server which is situated off an interface named dmz (security-level 50). I have installed a certification authority (stand-alone CA) and have configured the CA policy module to always issue the certificate. Apart from configuring the PIX interfaces, the only other config I have done is displayed above. As you can see, it fails to obtain its certificate. Could somebody advise me of anything else I need to do to get this to work?
The PIX I am using is a 515 using OS 7.0(4).
I have set up the CA using Windows 2000 and Windows 2003 and neither seems to work.
Any help will be appreciated.
Regards,
Melvyn Brown
07-03-2006 06:49 PM
Hello Melvyn,
Are you able to receive a certificate for any other device from this CA server? Is the time correct on the CA server? Did you install the MSCEP add-on on your CA server? Also, try enabling these debugs:
debug crypto ca messages
debug crypto ca transactions
Hope that helps!
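The original post's trustpoint config points at http://192.168.2.2/certsrv/mscep/mscep.dll, and "crypto ca authenticate" fails with "cert length =0", which is the PIX reporting an empty GetCACert reply. The reply above asks whether the MSCEP add-on is installed; the script below is an added diagnostic (not from the original thread, and not a Cisco or Microsoft tool) that checks the same thing from any host that can reach the DMZ: it issues the SCEP GetCACert request the PIX would send and classifies the response by content type and DER framing. The trustpoint name "caseserver" used as the SCEP "message" identifier and the default probe URL are taken from the post; the sample response bodies at the bottom are constructed for the offline demonstration.

```python
"""Probe a SCEP GetCACert endpoint the way a PIX trustpoint would.

Added example, not part of the original thread. Assumes the enrollment URL
from the post; the sample response bodies below are constructed.
"""
import urllib.error
import urllib.parse
import urllib.request

# Content types a SCEP server may return for GetCACert (RFC 8894 section 4.2):
# a single DER CA certificate, or a degenerate PKCS#7 carrying CA + RA certs.
CA_CERT_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}


def get_cacert_url(enrollment_url, identifier="caseserver"):
    """Build the GetCACert query; 'identifier' is the optional CA identifier
    string (here the trustpoint name from the post, an assumption)."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": identifier})
    return f"{enrollment_url}?{query}"


def der_outer_length(body):
    """Return (header_len, content_len) of the outermost DER SEQUENCE, or None
    if the bytes do not begin with a well-formed SEQUENCE tag and length."""
    if len(body) < 2 or body[0] != 0x30:
        return None
    first = body[1]
    if first < 0x80:                      # short-form length
        return 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(body) < 2 + n:
        return None
    return 2 + n, int.from_bytes(body[2:2 + n], "big")


def classify_getcacert_response(content_type, body):
    """Map an HTTP reply onto the failure modes a firewall admin cares about."""
    ct = content_type.split(";")[0].strip().lower()
    if not body:
        return "EMPTY"                    # the PIX symptom: cert length = 0
    framing = der_outer_length(body)
    if framing is None:
        return "NOT_DER"                  # e.g. an HTML error page instead of a cert
    header_len, content_len = framing
    if header_len + content_len != len(body):
        return "TRUNCATED"                # DER length does not match what arrived
    if ct not in CA_CERT_TYPES:
        return "WRONG_CONTENT_TYPE"       # DER present but served under the wrong type
    return "OK_CA_CERT" if ct == "application/x-x509-ca-cert" else "OK_CA_RA_CHAIN"


def probe_getcacert(enrollment_url, timeout=5):
    """Live check against the CA; returns one of the classifications above
    or an HTTP_/UNREACHABLE marker when the request itself fails."""
    req = urllib.request.Request(get_cacert_url(enrollment_url),
                                 headers={"User-Agent": "scep-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_getcacert_response(resp.headers.get("Content-Type", ""),
                                               resp.read())
    except urllib.error.HTTPError as exc:
        return f"HTTP_{exc.code}"         # e.g. 404 when mscep.dll is not installed
    except urllib.error.URLError as exc:
        return f"UNREACHABLE:{exc.reason}"


if __name__ == "__main__":
    # Offline demonstration on constructed replies (no network needed).
    samples = [
        ("application/x-x509-ca-cert", b""),                      # empty reply
        ("text/html", b"<html><body>Not Found</body></html>"),    # HTML error page
        ("application/x-x509-ca-cert", b"\x30\x03\x02\x01\x05"),  # tiny valid DER
    ]
    for ct, body in samples:
        print(f"{ct:32s} -> {classify_getcacert_response(ct, body)}")
    # Uncomment to probe the CA from the post:
    # print(probe_getcacert("http://192.168.2.2/certsrv/mscep/mscep.dll"))
```

An "EMPTY" or "NOT_DER" result from the URL in the trustpoint is the server-side half of the PIX error; "HTTP_404" on the mscep.dll path is the expected outcome when the MSCEP add-on has not been installed on the CA. Only once the probe returns "OK_CA_CERT" or "OK_CA_RA_CHAIN" is it worth re-running "crypto ca authenticate" with the debugs enabled, and the CA certificate fingerprint shown by the PIX should then be compared against the one on the CA before accepting it.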
07-04-2006 12:50 PM
The certificate server can dish out certificates for other devices and the time is correct, but my study guide does not mention that you have to install an MSCEP add-on, therefore it is something I have not done or even ever heard of. How do you go about doing that?
Regards,
Melvyn Brown
07-04-2006 05:16 PM
Hello Melvyn Brown,
Here are 3 Word documents that provide some instructions.
This appears to be where you can download the add-on for Windows 2003:
Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services
If you want the version for W2K, you can find the add-on in the Windows 2000 Server Resource Kit.
Hope this helps! If so, please rate.
Thanks,
hemendoz