New Member

vpn & certificate server problem

pixfirewall> en


pixfirewall# conf t

pixfirewall(config)# hostname pix70

pix70(config)# domain-name

pix70(config)# crypto key generate rsa label certkeys modulus 512

INFO: The name for the keys will be: certkeys

Keypair generation process begin. Please wait...

pix70(config)# show crypto key mypubkey rsa

Key pair was generated at: 06:08:10 UTC Jul 3 2006

Key name: certkeys

Usage: General Purpose Key

Modulus Size (bits): 512

Key Data:

305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c3e052 2d5e5b0d

88f989ce 03b8502c d1a1d9bb c5a86279 972711fa a0d09fa6 a3636249 14f2cf39

3eb4fd65 d68ab2af 836e749e 7b3f3534 ccc9364c b23017d4 6d020301 0001

pix70(config)# crypto ca trustpoint caseserver

pix70(config-ca-trustpoint)# enrollment url

pix70(config-ca-trustpoint)# crl optional

pix70(config-ca-trustpoint)# enrollment retry period 1

pix70(config-ca-trustpoint)# enrollment retry count 10

pix70(config-ca-trustpoint)# subject-name

pix70(config-ca-trustpoint)# keypair certkeys

pix70(config-ca-trustpoint)# exit

pix70(config)# crypto ca authenticate caseserver

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length =0


I am trying to configure a firewall to use certificates for VPN tunnel authentication. These are to be obtained from a Microsoft certificate server which is situated off of an interface named dmz (security-level 50). I have installed a certification authority (stand-alone CA) and have configured the CA policy module to always issue the certificate. Apart from configuring the PIX interfaces, the only other config I have done is displayed above. As you can see, it fails to obtain its certificate. Could somebody advise me of anything else I need to do to get this to work?

The PIX I am using is a 515 using OS 7.0(4).

I have set up the CA using Windows 2000 and Windows 2003 and neither seems to work.

Any help will be appreciated.


melvyn brown

Cisco Employee

Re: vpn & certificate server problem

Hello melvyn,

Are you able to receive a certificate for any other device from this CA server? Is the time correct on the CA server? Did you install the MSCEP add-on on your CA server? Also, try enabling these debugs:

debug crypto ca messages

debug crypto ca transactions

Hope that helps!

New Member

Re: vpn & certificate server problem

The certificate server can dish out certificates for other devices, and the time is correct, but my study guide does not mention that you have to install an MSCEP add-on. Therefore it is something I have not done or even ever heard of. How do you go about doing that?


melvyn brown

Cisco Employee

Re: vpn & certificate server problem

Hello melvyn brown,

Here are 3 Word documents that provide some instructions.

This appears to be where you can download the add-on for Windows 2003:

Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services

If you want the version for W2K, you can find the add-on in the Windows 2000 Server Resource Kit.

Hope this helps! If so, please rate.
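
An added example, not part of the thread and not Cisco or Microsoft tooling: `crypto ca authenticate` retrieves the CA certificate with a SCEP `GetCACert` HTTP request, so the same request can be sent from a workstation to see whether the CA actually runs a SCEP responder. The host name, the `/certsrv/mscep/mscep.dll` path (the usual location of the Microsoft SCEP add-on) and the function names are assumptions for illustration.

```python
import urllib.error
import urllib.parse
import urllib.request

# Content types a SCEP responder returns for GetCACert (CA only, or CA + RA chain).
SCEP_CA_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}


def getcacert_url(enrollment_url, ca_ident="ca"):
    """Build the GetCACert request a SCEP client sends to the enrollment URL."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": ca_ident})
    return f"{enrollment_url}?{query}"


def classify(status, content_type, body):
    """Turn an HTTP response into a diagnosis for a failed CA authenticate."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if status == 404:
        return "no SCEP responder at this path (is the SCEP add-on installed?)"
    if status != 200:
        return f"HTTP {status}: responder reachable but refused the request"
    if ctype not in SCEP_CA_TYPES:
        return f"not a SCEP response (Content-Type {ctype or 'missing'})"
    if not body:
        return "SCEP content type but empty body (cert length 0)"
    # DER certificates and PKCS#7 bundles both start with an ASN.1 SEQUENCE (0x30).
    if body[0] != 0x30:
        return "body is not DER-encoded"
    return f"ok: {len(body)} bytes, {ctype}"


def probe(enrollment_url, timeout=5):
    """Send GetCACert and classify the answer; network errors are reported, not raised."""
    try:
        with urllib.request.urlopen(getcacert_url(enrollment_url), timeout=timeout) as r:
            return classify(r.status, r.headers.get("Content-Type"), r.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Content-Type"), b"")
    except (urllib.error.URLError, OSError) as e:
        return f"cannot reach CA: {e}"


if __name__ == "__main__":
    # Placeholder host (assumption); use the URL configured under 'enrollment url'.
    print(probe("http://ca.example.invalid/certsrv/mscep/mscep.dll"))
```

Run it from a host on the same side of the firewall as the PIX interface that reaches the CA, so that routing and access rules are exercised as well.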