Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
881
Views
5
Helpful
3
Replies

vpn & certificate server problem

melvynbrown
Level 1
Level 1

‎07-03-2006 01:19 PM - edited ‎02-21-2020 02:30 PM

pixfirewall> en

Password:

pixfirewall# conf t

pixfirewall(config)# hostname pix70

pix70(config)# domain-name acme.com

pix70(config)# crypto key generate rsa label certkeys modulus 512

INFO: The name for the keys will be: certkeys

Keypair generation process begin. Please wait...

pix70(config)# show crypto key mypubkey rsa

Key pair was generated at: 06:08:10 UTC Jul 3 2006

Key name: certkeys

Usage: General Purpose Key

Modulus Size (bits): 512

Key Data:

305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c3e052 2d5e5b0d

88f989ce 03b8502c d1a1d9bb c5a86279 972711fa a0d09fa6 a3636249 14f2cf39

3eb4fd65 d68ab2af 836e749e 7b3f3534 ccc9364c b23017d4 6d020301 0001

pix70(config)# crypto ca trustpoint caseserver

pix70(config-ca-trustpoint)# enrollment url http://192.168.2.2/certsrv/mscep/mscep.dll

pix70(config-ca-trustpoint)# crl optional

pix70(config-ca-trustpoint)# enrollment retry period 1

pix70(config-ca-trustpoint)# enrollment retry count 10

pix70(config-ca-trustpoint)# subject-name CN=pix70.acme.com

pix70(config-ca-trustpoint)# keypair certkeys

pix70(config-ca-trustpoint)# exit

pix70(config)# crypto ca authenticate caseserver

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length =0

pix70(config)#

i am trying to configure a firewall to use certificates for vpn tunnel authentication

these are to be obtained from a microsoft certificate server which is situated off of

an interface named dmz (security-level 50) have installed a certification authority

(stand alone CA) and have configured the CA policy module to always issue the certificate

apart from configuring the pix interfaces the only other config i have done is displayed

above,As you can see it fails to obtain its Certificate could somebody advise me

of anything else i need to do to get this to work.

the pix i am using is a 515 using OS 7.0(4)

i have set up the CA using windows 2000 and windows 2003 and neither seems to work.

any help will be appreciated

regards

melvyn brown

Labels:
0 Helpful
3 Replies 3

hemendoz
Cisco Employee
Cisco Employee

‎07-03-2006 06:49 PM

Hello melvyn,

Are you able to receive a certificate for any other device from this CA server? Is the time correct on the CA server? Did you install the MSCEP add-on on your CA server? Also, try enabling these debugs

debug crypto ca messages

debug crypto ca transactions

Hope that helps!

0 Helpful

melvynbrown
Level 1
Level 1
In response to hemendoz

‎07-04-2006 12:50 PM

the certificate server can dish out certificates for other devices the time is correct but my study guide does not mention that you have to install a MSCEP add-on therefore it is something i have not done or even ever heard of how do you go about doing that?

regards

melvyn brown

0 Helpful

hemendoz
Cisco Employee
Cisco Employee
In response to melvynbrown

‎07-04-2006 05:16 PM

Hello melvyn brown,

Here are 3 Word documents that provide some instructions.

This appears where you can download the add-on for Windows 2003

Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services

http://www.microsoft.com/downloads/details.aspx?familyid=9f306763-d036-41d8-8860-1636411b2d01&displaylang=en#Instructions

If you want the version for W2K, you can find the add-on in the Windows 2000 Server Resource Kit.

Hope this helps! If so, please rate.

Thanks,

hemendoz

Preview file
37 KB
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents