Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

3005 Concentrator and MS CA Certificates

I'm having trouble getting root certificates that are generated by my Win 2003 CA to work on my 3005 VPN Concentrator.

I am attempting to get Citrix sessions to work through WebVPN sessions that are established with my concentrator. I can connect and actually get logged in to my Citrix farm, but any applications I try and run fail with an SSL error stating that I have not trusted the site. My Citrix farm uses certificates generated by my Microsoft CA server, so the thought was that if I applied the root cert from my MS CA to the concentrator and generated an Identity cert though it also, it would fix the problem.

I have tried using SCEP, but have never gotten it to work, it always fails with "Unknown Error". I have tried manually creating the root cert using the Cisco procedure (, but after I successfully create a certificate, it faily when I try and install it on the concentrator with either a "Invalid key length" or "incomplete chain" error. I did find out that our root certificate on our CA is 4096 bytes...wondering if that is the problem since I can only specify 2048 as the largest size on the concentrator.

I am running v4.7.2 on the concentrator, and my MS CAs (subordinates and root) are all Win 2003.

New Member

Re: 3005 Concentrator and MS CA Certificates

Requesting Certificates from a Certificate Authority

You can also request a user or root certificate from a CA.

If you request a root certificate, the server script obtains a root certificate from the CA.

If you request a user certificate, the server script obtains both a root and a user certificate from the CA.

To request a root or user certificate from a CAFor root certificates, the Request Root Certificate dialog box appears.

For user certificates, the Request User Certificate dialog box appears.

Step 2 Enter the IP address and URL of the server script of the CA.

User certificates require you to enter both the root certificate request information and the user certificate request information.


Step 1 Click the Request button on the Certificates tab of the VPN Client window

New Member

Re: 3005 Concentrator and MS CA Certificates

Thanks for the reply. I ended up abandoning trying to get a cert from my CA...just doesn't seem to want to work. Anyway, I have my original problem fixed anyway, which was the ability to connect to my Citrix farm, that was just a matter of installing the cert from the concentrator as a trusted cert...all worked well after that.

Thanks again..Jeff

New Member

Re: 3005 Concentrator and MS CA Certificates

Hi, Jeff - Curious, did you ever get your concentrator to accept the cert from your CA, or did you leave your work around in place? I have exactly the same scenario, only I can't employ the same tactics. Did you ever open a case on it with Cisco?

I did, but it was ultimately closed when we got my concentrator to accept a cert from one of Cisco's Windows 2003 CA servers (at least that's what they told me it was). They threw it back in to Microsoft's court. Now it's four months later and I'm no closer to resolution - heck, maybe I'm farther away! Thanks -


CreatePlease to create content