I'm having trouble getting root certificates that are generated by my Win 2003 CA to work on my 3005 VPN Concentrator.
I am attempting to get Citrix sessions to work through WebVPN sessions that are established with my concentrator. I can connect and actually get logged in to my Citrix farm, but any applications I try to run fail with an SSL error stating that I have not trusted the site. My Citrix farm uses certificates generated by my Microsoft CA server, so the thought was that if I applied the root cert from my MS CA to the concentrator and generated an Identity cert through it also, it would fix the problem.
I have tried using SCEP, but have never gotten it to work; it always fails with "Unknown Error". I have tried manually creating the root cert using the Cisco procedure (http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a00800946f1.shtml), but after I successfully create a certificate, it fails when I try to install it on the concentrator with either an "Invalid key length" or "incomplete chain" error. I did find out that our root certificate on our CA is 4096 bytes...wondering if that is the problem since I can only specify 2048 as the largest size on the concentrator.
I am running v4.7.2 on the concentrator, and my MS CAs (subordinates and root) are all Win 2003.
Thanks for the reply. I ended up abandoning trying to get a cert from my CA...just doesn't seem to want to work. Anyway, I have my original problem fixed anyway, which was the ability to connect to my Citrix farm, that was just a matter of installing the cert from the concentrator as a trusted cert...all worked well after that.
Hi, Jeff - Curious, did you ever get your concentrator to accept the cert from your CA, or did you leave your workaround in place? I have exactly the same scenario, only I can't employ the same tactics. Did you ever open a case on it with Cisco?
I did, but it was ultimately closed when we got my concentrator to accept a cert from one of Cisco's Windows 2003 CA servers (at least that's what they told me it was). They threw it back in to Microsoft's court. Now it's four months later and I'm no closer to resolution - heck, maybe I'm farther away! Thanks -