New Member

Certificate Authority certificate: status = FAIL, cert length = 0

Hi all,

We have installed a new MS root CA and issuing CA (Windows Server 2008 R2 Enterprise) in a test environment. When I tried to get the CA certificate from some Cisco devices (router 1800, ASA 5510, 5520), it failed. It is the same situation with the "enrollment url" or "enrollment terminal" command:

Router:

PKI-test(config)#crypto ca authenticate NIS_CA
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

PKI-test(config)#
Nov 23 16:17:01.764: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=NIS_CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: xxxxxx

Nov 23 16:17:01.768: CRYPTO_PKI: locked trustpoint NIS_CA, refcount is 1
Nov 23 16:17:01.768: CRYPTO_PKI: http connection opened
Nov 23 16:17:01.768: CRYPTO_PKI: Sending HTTP message

Nov 23 16:17:01.768: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: xxxxxxx


Nov 23 16:17:01.772: CRYPTO_PKI: unlocked trustpoint NIS_CA, refcount is 0
Nov 23 16:17:01.772: CRYPTO_PKI: locked trustpoint NIS_CA, refcount is 1
Nov 23 16:17:01.776: CRYPTO_PKI: unlocked trustpoint NIS_CA, refcount is 0
Nov 23 16:17:01.776: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 5810
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 23 Nov 2010 16:17:01 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

Nov 23 16:17:01.776: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=NIS_CA)

Nov 23 16:17:01.788: The PKCS #7 message contains 4 certificates.
Nov 23 16:17:01.792: CRYPTO_PKI: status = 0x712(E_ATTRIBUTE_VALUE_LEN : attribute value length is invalid (%n0)): crypto_pkcs7_extract_ca_cert returned
Nov 23 16:17:01.792: CRYPTO_PKI: Unable to read CA/RA certificates.
Nov 23 16:17:01.792: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Nov 23 16:17:01.792: CRYPTO_PKI: transaction GetCACert completed

ASA:

ASA(config)# crypto ca authenticate QLABCA


CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Length: 5810
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 27 Nov 2010 16:57:43 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=QLABCA)

crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0

Is it possible that Cisco devices don't support a CA root public key length of 4096 and a subordinate CA key of 2048?

Or does anybody have another idea?

Thanks in advance ...

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Certificate Authority certificate: status = FAIL, cert length = 0

Yes, this could be the issue.  ASA doesn't support SHA2 as of yet.

--Jason

8 REPLIES
Cisco Employee

Re: Certificate Authority certificate: status = FAIL, cert length = 0

IOS router does support CA root public key length 4096 and subordinate CA 2048 in the later 12.4T IOS version.

Which IOS are you currently running?

New Member

Re: Certificate Authority certificate: status = FAIL, cert length = 0

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)

Cisco Adaptive Security Appliance Software Version 8.2(3)

Cisco Employee

Re: Certificate Authority certificate: status = FAIL, cert length = 0

Have you tried it manually instead of automatic enrollment?

New Member

Re: Certificate Authority certificate: status = FAIL, cert length = 0

Yes, I tried with "enrollment terminal" on the ASA but I got the same error, status=FAIL. I think I didn't try manual enrollment on the router, but I will as soon as possible.

New Member

Re: Certificate Authority certificate: status = FAIL, cert length = 0

Same situation/error when I manually tried to paste the CA certificate chain.

Unfortunately I couldn’t get any debug message with manual authentication.

PKI-test(config)#crypto ca authenticate NIS_CA

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIMXgYJKoZIhvcNAQcCoIIMTzCCDEsCAQExADALBgkqhkiG9w0BBwGgggwzMIIG
ojCCBIqgAwIBAgIKYUsTugAAAAAAAjANBgkqhkiG9w0BAQs
.....
+aK+bNl2yX9KBldhBd+vChcnUqabSRnfWfuo/6JXjm+67JY3xn0CwHwoId520D5P
ibN/+oqT68Vm3IbMsfQuQMn7YevCyPQyxeIj6f3nRLg+JNeqylKNVgAdL7tOXEPZ
MQA=
-----END CERTIFICATE-----
quit
% Error in saving certificate: status = FAIL


New Member

Re: Certificate Authority certificate: status = FAIL, cert length = 0

Could the Cisco devices have a problem because our test CA certificate use signature algorithm sha256RSA?
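Editor's note, added to this thread and not part of any poster's or Cisco's material: the two suspects raised above (a 4096-bit root key in the original post, a sha256RSA signature in the reply just before this) can both be checked from the GetCACert payload itself before touching the device. The blob pasted during terminal enrollment earlier in the thread begins with `MIIMXgYJKoZIhvcNAQcC`, which decodes to a SEQUENCE carrying OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), i.e. the same CA/RA bundle the HTTP path already failed on rather than a single X.509 certificate. The script below builds a constructed two-level chain with openssl (4096-bit sha256 root, 2048-bit sha256 issuing CA; the names and `WORK` directory are assumptions, not the poster's CA), wraps it in the same degenerate PKCS#7 structure MSCEP returns, splits it into individual PEM certificates, and reports each certificate's signature algorithm and RSA key size, flagging the properties the thread suspects the IOS 12.4(15)T7 / ASA 8.2(3) parser rejects. Replace `build_sample_chain` with the real `cacert.p7b` fetched from `/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=...` to inspect a production response (the thread's real response held 4 certificates; this sample holds 2).

```shell
#!/bin/sh
# Added example, not from the thread: build a CA/RA-style PKCS#7 bundle like the
# one MSCEP's GetCACert returns, then pull each certificate apart and report the
# two properties the thread suspects (signature algorithm, RSA key size) before
# any 'crypto ca authenticate' is attempted. Requires openssl in PATH.
# The chain generated here is constructed test data, not the poster's CA.
set -e

# Constructed chain: 4096-bit root signed with sha256, 2048-bit issuing CA
# signed by the root with sha256. Prints the path of the DER PKCS#7 bundle.
build_sample_chain() {
  dir="$1"
  openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 \
    -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=Test Root CA" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/sub.key" -out "$dir/sub.csr" \
    -subj "/CN=Test Issuing CA" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$dir/sub.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/sub.pem" >/dev/null 2>&1
  # GetCACert answers with a degenerate PKCS#7 SignedData that only carries
  # certificates (Content-Type application/x-x509-ca-ra-cert); crl2pkcs7
  # builds the same structure.
  openssl crl2pkcs7 -nocrl -certfile "$dir/root.pem" \
    -certfile "$dir/sub.pem" -outform DER -out "$dir/cacert.p7b"
  printf '%s\n' "$dir/cacert.p7b"
}

# Unpack a DER PKCS#7 into one PEM file per certificate (p7cert-N.pem next to
# the bundle) and print how many were found, i.e. the N in the device's
# "The PKCS #7 message contains N certificates" debug line. Each p7cert-N.pem
# is a single X.509 certificate, the form 'enrollment terminal' expects.
split_p7_certs() {
  p7="$1"; dir=$(dirname "$p7")
  openssl pkcs7 -inform DER -in "$p7" -print_certs |
    awk -v d="$dir" '
      /-----BEGIN CERTIFICATE-----/ { n++; f = d "/p7cert-" n ".pem" }
      f != "" { print > f }
      /-----END CERTIFICATE-----/ { close(f); f = "" }
      END { print n + 0 }'
}

# One line per certificate: subject|signature algorithm|RSA key bits
report_p7_certs() {
  p7="$1"; dir=$(dirname "$p7")
  n=$(split_p7_certs "$p7")
  i=1
  while [ "$i" -le "$n" ]; do
    f="$dir/p7cert-$i.pem"
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    text=$(openssl x509 -in "$f" -noout -text)
    sig=$(printf '%s\n' "$text" | grep 'Signature Algorithm' | head -n 1 | awk '{print $NF}')
    bits=$(printf '%s\n' "$text" | grep -o '([0-9]* bit)' | head -n 1 | tr -dc '0-9')
    printf '%s|%s|%s\n' "$subj" "$sig" "$bits"
    i=$((i + 1))
  done
}

# Print a line for each certificate with a property the thread suspects the
# IOS 12.4(15)T7 / ASA 8.2(3) code of rejecting: a SHA-2 family signature or
# an RSA key larger than 2048 bits. Prints nothing when no certificate is hit.
flag_legacy_issues() {
  report_p7_certs "$1" | while IFS='|' read -r subj sig bits; do
    case "$sig" in
      sha256*|sha384*|sha512*) echo "SHA-2 signature: $subj ($sig)" ;;
    esac
    if [ "${bits:-0}" -gt 2048 ]; then
      echo "RSA key > 2048 bits: $subj ($bits bit)"
    fi
  done
}

# Assumed scratch location for the constructed chain
WORK=$(mktemp -d)
P7=$(build_sample_chain "$WORK")
echo "Certificates in $P7:"
report_p7_certs "$P7"
echo "Properties older IOS/ASA images may reject:"
flag_legacy_issues "$P7"
```

On the constructed chain this reports two certificates and flags three items: the root for both its sha256 signature and its 4096-bit key, and the issuing CA for its sha256 signature. The split PEM files also give a quick way to isolate which member of the bundle a device chokes on: authenticate the trustpoint against one of them at a time instead of the whole PKCS#7.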


New Member

Re: Certificate Authority certificate: status = FAIL, cert length = 0

Thank you both, Jennifer and Jason, I think we found the cause of error.
