Certificate Authority certificate: status = FAIL, cert length = 0

tasha_m73
Level 1

Hi all,

We have installed a new MS root CA and issuing CA (Windows Server 2008 R2 Enterprise) in a test environment. When I tried to get the CA certificate from some Cisco devices (router 1800, ASA 5510, 5520), it failed. It is the same situation with the "enrollment url" or "enrollment terminal" command:

Router:

PKI-test(config)#crypto ca authenticate NIS_CA
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

PKI-test(config)#
Nov 23 16:17:01.764: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=NIS_CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: xxxxxx

Nov 23 16:17:01.768: CRYPTO_PKI: locked trustpoint NIS_CA, refcount is 1
Nov 23 16:17:01.768: CRYPTO_PKI: http connection opened
Nov 23 16:17:01.768: CRYPTO_PKI: Sending HTTP message

Nov 23 16:17:01.768: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: xxxxxxx


Nov 23 16:17:01.772: CRYPTO_PKI: unlocked trustpoint NIS_CA, refcount is 0
Nov 23 16:17:01.772: CRYPTO_PKI: locked trustpoint NIS_CA, refcount is 1
Nov 23 16:17:01.776: CRYPTO_PKI: unlocked trustpoint NIS_CA, refcount is 0
Nov 23 16:17:01.776: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 5810
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 23 Nov 2010 16:17:01 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

Nov 23 16:17:01.776: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=NIS_CA)

Nov 23 16:17:01.788: The PKCS #7 message contains 4 certificates.
Nov 23 16:17:01.792: CRYPTO_PKI: status = 0x712(E_ATTRIBUTE_VALUE_LEN : attribute value length is invalid (%n0)): crypto_pkcs7_extract_ca_cert returned
Nov 23 16:17:01.792: CRYPTO_PKI: Unable to read CA/RA certificates.
Nov 23 16:17:01.792: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Nov 23 16:17:01.792: CRYPTO_PKI: transaction GetCACert completed

ASA:

ASA(config)# crypto ca authenticate QLABCA


CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Length: 5810
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 27 Nov 2010 16:57:43 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=QLABCA)

crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0

Is it possible that Cisco devices don't support CA root public key length 4096 and subordinate CA 2048?

Or does anybody have another idea?

Thanks in advance ...


8 Replies

Jennifer Halim
Cisco Employee

IOS router does support CA root public key length 4096 and subordinate CA 2048 in the later 12.4T IOS version.

Which IOS are you currently running?

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)

Cisco Adaptive Security Appliance Software Version 8.2(3)

Have you tried it manually instead of automatic enrollment?

Yes, I tried with "enrollment terminal" on the ASA but I got the same error, status=FAIL. I think I didn't try manual enrollment on the router, but I will as soon as possible.

Same situation/error when I manually tried to paste the CA certificate chain.

Unfortunately I couldn’t get any debug message with manual authentication.

PKI-test(config)#crypto ca authenticate NIS_CA

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIMXgYJKoZIhvcNAQcCoIIMTzCCDEsCAQExADALBgkqhkiG9w0BBwGgggwzMIIG
ojCCBIqgAwIBAgIKYUsTugAAAAAAAjANBgkqhkiG9w0BAQs
.....
+aK+bNl2yX9KBldhBd+vChcnUqabSRnfWfuo/6JXjm+67JY3xn0CwHwoId520D5P
ibN/+oqT68Vm3IbMsfQuQMn7YevCyPQyxeIj6f3nRLg+JNeqylKNVgAdL7tOXEPZ
MQA=
-----END CERTIFICATE-----
quit
% Error in saving certificate: status = FAIL


Could the Cisco devices have a problem because our test CA certificate use signature algorithm sha256RSA?

Yes, this could be the issue.  ASA doesn't support SHA2 as of yet.

--Jason

Thank you both, Jennifer and Jason, I think we found the cause of error.
