11-27-2010 09:03 AM
Hi all,
we have installed a new MS root CA and issuing CA (Windows Server 2008 R2 Enterprise) in a test environment. When I tried to get the CA certificate from some Cisco devices (router 1800, ASA 5510, 5520), it failed. It is the same situation with the "enrollment url" or "enrollment terminal" command:
Router:
PKI-test(config)#crypto ca authenticate NIS_CA
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
PKI-test(config)#
Nov 23 16:17:01.764: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=NIS_CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: xxxxxx
Nov 23 16:17:01.768: CRYPTO_PKI: locked trustpoint NIS_CA, refcount is 1
Nov 23 16:17:01.768: CRYPTO_PKI: http connection opened
Nov 23 16:17:01.768: CRYPTO_PKI: Sending HTTP message
Nov 23 16:17:01.768: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: xxxxxxx
Nov 23 16:17:01.772: CRYPTO_PKI: unlocked trustpoint NIS_CA, refcount is 0
Nov 23 16:17:01.772: CRYPTO_PKI: locked trustpoint NIS_CA, refcount is 1
Nov 23 16:17:01.776: CRYPTO_PKI: unlocked trustpoint NIS_CA, refcount is 0
Nov 23 16:17:01.776: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 5810
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 23 Nov 2010 16:17:01 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
Nov 23 16:17:01.776: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=NIS_CA)
Nov 23 16:17:01.788: The PKCS #7 message contains 4 certificates.
Nov 23 16:17:01.792: CRYPTO_PKI: status = 0x712(E_ATTRIBUTE_VALUE_LEN : attribute value length is invalid (%n0)): crypto_pkcs7_extract_ca_cert returned
Nov 23 16:17:01.792: CRYPTO_PKI: Unable to read CA/RA certificates.
Nov 23 16:17:01.792: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Nov 23 16:17:01.792: CRYPTO_PKI: transaction GetCACert completed
ASA:
ASA(config)# crypto ca authenticate QLABCA
CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Length: 5810
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 27 Nov 2010 16:57:43 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=QLABCA)
crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0
Is it possible that Cisco devices don't support CA root public key length 4096 and subordinate CA 2048?
Or does anybody have another idea?
Thanks in advance ...
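The reply both devices choke on is a degenerate PKCS#7 SignedData (Content-Type application/x-x509-ca-ra-cert) holding the CA and RA certificates. The script below, an added example that is not from this thread or from Cisco, walks that structure with a small DER decoder and reports each certificate's signature algorithm and RSA modulus size, which is exactly what the thread's two hypotheses (4096-bit root, sha256RSA signatures) turn on. The certificates it parses are constructed in the script itself (unsigned shells with only the inspected fields filled in); on a real device you would save the GetCACert response body and pass those bytes to inspect_ca_ra_cert instead.

```python
# Added diagnostic (not the thread's own code); the sample certificates are constructed, not real.
def der(tag, body):                                   # minimal DER TLV encoder
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf, i=0):                                    # -> (tag, value bytes, next offset)
    tag, n, j = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                      # long-form length
        k = n & 0x7F; n, j = int.from_bytes(buf[j:j + k], "big"), j + k
    return tag, buf[j:j + n], j + n

def children(body):                                   # every TLV directly inside a constructed value
    out, i = [], 0
    while i < len(body):
        t, v, i = tlv(body, i); out.append((t, v))
    return out

PKCS1 = bytes.fromhex("2a864886f70d0101")             # OID arc 1.2.840.113549.1.1
OID_RSA, OID_SHA1_RSA, OID_SHA256_RSA = (der(6, PKCS1 + b) for b in (b"\x01", b"\x05", b"\x0b"))
OID_SIGNED_DATA, OID_DATA = der(6, PKCS1[:-1] + b"\x07\x02"), der(6, PKCS1[:-1] + b"\x07\x01")
NULL = b"\x05\x00"
SIG_NAMES = {PKCS1 + b"\x05": "sha1WithRSAEncryption", PKCS1 + b"\x0b": "sha256WithRSAEncryption"}

def fake_cert(sig_oid, bits):                         # constructed X.509 shell, not a real certificate
    modulus = b"\x00" + b"\xff" * (bits // 8)         # leading zero keeps the INTEGER positive
    spki = der(0x30, der(0x30, OID_RSA + NULL)
               + der(3, b"\x00" + der(0x30, der(2, modulus) + der(2, b"\x01\x00\x01"))))
    sig_alg = der(0x30, sig_oid + NULL)
    tbs = der(0x30, der(0xA0, der(2, b"\x02")) + der(2, b"\x01") + sig_alg + der(0x30, b"")
              + der(0x30, der(0x17, b"101123000000Z") * 2) + der(0x30, b"") + spki)
    return der(0x30, tbs + sig_alg + der(3, b"\x00" * 33))

def degenerate_pkcs7(certs):                          # SignedData with no signers, just a certificate bag
    body = der(2, b"\x01") + der(0x31, b"") + der(0x30, OID_DATA) + der(0xA0, b"".join(certs)) + der(0x31, b"")
    return der(0x30, OID_SIGNED_DATA + der(0xA0, der(0x30, body)))

def inspect_ca_ra_cert(pkcs7):
    """Return [(signature algorithm, RSA modulus bits)] for each certificate in the bag."""
    (_, ctype), (_, wrapped) = children(tlv(pkcs7)[1])
    assert ctype == OID_SIGNED_DATA[2:], "not PKCS#7 SignedData"
    certs = next(v for t, v in children(tlv(wrapped)[1]) if t == 0xA0)  # [0] IMPLICIT certificates
    out = []
    for _, cert in children(certs):
        (_, tbs), (_, sig_alg), _ = children(cert)
        fields = [f for f in children(tbs) if f[0] != 0xA0]            # drop EXPLICIT version
        bitstr = children(fields[5][1])[1][1]                          # subjectPublicKeyInfo -> BIT STRING
        modulus = children(tlv(bitstr[1:])[1])[0][1]                   # RSAPublicKey.modulus
        oid = children(sig_alg)[0][1]
        out.append((SIG_NAMES.get(oid, oid.hex()), int.from_bytes(modulus, "big").bit_length()))
    return out

SAMPLE = degenerate_pkcs7([fake_cert(OID_SHA256_RSA, 4096), fake_cert(OID_SHA256_RSA, 2048), fake_cert(OID_SHA1_RSA, 2048)])
```

Any entry reporting sha256WithRSAEncryption or a modulus above 2048 bits is the one to compare against the device's release notes before assuming the SCEP service itself is broken.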
11-27-2010 02:41 PM
The IOS router does support a CA root public key length of 4096 and a subordinate CA of 2048 in the later 12.4T IOS versions.
Which IOS are you currently running?
11-28-2010 02:32 AM
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Cisco Adaptive Security Appliance Software Version 8.2(3)
11-28-2010 04:04 AM
Have you tried it manually instead of automatic enrollment?
11-28-2010 04:22 AM
Yes, I tried with "enrollment terminal" on ASA but I got the same error, status=FAIL. I think I didn't try manual enrollment on router, but I will as soon as possible.
11-28-2010 06:33 AM
Same situation/error when I manually tried to paste the CA certificate chain.
Unfortunately I couldn’t get any debug message with manual authentication.
PKI-test(config)#crypto ca authenticate NIS_CA
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIMXgYJKoZIhvcNAQcCoIIMTzCCDEsCAQExADALBgkqhkiG9w0BBwGgggwzMIIG
ojCCBIqgAwIBAgIKYUsTugAAAAAAAjANBgkqhkiG9w0BAQs
.....
+aK+bNl2yX9KBldhBd+vChcnUqabSRnfWfuo/6JXjm+67JY3xn0CwHwoId520D5P
ibN/+oqT68Vm3IbMsfQuQMn7YevCyPQyxeIj6f3nRLg+JNeqylKNVgAdL7tOXEPZ
MQA=
-----END CERTIFICATE-----
quit
% Error in saving certificate: status = FAIL
11-30-2010 12:29 AM
Could the Cisco devices have a problem because our test CA certificate uses the signature algorithm sha256RSA?
11-30-2010 07:03 AM
Yes, this could be the issue. ASA doesn't support SHA2 as of yet.
--Jason
11-30-2010 11:39 AM
Thank you both, Jennifer and Jason, I think we found the cause of error.