Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Cisco Employee

Could not Configure PKI on Pix Device


I am trying to enable pki on a pix6.3 device , but could not do this because of some failure

Here is the error message that the system reports when I given ca authenticate.. command

CRYPTO_PKI: socket connect error.

CRYPTO_PKI: status = 0: failed to open http connection

CRYPTO_PKI: status = 65535: failed to send out the pki message

CRYPTO_PKI: transaction GetCACert completed

This is the cli that I am trying to configure

ca generate rsa key 512

ca identity cisco x.x.x.x:/certsrv/mscep/mscep.dll

ca configure cisco ca 2 11

ca authenticate cisco xxxxx

Can I know if someone know what is the actual problem and any solution for it?



New Member

Re: Could not Configure PKI on Pix Device

Ok, I'll take a shot at this..

The error says your PIX couldn't connect to the CA server... Make sure you're not blocking TCP traffic between the PIX & the CA. If traffic isn't blocked, is the CA setup?...

>ca identity cisco x.x.x.x:/certsrv/mscep/mscep.dll

Looks like this a Microsoft CA server, is that right? If so, have you already installed the appropriate "Certificate Services Add-on" for the OS?

For 2000 Server, this would be: "Certificate Services Add-on for Cisco Enrollment Protocol," from the 2000 Server Resource Kit.

For 2003 Server, it would be: "Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services," from the 2003 Resource Kit.

(See the Resource Kit help docs, search for "CEP" or "Cisco").

If this is an MS CA server, you need to include a challenge password. To get the server to issue a challenge password, browse to: http://yourCA/certsrv/mscep/mscep.dll

Then run:

ca enroll [CA_IP_address]

("" is the challenge string that the CA issued)

>ca configure cisco ca 2 11

You could also try changing this so the PIX will accept certificates even if the CRL isn't accessible:

ca configure cisco ca 2 11 crloptional

And of course, make sure your clock is accurately set, etc. If you haven't already, see the following docs for info on configuring the PIX for CA's:

Configuring IPSec and Certification Authorities:

IPSec Between PIX & Cisco VPN Client Using Smartcard Certificates:


Cisco Employee

Re: Could not Configure PKI on Pix Device