06-30-2014 10:12 PM
I've got a simple lab for testing PKI:
198.0.0.1 - server
ip http server
ip http port 8080
ntp master 1
crypto key generate rsa general-keys label MAIN-CA modulus 1024 exportable
crypto pki server MAIN-CA
 database url nvram:
 issuer-name CN=MAIN-CA.lab.local L=BLG C=RU
 lifetime ca-certificate 365
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://198.0.0.1:8080/main-ca.cdp.main-ca.crl
 no shutdown
198.0.0.2 and 3 - clients (I want encrypted tunnel between them)
ntp server 198.0.0.1
crypto key generate rsa general-keys label CLIENT-CA modulus 1024
crypto ca trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto ca authenticate CLIENT-CA
crypto ca enroll CLIENT-CA
crypto isakmp policy 1
 encr aes
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile CRYPTO-PROFILE
 set transform-set AES256-SHA
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 198.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTO-PROFILE
Then I do
crypto pki server MAIN-CA grant 1
crypto pki server MAIN-CA grant 2
And everything is fine when the clients are like this:
crypto ca trustpoint CLIENT-CA
 revocation-check none
But when I do
revocation-check crl
I get these messages (debug crypto pki transactions):
Jul 1 14:33:40.280: CRYPTO_PKI: Trust-Point CLIENT-CA picked up
Jul 1 14:33:40.280: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 1 14:33:40.280: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 1 14:33:40.280: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 1 14:33:40.468: CRYPTO_PKI: Found a issuer match
Jul 1 14:33:40.480: CRYPTO_PKI: Retreive CRL using HTTP URI
Jul 1 14:33:40.480: CRYPTO_PKI: status = 0: poll CRL
Jul 1 14:33:40.484: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 1 14:33:40.484: CRYPTO_PKI: can not resolve server name/IP address
Jul 1 14:33:40.484: CRYPTO_PKI: Using unresolved IP Address 198.0.0.1
Jul 1 14:33:40.512: CRYPTO_PKI: http connection opened
Jul 1 14:33:40.516: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 1 14:33:40.516: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 1 14:33:40.584: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 1 14:33:40.584: CRYPTO_PKI: HTTP response header:
HTTP/1.1 404 Not Found
Date: Tue, 01 Jul 2014 14:33:40 GMT
Server: cisco-IOS
Accept-Ranges: none
Jul 1 14:33:40.588: E ../cert-c/source/crlobj.c(384) : Error #705h
Jul 1 14:33:40.592: CRYPTO_PKI: status = 1797: failed to set crl ber
Jul 1 14:33:40.592: CRYPTO_PKI: transaction Unknown completed
Jul 1 14:33:40.592: CRYPTO_PKI: Poll CRL callback
Jul 1 14:33:40.592: CRYPTO_PKI: Blocking chain verification callback received status: 105
Jul 1 14:33:40.596: CRYPTO_PKI: Certificate not validated
Jul 1 14:33:40.600: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 198.0.0.2 is bad: certificate invalid
So... what's wrong?
07-01-2014 04:28 AM
Strange... are you running this in a lab with physical equipment, or is this in a GNS3 virtual lab? If it is a virtual lab, then I suggest copying out your config, rebuilding your setup, and seeing if that helps.
Other than that, your config looks fine.
--
Please remember to select a correct answer and rate helpful posts
07-03-2014 10:41 AM
Didn't help. It was GNS, then I copied it to physical devices and nothing changed. I'm still getting 404. Also I checked
show crypto pki crls
and I'm getting blank, and:
R2(config)#crypto pki crl request CLIENT-CA
Jul 3 17:09:50.059: %PKI-4-CRLHTTPFETCHFAIL: CRL Request for trustpoint "CLIENT-CA" returned 404 Not Found
It seems I'm doing something wrong...
07-03-2014 11:10 AM
Do you get any output from the following command on the CA server?
crypto pki server ese-ios-ca info crl
--
Please remember to select a correct answer and rate helpful posts
07-03-2014 01:30 PM
#crypto pki server MAIN-CA info crl
Certificate Revocation List:
 Issuer: cn=MAIN-CA.lab.local L\=BLG C\=RU
 This Update: 06:17:02 UTC Jul 4 2014
 Next Update: 07:17:02 UTC Jul 4 2014
 Number of CRL entries: 0
 CRL size: 238 bytes
And when I revoked one of the granted certificates, I got:
#crypto pki server MAIN-CA info crl
Certificate Revocation List:
 Issuer: cn=MAIN-CA.lab.local L\=BLG C\=RU
 This Update: 06:23:41 UTC Jul 4 2014
 Next Update: 07:23:41 UTC Jul 4 2014
 Number of CRL entries: 1
 CRL size: 261 bytes
Revoked Certificates:
 Serial Number: 0x01
 Revocation Date: 06:23:41 UTC Jul 4 2014
So the revocation list is fine. But no one can get it.
07-05-2014 01:23 AM
Hmm... odd.
I would need to lab your setup to see what results I get. Will try to do that tonight.
--
Please remember to select a correct answer and rate helpful posts
07-06-2014 02:26 AM
OK, found it. Kind of a typo. Don't remember where I got it, but this part of the client's config is wrong:
crypto ca trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto ca authenticate CLIENT-CA
crypto ca enroll CLIENT-CA
it should be like this:
crypto pki trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto pki authenticate CLIENT-CA
crypto pki enroll CLIENT-CA
Anyway, thanks for helping.
07-08-2014 05:27 AM
Nice! Glad you got it sorted.
07-08-2014 10:44 AM
Nope. That wasn't the cause.
Now it works in both variants, with "crypto pki" and with "crypto ca". Don't know why. It... just started to work. I did the same steps and got HTTP 200 OK.
So... I'll post if I find out something new.
07-11-2014 02:15 AM
I've finally got the exact steps for my error to appear. All configs are the same. So I create the PKI server and the trustpoint on the client. Then I authenticate and enroll. At this moment I can see the client's request on the server:
#crypto pki server MAIN-CA info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending 4B8AF9BDD3E6D3ED59AED4CF0C8100CB hostname=client.lab.local
And also at this moment I can successfully request the CRL on the client:
#crypto pki crl request CLIENT-CA
Then I do
#crypto pki server MAIN-CA grant 1
I can still request the CRL. But when I get this debug output on the client (debug crypto pki transactions), I start getting 404 errors:
Jul 11 18:54:00.933: CRYPTO_PKI: resend GetCertInitial, 2
Jul 11 18:54:00.933: CRYPTO_PKI: All sockets are closed for trustpoint CLIENT-CA.
Jul 11 18:54:00.933: CRYPTO_PKI: resend GetCertInitial for session: 0
Jul 11 18:54:00.937: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 11 18:54:00.937: CRYPTO_PKI: can not resolve server name/IP address
Jul 11 18:54:00.937: CRYPTO_PKI: Using unresolved IP Address 198.0.0.1
Jul 11 18:54:00.997: CRYPTO_PKI: http connection opened
Jul 11 18:54:02.001: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 11 18:54:02.081: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 11 18:54:02.273: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 11 18:54:02.273: CRYPTO_PKI: received msg of 1680 bytes
Jul 11 18:54:02.277: CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Date: Fri, 11 Jul 2014 18:54:02 GMT
Server: cisco-IOS
Content-Type: application/x-pki-message
Expires: Fri, 11 Jul 2014 18:54:02 GMT
Last-Modified: Fri, 11 Jul 2014 18:54:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none
Jul 11 18:54:02.337: The PKCS #7 message has 1 verified signers.
Jul 11 18:54:02.337: signing cert: issuer=cn=MAIN-CA.lab.local L\=BLG C\=RU1
Jul 11 18:54:02.337: Signed Attributes:
Jul 11 18:54:02.337: CRYPTO_PKI: status = 100: certificate is granted
Jul 11 18:54:02.389: The PKCS #7 message contains 1 certs and 0 crls.
Jul 11 18:54:02.401: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.401: Newly-issued Router Cert: issuer=cn=MAIN-CA.lab.local L\=BLG C\=RU serial=2
Jul 11 18:54:02.401: start date: 18:53:42 UTC Jul 11 2014
Jul 11 18:54:02.401: end date: 18:50:24 UTC Jul 11 2015
Jul 11 18:54:02.401: Router date: 18:54:02 UTC Jul 11 2014
Jul 11 18:54:02.401: Received router cert from CA
Jul 11 18:54:02.401: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.409: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: %PKI-6-CERTRET: Certificate received from Certificate Authority
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
So as soon as the enrollment is complete and the certificate is received, I can no longer request the CRL.
And I still need help with this.
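A way to check the CDP path independently of the router, as an added diagnostic that is not part of this thread: it fetches a CDP URL the way a CRL client would, reports the HTTP status, and checks that a 200 response actually carries a DER-encoded body (first byte 0x30, the ASN.1 SEQUENCE tag a CRL starts with). The tiny HTTP server and the fake CRL bytes are constructed stand-ins so it runs offline; the URL in the main guard is the one from the thread's CA config.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample: bytes shaped like a DER CRL (outer SEQUENCE tag 0x30). Not a real CRL.
FAKE_CRL = b"\x30\x82\x00\xfa" + b"\x00" * 250


class _CdpHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the CA's HTTP server: serves the CRL at exactly one path."""

    def do_GET(self):
        if self.path == "/main-ca.crl":
            self.send_response(200)
            self.send_header("Content-Type", "application/pkix-crl")
            self.send_header("Content-Length", str(len(FAKE_CRL)))
            self.end_headers()
            self.wfile.write(FAKE_CRL)
        else:
            self.send_error(404)  # any other path: the 404 seen in the debug output

    def log_message(self, *args):
        pass  # keep the server quiet


def start_fake_cdp_server():
    """Start the stand-in server on an ephemeral localhost port; returns the server."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _CdpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_cdp(url, timeout=5):
    """Fetch a CDP URL and classify the result as (http_status, verdict).
    verdict is 'ok' only for a 200 whose body starts with a DER SEQUENCE tag."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, "http error: %d %s" % (e.code, e.reason)
    except urllib.error.URLError as e:
        return None, "unreachable: %s" % e.reason
    if not body:
        return status, "empty body"
    if body[0] != 0x30:
        return status, "body is not DER (no SEQUENCE tag)"
    return status, "ok"


if __name__ == "__main__":
    print(check_cdp("http://198.0.0.1:8080/main-ca.cdp.main-ca.crl"))
```

A 404 here means the CA's HTTP server has nothing at that path, regardless of trustpoint state; a 200 with a non-DER body usually means a web page or an error document is being served in place of the CRL.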