10-12-2005 05:06 AM
I am having trouble trying to request certificates on a PIX 515 (Cisco PIX Firewall Version 6.3(3)).
The VPN and certificate side was working before but started having problems due to the certificate becoming invalid. To cut a long story short, we had to reconfigure the PIX, which has solved some issues, but I am not getting anywhere when trying to do an authenticate, as the following error comes up: % No CA root cert exists. Use "ca authenticate".
No matter how many times I do a CA authenticate, this error still appears.
The CA identity is "ca identity my-ca CA 10.10.1.10://certsrv/mscep/mscep.dll", and if I put 10.10.1.10//certsrv/mscep/mscep.dll in a URL, I end up with the SCEP welcome page with the CA's certificate fingerprint.
Example of steps taken with debug crypto on:
pix515(config)# ca authenticate my-ca
pix515(config)# ca enroll my-ca 123456
% No CA root cert exists. Use "ca authenticate"
pix515(config)# debug crypto ca
pix515(config)# ca authenticate my-ca
CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
pix515(config)#
CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert
CRYPTO_PKI: status = 324: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!
pix515(config)# ca enroll vpn-ca 123456
% No CA root cert exists. Use "ca authenticate"
10-18-2005 07:45 AM
I think what you are missing is the "ca identity ..." command on the PIX. After configuring the hostname and domain-name on the PIX, this is the first command needed to configure the PIX to use a CA for authentication. Also, did you generate the RSA key using the "ca generate key ..." command?
See the link below for configuring the PIX to use CA for IKE authentication.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#wp1036081
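For reference, here is the complete PIX 6.3 CA bootstrap sequence that the reply above describes, written out as an added example; it is not configuration from the original thread or from the linked Cisco page. The CA nickname (my-ca), CA address, mscep.dll path and challenge password (123456) are taken from the question; the domain name, the RSA modulus size, the RA mode and the retry values are assumptions, and the lines beginning with ":" are PIX comment lines that the parser ignores.

```cisco
: Added example: PIX 6.3 IKE-with-certificates bootstrap (constructed, not the poster's config)
: hostname and domain-name must be set first; they become the subject/FQDN of the enrollment request
hostname pix515
domain-name example.com
: generate the RSA key pair before anything else; the SCEP request is signed with it (size is an assumption)
ca generate rsa key 1024
: point the PIX at the SCEP endpoint; path matches the mscep.dll URL from the question
ca identity my-ca 10.10.1.10:/certsrv/mscep/mscep.dll
: Microsoft's SCEP add-on acts as a registration authority, hence "ra"; 1-minute retry, 20 retries,
: crloptional lets IKE complete if a CRL cannot be fetched (assumed values, tune to policy)
ca configure my-ca ra 1 20 crloptional
: fetch the CA certificate; the PIX prints its fingerprint. Compare it against the fingerprint shown
: on the SCEP welcome page (obtained out of band) and accept only on a match.
ca authenticate my-ca
: request the identity certificate; 123456 is the SCEP challenge password from the question
ca enroll my-ca 123456
: keys and certificates live in RAM until saved; write them to flash
ca save all
: verify what the PIX now holds
show ca identity
show ca certificate
```

Two points worth keeping in mind with this sequence: the "No CA root cert exists" message is expected whenever ca authenticate has not completed successfully, so a ca enroll issued before the CA certificate is stored will always fail with it; and because SCEP runs over plain HTTP, the fingerprint comparison at the ca authenticate step is the only thing binding the PIX to the genuine CA, so it should be checked rather than skipped.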
10-19-2005 07:03 AM
Hi, I have done that, but thanks for your response. I have managed to solve the problem. I did a debug crypto ca and noticed that the issue was not with the PIX but with the CA server. I reloaded SCEP and that solved the problem.
Thanks