% No CA root cert exists. Use "ca authenticate" problems

grantcampbell1
Level 1

I am having trouble trying to request certificates on a PIX 515 (Cisco PIX Firewall Version 6.3(3)).

The VPN and certificate side was working before but started getting problems due to the certificate becoming invalid. To cut a long story short, we had to reconfigure the PIX, which has solved some issues, but I am not getting anywhere when trying to do an authenticate, as the following error comes up: % No CA root cert exists. Use "ca authenticate".

No matter how many times I do a CA authenticate, this error still appears.

The CA identity is "ca identity my-ca CA 10.10.1.10://certsrv/mscep/mscep.dll", and if I put 10.10.1.10//certsrv/mscep/mscep.dll in a URL, I end up with the SCEP welcome page with the CA's certificate fingerprint.

Example of the steps taken with debug crypto on:

pix515(config)# ca authenticate my-ca

pix515(config)# ca enroll my-ca 123456

% No CA root cert exists. Use "ca authenticate"

pix515(config)# debug crypto ca

pix515(config)# ca authenticate my-ca

CI thread sleeps!

Crypto CA thread wakes up!

CRYPTO_PKI: http connection opened

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

pix515(config)#

CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert

CRYPTO_PKI: status = 324: failed to verify

CRYPTO_PKI: transaction GetCACert completed

Crypto CA thread sleeps!

CI thread wakes up!

pix515(config)# pix515(config)# ca enroll vpn-ca 123456

% No CA root cert exists. Use "ca authenticate"

2 Replies

vkapoor5
Level 5

I think what you are missing is the "ca identity ...." command on the PIX. After configuring the hostname and domain-name on the PIX, this is the first command needed to configure the PIX to use a CA for authentication. Also, did you generate the RSA key using the "ca generate key ...." command?

See the link below for configuring the PIX to use CA for IKE authentication.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#wp1036081

Hi, I have done that, but thanks for your response. I have managed to solve the problem. I did a debug crypto ca and noticed that the issue was not with the PIX but with the CA server. I reloaded SCEP and that solved the problem.

Thanks
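The debug output above fails at "checking certificate using self signed certificate" during GetCACert, and the thread resolves it on the SCEP server side. The script below is an added example, not from this thread or from Cisco: it fetches the CA certificate the same way a SCEP client does and checks, offline, that the certificate really is self-signed with a valid signature, printing its fingerprint to compare with the mscep welcome page. It assumes openssl and curl are installed; the function names, the GetCACert query form (RFC 8894), and the CA identifier argument are my own, while the host 10.10.1.10 is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Checks what a SCEP client such as the PIX
# receives from GetCACert: a self-signed CA certificate whose own signature
# verifies. Assumes openssl and curl; host/CA name are caller-supplied.
set -eu

# fetch_cacert HOST CANAME OUTFILE: pull the CA cert as a SCEP client does
# (GetCACert operation, raw DER on the wire). Not used by the offline test.
# Example from the thread's setup: fetch_cacert 10.10.1.10 my-ca /tmp/ca.der
fetch_cacert() {
    curl -sf "http://$1/certsrv/mscep/mscep.dll?operation=GetCACert&message=$2" \
        -o "$3"
}

# check_ca_cert DERFILE: returns 0 and prints subject + fingerprints when the
# file holds a self-signed certificate whose signature verifies, 1 otherwise.
# This is the step the PIX debug reported as failing (status 324).
check_ca_cert() {
    pem=$(mktemp)
    if ! openssl x509 -inform DER -in "$1" -out "$pem" 2>/dev/null; then
        echo "not a single DER certificate (a PKCS#7 bundle needs" \
             "'openssl pkcs7 -inform DER -print_certs' first)" >&2
        rm -f "$pem"; return 1
    fi
    # -check_ss_sig makes OpenSSL verify the root's own signature, which it
    # skips by default; a cert that is not self-signed fails here too.
    if ! openssl verify -check_ss_sig -CAfile "$pem" "$pem" >/dev/null 2>&1; then
        echo "certificate is not self-signed or its signature does not verify" >&2
        rm -f "$pem"; return 1
    fi
    # Fingerprints to compare against the value shown on the mscep welcome page
    # (which digest that page uses depends on the server version).
    openssl x509 -in "$pem" -noout -subject -fingerprint -sha1
    openssl x509 -in "$pem" -noout -fingerprint -md5
    rm -f "$pem"
}
```

If the fetched certificate fails this check while the welcome page shows a valid fingerprint, the SCEP service itself is serving bad data, which matches the thread's resolution of reloading SCEP on the server.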