Cisco Support Community
New Member

PIX and Microsoft CA woes

As subject:

I've been trying to get PIX with MS SCEP working (6.2(2) and 6.3(x) code both exhibit the same error). All I get when trying to auth the CA server is the following:

CI thread sleeps!

Crypto CA thread wakes up!

CRYPTO_PKI: http connection opened

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

msgsym(GETCARACERT, CRYPTO)!

%Error in connection to Certificate Authority: status = FAIL

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: WARNING: A certificate chain could not be constructued while selecting certificate status

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: WARNING: A certificate chain couold not be constructed while selecting certificate status

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not get decoded name

CRYPTO_PKI: transaction GetCACert completed

Crypto CA thread sleeps!

CI thread wakes up!

It connects via HTTP fine, as the webserver logs show what appears to be a correct GET request (/certsrv/mscep/mscep.dll) and the debug shows:

CRYPTO_PKI: http connection opened

Getting certs via web browser seems to work ok

Using IOS routers works fine (12.2.17) as well.

Only thing I can think of is maybe MS Update updated SCEP to something that PIXies don't understand but routers do, e.g. like the Win2003 SCEP update which requires IOS 12.2.6 or greater.

Any thoughts, as this is really annoying me now

3 REPLIES
Bronze

Re: PIX and Microsoft CA woes

Hi,

PIX cannot retrieve root/ID certificate to a Microsoft CA Enterprise server running as a subordinate.

If you're running one, try and run it as standalone CA.

thx

Afaq

New Member

Re: PIX and Microsoft CA woes

Thanks for the idea, however it is already a standalone :(

I've managed to track some of the problem to a * char in the organisation name (Strange that routers accept it, and PIXies don't), and having rebuilt the CA without this issue now get the following error:

CRYPTO_PKI: http connection opened

CRYPTO_PKI: WARNING: A certificate chain couold not be constructed while selecting certificate status

CRYPTO_PKI: WARNING: A certificate chain couold not be constructed while selecting certificate status

msgsym(GETCARACERT, CRYPTO)!

%Error in connection to Certificate Authority: status = FAIL

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: transaction GetCACert completed.

I think this may be related to lack of CA name FQDN on the MS Certificate server side.

New Member

Re: PIX and Microsoft CA woes

Gareth,

Check your IIS configuration, especially Execute Permissions (should be Scripts and Executables!) and Application Protection (should be Low (IIS process)) in the certsrv virtual directory.

That solved my problem ;)

BR, Rok
