The PIX with CA problem?

sunrise_zhang
Level 1

When I first successfully installed and configured the CA server (Win2k Advanced) and SCEP, my PIX535 could get the certificate and enroll to the CA successfully.

But when I reinstalled the CA program and SCEP, my PIX535 could still get the certificate from the CA server, but couldn't enroll to the CA server. It says no CA root cert exists, even though I tried lots of times. Below are the procedures, for example:

PIX535(config)# ca id myca 172.16.1.2:/certsrv/mscep/mscep.dll
PIX535(config)# ca config myca ra 1 5
PIX535(config)# ca authen myca

# Then I went to my CA link 172.16.1.2:/certsrv/mscep/mscep.dll, input the username and password, and got the password: xxxx

PIX535(config)# ca enroll myca xxxx
% No CA root cert exists. Use "ca authenticate"

# Retried, getting another password: xxxx

PIX535(config)# ca enroll myca xxxx
% No CA root cert exists. Use "ca authenticate"

PIX535(config)# sh ca cert

CA Certificate
Status: Available
Certificate Serial Number: xxxx
Key Usage: Signature
CN = MYNET
OU = MYNETWORK
O = NETWORK
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> JACKY@HZCNC.COM
Validity Date:
start date: 01:54:56 Beijing Feb 6 2004
end date: 02:04:56 Beijing Feb 6 2005

CA Certificate
Status: Available
Certificate Serial Number: xxxx
Key Usage: Encryption
CN = MYNET
OU = MYNETWORK
O = NETWORK
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> JACKY@HZCNC.COM
Validity Date:
start date: 01:54:56 Beijing Feb 6 2004
end date: 02:04:56 Beijing Feb 6 2005

CA Certificate
Status: Available
Certificate Serial Number: xxxx
Key Usage: Signature
CN = MYNET
OU = MYNETWORK
O = NETWORK
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> JACKY@HZCNC.COM
Validity Date:
start date: 01:42:41 Beijing Feb 6 2004
end date: 01:46:25 Beijing Feb 6 2006

PIX535# sh ca mypub rsa

% Key pair was generated at: 09:20:43 Beijing Feb 5 2004
Key name: PIX535.MYNET.COM
Usage: General Purpose Key
Key Data:
xxxxx

% Key pair was generated at: 10:32:46 Beijing Feb 5 2004
Key name: PIX535.MYNET.COM.server
Usage: Encryption Key
Key Data:
xxxxxx

Can you tell me what the problem is? Thank you very much.

21 Replies

jsivulka
Level 5

I'm not sure as to what you mean by "reinstall the CA program". The PIXOS version is not mentioned either. Depending on your version, some of the bugs that could be relevant to you are CSCdr53834, CSCdr53799, CSCdz28330 and CSCdt60308.

d-garnett
Level 3

First off, make sure that you are saving your keys with "ca save all" or you will lose them.

As far as your current issue...

That happened to me many times using Win2000 Server. I could never get it to work with Win2000 Server. I was using the wrong version of SCEP (cepsetup.exe), and MSCEP.DLL was not registered with the web service IIS. MAKE SURE THAT MSCEP.DLL IS REGISTERED WITH IIS OR IT WILL FAIL. There are versions of SCEP that have bugs (the one I had). They say the one that comes with the Windows 2000 Security Resource Kit should work fine.

I have no problems using it on Win2003 Server.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9f306763-d036-41d8-8860-1636411b2d01

This is from my site; scroll down to the part where it says "Configuring Certificate-Based VPN Connections":

http://www.getconnected-it.com.phtemp.com/infoarch.html

Thanks to the two professionals above. According to your replies, I reconfigured my CA server again and re-registered MSCEP.dll using "regsvr32 c:\winnt\system32\certsrv\mscep\MSCEP.dll".

Now I can enroll my VPN client's personal certificate to the CA server successfully, but my PIX still couldn't enroll to the CA server (my PIX has OS version 6.3(3) UNR). This time the problem is different from the one above: when I enroll to the CA server, it shows me the correct information and waits for the certificate to be issued by the CA server; then I issued the certificate request on the CA server for the PIX, but the pending status still stays on my PIX. Look at the procedure:

PIX535(config)# ca z rsa
PIX535(config)# clea ca
PIX535(config)#
PIX535(config)# ca gen rsa key 1024
For >= 1024, key generation could
take up to several minutes. Please wait.
Keypair generation process begin.
.Success.
PIX535(config)#
PIX535(config)# ca
CIERR: The ca command requires at least one option!
Usage: ca generate rsa key|specialkey
[no] ca identity [
[:] []]
[show] ca configure [ca|ra
[crloptional]]
ca authenticate []
[no] ca enroll [serial] [ipaddress]
[no] ca save all
show ca certificate
show ca mypubkey rsa
ca zeroize rsa
[no | show] ca crl [request ]
[no | show] ca subject-name []
[no | show] ca verifycertdn []
PIX535(config)#
PIX535(config)# ca id CA-SERVER 172.16.1.2:/certsrv/mscep/mscep.dll
PIX535(config)# ca config CA-SERVER ra 1 3 crl
PIX535(config)# ca authen CA-SERVER
PIX535(config)#
PIX535(config)# ca enroll CA-SERVER 15780FD38160179E
%
% Start certificate enrollment ..
% The subject name in the certificate will be: PIX535.MYNET.COM
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
PIX535(config)#
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: status = 102: certificate request pending
PIX535(config)#
PIX535(config)# sh ca cert

RA Signature Certificate
Status: Available
Certificate Serial Number: 610b6905000000000002
Key Usage: Signature
CN = RA-SERVER
OU = QWARETECH
O = QWARE
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> ZHANGXS@QWARE.COM
Validity Date:
start date: 23:38:19 Beijing Feb 11 2004
end date: 23:48:19 Beijing Feb 11 2005

CA Certificate
Status: Available
Certificate Serial Number: 33349ce63827cf884beb83ec4ed378c0
Key Usage: Signature
CN = CA-SERVER
OU = QWARETECH
O = QWARE
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> ZHANGXS@QWARE.COM
Validity Date:
start date: 23:34:51 Beijing Feb 11 2004
end date: 23:42:01 Beijing Feb 11 2006

RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 610b69b1000000000003
Key Usage: Encryption
CN = RA-SERVER
OU = QWARETECH
O = QWARE
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> ZHANGXS@QWARE.COM
Validity Date:
start date: 23:38:20 Beijing Feb 11 2004
end date: 23:48:20 Beijing Feb 11 2005

Certificate
Subject Name
Name: PIX535.MYNET.COM
Status: Pending
Key Usage: General Purpose
Fingerprint: ae58384a 253f3e37 b2f6ef0e c8cea305
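The two listings in this thread show the two states worth checking before blaming the CA: the first post has CA certificates but "ca enroll" reports no root cert, and the listing above has the RA and CA certificates in place while the PIX's own request sits in Pending. As an added example (not code from the thread or from Cisco), the script below parses "show ca certificate" output in the format pasted above and reports a missing CA certificate, pending requests, and expired or not-yet-valid certificates. The sample listing is constructed from the output above; the date format assumes the zone name is printed between the time and the month, as the PIX does here.

```python
"""Parse PIX 'show ca certificate' output and flag enrollment problems.

Added example, not code from the thread. The record layout follows the
listing pasted above; the checks are the ones worth making before
blaming the CA: is a CA root certificate present at all, is a request
still pending on the CA, and is anything expired or not yet valid.
"""
from datetime import datetime

# Constructed sample, modelled on the listing above (names and serials
# are the thread's own values, trimmed to the fields the parser needs).
SAMPLE = """\
RA Signature Certificate
Status: Available
Certificate Serial Number: 610b6905000000000002
Key Usage: Signature
CN = RA-SERVER
OU = QWARETECH
Validity Date:
start date: 23:38:19 Beijing Feb 11 2004
end date: 23:48:19 Beijing Feb 11 2005
CA Certificate
Status: Available
Certificate Serial Number: 33349ce63827cf884beb83ec4ed378c0
Key Usage: Signature
CN = CA-SERVER
OU = QWARETECH
Validity Date:
start date: 23:34:51 Beijing Feb 11 2004
end date: 23:42:01 Beijing Feb 11 2006
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 610b69b1000000000003
Key Usage: Encryption
CN = RA-SERVER
Validity Date:
start date: 23:38:20 Beijing Feb 11 2004
end date: 23:48:20 Beijing Feb 11 2005
Certificate
Subject Name
Name: PIX535.MYNET.COM
Status: Pending
Key Usage: General Purpose
Fingerprint: ae58384a 253f3e37 b2f6ef0e c8cea305
"""

# Section headers the PIX prints in front of each record.
HEADERS = ("RA Signature Certificate", "CA Certificate",
           "RA KeyEncipher Certificate", "Certificate")


def parse_date(text):
    """'23:38:19 Beijing Feb 11 2004' -> datetime. The zone name after
    the time is dropped because strptime cannot interpret it."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:1] + parts[2:]),
                             "%H:%M:%S %b %d %Y")


def parse_show_ca_cert(text):
    """Split the listing into one dict per certificate record."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line in HEADERS:
            cur = {"type": line, "subject": {}}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "start date":
                cur["start"] = parse_date(value)
            elif key == "end date":
                cur["end"] = parse_date(value)
            elif value:                      # skip bare 'Validity Date:'
                cur[key.lower()] = value
        elif "=" in line:                    # subject components: CN = ...
            key, _, value = line.partition("=")
            cur["subject"][key.strip()] = value.strip()
    return records


def check_enrollment(records, now):
    """Findings that explain a failing or stuck 'ca enroll'."""
    findings = []
    if not any(r["type"] == "CA Certificate" for r in records):
        findings.append("no CA root certificate: run 'ca authenticate' "
                        "before 'ca enroll'")
    for r in records:
        label = r["subject"].get("CN") or r.get("name") or r["type"]
        if r.get("status") == "Pending":
            findings.append(f"{label}: request still pending; issue it on "
                            "the CA or enable automatic issuing")
        if "end" in r and r["end"] < now:
            findings.append(f"{label}: expired {r['end']:%Y-%m-%d}")
        if "start" in r and r["start"] > now:
            findings.append(f"{label}: not valid before {r['start']:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    for finding in check_enrollment(parse_show_ca_cert(SAMPLE),
                                    datetime(2004, 2, 12)):
        print(finding)
```

Run against the sample on the day after enrollment it reports only the pending PIX request; run with a later "now" it also lists the one-year RA certificates as expired, which is the other reason a previously working SCEP setup stops enrolling.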

I'd try using the command that makes getting the Certificate Revocation List optional:

ca configure YOUR-RA-NAME ra 2 2 crl optional

Sometimes the CRL can hang things up.

But why couldn't my PIX enroll to the CA server, even the first time enrolling the certificate to the CA server, not from the CRL?

And when I use "ca config CA-SERVER ra 2 2 crl", it still couldn't get a success message from the CA server and still stays in pending status.

If your RA (CA) is NOT set up to automatically issue the certificate, this will happen. It will stay pending.

The CA that you are using SCEP on should be separate from your other CAs. Make sure that CA (the RA running SCEP) is set up to automatically issue the certificate. Look in the Certificate Services MMC and make sure that

1) you have no certificates "pending";

2) it is set up to "automatically issue the cert". Many people choose not to require a challenge phrase to enroll when they set up the CA that routers use (I would only use this as a test method to make sure that it is operational).

Great! Successful! Thank you very, very much!

But there is another problem: after my PIX enrolled to the CA server successfully, I enrolled my VPN client's personal certificate to the CA server successfully too. Then I changed the IPSec VPDN configuration on the PIX from "isakmp policy 10 authentication pre-share" to "isakmp policy 10 authentication rsa-sig",

and changed the authentication method of my VPN client from "Group/password" (pre-share) to certificate authentication.

When I try to dial to the PIX VPN gateway, it says "remote peer no longer responding". What's the problem?

Why are you changing the configuration if it is successful?

You have 2 choices when it comes to authenticating clients and devices in IKE phase 1 (it's an either/or process):

1) GroupName/Password (pre-shared key)

2) digital certificates (rsa-sig)

There is also the rsa-encr key option, but I never use it.

If you would like to authenticate the mobile clients (laptops, home users --> VPN) based on GroupName and Password AND also authenticate other Network devices (Routers, Firewalls) based on digital certificates using SCEP, then you need to define 2 IKE Phase 1 policies.

1) one for the network devices

isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des (or 3des if you use it)
isakmp policy 10 group 1 (or DH group 2 if you use it)
isakmp policy 10 lifetime 86400 (or whatever you use)
isakmp policy 10 hash sha (since you are using rsa-sigs)

2) for the mobile clients (running VPN Client software)

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des (or 3des if you use it)
isakmp policy 20 group 2 (since this is for the Software VPN Client)
isakmp policy 20 lifetime 86400 (or whatever you use)
isakmp policy 20 hash md5 (since you are using groupname/password)

You must use a dynamic crypto map for those running Cisco VPN Client since you may not know the source IP address beforehand.
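The two-policy layout above works because an IKE responder walks its policies in priority order and takes the first one whose attributes the peer's proposal satisfies; a peer that offers a combination no policy contains gets nothing. As an added example (not configuration from the thread, and not Cisco's code), the script below encodes policy 10 and policy 20 as data, renders the equivalent "isakmp policy" lines, and reports which policy a given proposal lands on and, when none does, which attributes are in the way. Authentication, encryption, hash and DH group are compared exactly; the lifetime rule used here (a proposal matches when its lifetime is no longer than the policy's, and the shorter value is negotiated) is an assumption taken from the IOS documentation. The proposals are constructed for the example.

```python
"""Model of IKE phase 1 policy selection on a Cisco IKE responder.

Added example, not configuration from the thread or Cisco code. It
encodes the two-policy layout suggested above (policy 10: rsa-sig for
network devices, policy 20: pre-share for software VPN clients), renders
the equivalent 'isakmp policy' lines, and reports which policy a given
peer proposal lands on. Policies are tried in priority order (lowest
number first); authentication, encryption, hash and DH group must match
exactly. The lifetime rule (the proposal matches when its lifetime is no
longer than the policy's, and the shorter value is used) is an assumption
taken from the IOS documentation.
"""

POLICIES = [
    {"priority": 10, "authentication": "rsa-sig", "encryption": "des",
     "hash": "sha", "group": 1, "lifetime": 86400},
    {"priority": 20, "authentication": "pre-share", "encryption": "des",
     "hash": "md5", "group": 2, "lifetime": 86400},
]

# Attributes that must be identical between policy and proposal.
EXACT_ATTRS = ("authentication", "encryption", "hash", "group")


def render_policies(policies):
    """Emit the PIX/IOS configuration lines for the policy list."""
    lines = []
    for pol in sorted(policies, key=lambda p: p["priority"]):
        for attr in ("authentication", "encryption", "group", "lifetime", "hash"):
            lines.append(f"isakmp policy {pol['priority']} {attr} {pol[attr]}")
    return lines


def mismatches(policies, proposal):
    """Per policy priority, the attributes that stop it from matching
    (an empty list means the policy accepts the proposal)."""
    result = {}
    for pol in policies:
        bad = [a for a in EXACT_ATTRS if pol[a] != proposal[a]]
        if proposal["lifetime"] > pol["lifetime"]:
            bad.append("lifetime")
        result[pol["priority"]] = bad
    return result


def select_policy(policies, proposal):
    """Return (priority, negotiated lifetime) of the first matching
    policy, or (None, None) when no policy accepts the proposal."""
    bad = mismatches(policies, proposal)
    for pol in sorted(policies, key=lambda p: p["priority"]):
        if not bad[pol["priority"]]:
            return pol["priority"], min(pol["lifetime"], proposal["lifetime"])
    return None, None


def describe(policies, proposal):
    """One-line verdict worded like the IOS debug phrases quoted later in
    the thread ('atts are acceptable' / 'no atts are acceptable')."""
    prio, life = select_policy(policies, proposal)
    if prio is None:
        gaps = "; ".join(f"policy {p}: {', '.join(b)}"
                         for p, b in sorted(mismatches(policies, proposal).items()))
        return f"no atts are acceptable ({gaps})"
    return f"atts are acceptable: policy {prio}, lifetime {life}"


if __name__ == "__main__":
    print("\n".join(render_policies(POLICIES)))
    # Constructed proposals: a VPN client on group/password, a router with
    # a certificate, and a client switched to certificates but still
    # offering the md5/group 2 combination of the pre-share policy.
    client = {"authentication": "pre-share", "encryption": "des",
              "hash": "md5", "group": 2, "lifetime": 86400}
    router = {"authentication": "rsa-sig", "encryption": "des",
              "hash": "sha", "group": 1, "lifetime": 86400}
    client_cert = dict(client, authentication="rsa-sig")
    for prop in (client, router, client_cert):
        print(describe(POLICIES, prop))
```

The third proposal is the situation the thread moves on to: a client switched to certificates but still offering the hash and group of the pre-share policy matches neither policy 10 (hash, group) nor policy 20 (authentication), so the mismatch report says which policy needs a matching sibling rather than leaving only a timeout to go on.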

Thank you very much, but I want to try the mobile client with the authentication method based on digital certificates, so I changed the configuration on the PIX to "rsa-sig", but it fails.

But when I use pre-share for the mobile client, it works very well.

I just used a Cisco 3640 with the IOS "c3640-ik9s-mz.122-15.T5.bin" to emulate the PIX for IPSec VPDN with digital certificate and Xauth (RADIUS) authentication.

The symptom is the same as on the PIX: when I enroll the Cisco 3640 and the client to the CA server successfully and then try to dial to the VPN gateway, the log says "%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.1.2 is bad: CA request failed!".

It means my certificate is invalid or expired, but my personal certificate was just obtained from the CA server. How can I overcome this problem?

have you configured the VPN client to use Certificates for Authentication? I am assuming that you have imported into the MS Certificate Store.

I have enrolled my VPN client to the CA server through the network method and got four certificates:

1. A personal certificate in the Cisco store

2. A CA certificate

3. Two RA certificates

Then I configured my VPN client to use the certificate for authentication, and changed the VPN gateway to use "rsa-sig" for authentication.

When I dial to the VPN gateway, it fails.

Are you using sha as your hash method?

Did you use sha (the default) when you set up the RA?

What error does the end device give you in the debugs?

Do you get 'atts are acceptable' and then it fails processing the cert, or do you get 'no atts are acceptable'?

There is plenty of documentation here on cisco.com as well as configuration examples. I suggest you dig around a little more.

I am using md5 for my hash method.

There is a message that means my VPN client certificate is invalid after I get "atts are acceptable":

%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.1.2 is bad: CA request failed!

But I don't know how to overcome this problem. Could you tell me?
