The PIX with CA problem?

sunrise_zhang
Level 1

When I first successfully installed and configured the CA server (Win2k Advanced) and SCEP, my PIX535 could get the certificate and enroll with the CA successfully.

But when I reinstalled the CA program and SCEP, my PIX535 could still get the certificate from the CA server, but couldn't enroll with the CA server. It says no CA root cert exists, even though I tried many times. Below is the procedure, for example:

PIX535(config)# ca id myca 172.16.1.2:/certsrv/mscep/mscep.dll

PIX535(config)# ca config myca ra 1 5

PIX535(config)# ca authen myca

#then I went to my CA link: 172.16.1.2:/certsrv/mscep/mscep.dll, input the username and password to get the password: xxxx

PIX535(config)# ca enroll myca xxxx

% No CA root cert exists. Use "ca authenticate"

#retries, to get another password: xxxx

PIX535(config)# ca enroll myca xxxx

% No CA root cert exists. Use "ca authenticate"

PIX535(config)# sh ca cert

CA Certificate

Status: Available

Certificate Serial Number: xxxx

Key Usage: Signature

CN = MYNET

OU = MYNETWORK

O = NETWORK

L = HANGZHOU

ST = ZHEJIANG

C = CN

EA =<16> JACKY@HZCNC.COM

Validity Date:

start date: 01:54:56 Beijing Feb 6 2004

end date: 02:04:56 Beijing Feb 6 2005

CA Certificate

Status: Available

Certificate Serial Number: xxxx

Key Usage: Encryption

CN = MYNET

OU = MYNETWORK

O = NETWORK

L = HANGZHOU

ST = ZHEJIANG

C = CN

EA =<16> JACKY@HZCNC.COM

Validity Date:

start date: 01:54:56 Beijing Feb 6 2004

end date: 02:04:56 Beijing Feb 6 2005

CA Certificate

Status: Available

Certificate Serial Number: xxxx

Key Usage: Signature

CN = MYNET

OU = MYNETWORK

O = NETWORK

L = HANGZHOU

ST = ZHEJIANG

C = CN

EA =<16> JACKY@HZCNC.COM

Validity Date:

start date: 01:42:41 Beijing Feb 6 2004

end date: 01:46:25 Beijing Feb 6 2006

PIX535# sh ca mypub rsa

% Key pair was generated at: 09:20:43 Beijing Feb 5 2004

Key name: PIX535.MYNET.COM

Usage: General Purpose Key

Key Data:

xxxxx

% Key pair was generated at: 10:32:46 Beijing Feb 5 2004

Key name: PIX535.MYNET.COM.server

Usage: Encryption Key

Key Data:

xxxxxx

Tell me what's the problem? Thank you very much.

21 Replies

Hi,

Have you used the Microsoft Enterprise CA or the standalone CA?

Thanks

Chiara

Were you ever able to get this working? I have the exact same problem but cannot fix it.

I have been able to enroll for my certificates on the PIX and on the client but still get the "remote peer no longer responding".

If you were able to solve this I hope you will tell me how.

HELP!!!

Hi,

I have the same problem.

I'm using the Windows 2003 version you mentioned but am still receiving the error

NO ROOT CA CERT EXISTS

Do you have any idea?

The problem has not been solved so far. I opened a case for this, but it has not been solved yet. The case has been closed and I do not know the reason. I am so sad.

I opened a ticket and the tech DID solve the problem for me. Perhaps you could refer the tech you are working with to my ticket 600452063 for the solution. If I correctly understand the changes made by the tech on my PIX, I had to upgrade the encryption to aes or 3des in order to get certificates to work.

I've attached the relevant portion of my config.

Are you using an enterprise CA or a standalone CA?

Thanks

Stefano Colombo

Stand-alone CA which I believe is required. You also need SCEP installed in the form of MSCEP.DLL. There is a post higher up in this thread with a link to info about this. I am using W2000 so I don't know much detail about it in W2003.
