VPN Client and RA Enroll fails

tshredder
Level 1

Hi, I'm wondering about the requirements for RA certificates to enroll with a Cisco VPN Client.

I'm using Cisco VPN Client 5.0 on Windows XP towards an EJBCA CA.

The CA is set up with a simple Root CA for SCEP.

If I enroll directly with the CA all works fine.

I have set up an RA, where the RA certificate is signed directly by the CA. My RA certificate has keyUsage digitalSignature and keyEncipherment and basicConstraints=false.

When I try to enroll with the RA I get this message:

-----

41 11:29:28.890 02/08/08 Sev=Info/4 CERT/0x63600022

Setting key size of 2048 for pkcs10 request.

42 11:29:29.375 02/08/08 Sev=Warning/2 CERT/0xE3600016

Failure on: Locating RA Encryption Certificate.

-----

The RA sends the RA and CA certificate to the VPN client with mime-type application/x-x509-ca-ra-cert. The VPN client even stores the certificates, and says both the RA and the CA cert are valid.

Why will the VPN client not accept the RA certificate as an RA encryption certificate?

Regards,

Tomas

2 Replies

irisrios
Level 6

Make sure the domain name matches. FQDN and hostname are the primary isakmp ID methods with Cisco products. Refer to http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/idcentr.htm for more information.

Sorry, but that does not work. I tried setting both the common name and DNS altName to foohost.foo.com, and enrolling with a URL with this hostname to my RA. The VPN client still will not accept the RA's certificate as an RA encryption certificate.

Cheers,

Tomas