02-08-2008 02:32 AM
Hi, I'm wondering about the requirements for RA certificates to enroll with a Cisco VPN Client.
I'm using Cisco VPN Client 5.0 on Windows XP towards an EJBCA CA.
The CA is set up with a simple Root CA for SCEP.
If I enroll directly with the CA all works fine.
I have set up an RA, where the RA certificate is signed directly by the CA. My RA certificate has keyUsage digitalSignature and keyEncipherment and basicConstraints=false.
When I try to enroll with the RA I get this message:
-----
41 11:29:28.890 02/08/08 Sev=Info/4 CERT/0x63600022
Setting key size of 2048 for pkcs10 request.
42 11:29:29.375 02/08/08 Sev=Warning/2 CERT/0xE3600016
Failure on: Locating RA Encryption Certificate.
-----
The RA sends the RA and CA certificate to the VPN client with mime-type application/x-x509-ca-ra-cert. The VPN client even stores the certificates, and says both the RA and the CA cert are valid.
Why will the VPN client not accept the RA certificate as an RA encryption certificate?
Regards,
Tomas
02-14-2008 06:54 AM
Make sure the domain name matches. FQDN and hostname are the primary ISAKMP ID methods with Cisco products. Refer to http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/idcentr.htm for more information.
02-15-2008 07:15 AM
Sorry, but that does not work. I tried setting both common name and DNS altName to foohost.foo.com, and enrolling with a URL with this hostname to my RA. The VPN client still will not accept the RA's certificate as an RA encryption certificate.
Cheers,
Tomas