pix with microsoft ca server

From: Driessens.Hans (hans.driessens@siemens.com)
Date: Mon Dec 15 2003 - 12:51:17 GMT-3


Hi group,

Does anybody have experience with the PIX and a CA for ISAKMP authentication?
I'm trying to set this up, but I keep getting strange errors when I ask the
CA for its own cert. I did the following things:

0- setup ip and routing
1- domain-name
2- set the clock
3- create rsa key pair
4- create ca identity and config
5- trying to authenticate

config snip pix
-=-
hostname pix
domain-name siemens.lab
ca identity ca3 144.251.2.100:/certsrv/mscep/mscep.dll
ca configure ca3 ra 5 5 crloptional
-=-

pix(config)# sh clock
16:44:07.233 UTC Mon Dec 15 2003
pix(config)# show ca mypubkey rsa
% Key pair was generated at: 15:38:44 UTC Dec 15 2003
Key name: pix.siemens.lab
 Usage: General Purpose Key
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c6da21
  c8bd16c5 f9d4d06b 7fd8d58c 1a4ef121 ff7dc5bd 7121c2a2 26f9e355 48a60dba
  748b2e7a 869be1bd a6b0388b d3ca7590 50c44c6b 57076b8c 41b8b4db a180ce4e
  eba03a28 14f74ca5 9a658827 4afe4b05 c5db0726 6a343321 f10dcb67 058c6fba
  794f3375 79301301 031849fa cbca6baf 9c447324 0e113920 70830457 71020301
0001
pix(config)#

This looks good to me, but the following happens:
===========================================================
pix(config)# ca authent ca3

CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
PKI: key generation process has been running for 10 seconds
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while
selecting certificate status

CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking
certificate using self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while
verifying cert in message by issuer self-signed cert
<--the previous three messages occur 4 times in a row-->

CRYPTO_PKI: status = 324: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!
pix(config)#
=============================================================

Does anybody have a clue what might be wrong???
(If I check the log of the CA server, I can see that the request reached the
CA. I've got two routers with IPsec/CA using the same CA, and that works fine.
The CA is Microsoft Win2k with the MSCEP add-on installed; the PIX release
notes say that it must work.)

Hans
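The failing step above is the SCEP GetCACert exchange: the PIX fetches the CA (and, in `ra` mode, the RA) certificates over HTTP and then tries to verify what came back. The script below is an added example, not code from the original post, from Cisco or from Microsoft. It builds the GetCACert URL from the `ca identity` target in the post (`144.251.2.100:/certsrv/mscep/mscep.dll`, nickname `ca3`), classifies a reply by the two content types the SCEP specification (RFC 8894) defines, pulls the raw certificates out of the PKCS#7 chain form, and prints a fingerprint for each so it can be compared out of band with what the CA administrator publishes before the CA is trusted. The sample reply is constructed with dummy certificate bodies so the script runs offline; it does not verify signatures, it only shows what the PIX must be handed.

```python
"""Inspect a SCEP GetCACert reply and fingerprint the certificates it carries.

Added example, not code from the original post, from Cisco or from Microsoft.
The GetCACert URL shape and the two reply content types follow the SCEP
specification (RFC 8894). The sample reply is CONSTRUCTED with dummy
certificate bodies so the script runs offline; a real reply carries X.509 DER.
"""
import hashlib
from urllib.parse import urlencode

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def getcacert_url(identity: str, ca_id: str) -> str:
    """Turn the 'ca identity' target (host:path) into the GetCACert URL."""
    host, path = identity.split(":", 1)
    return f"http://{host}{path}?" + urlencode({"operation": "GetCACert", "message": ca_id})


# --- minimal DER encode/decode (enough for a degenerate PKCS#7 SignedData) ---

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def parse_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def certs_from_pkcs7(der: bytes) -> list:
    """Pull the raw certificates out of a PKCS#7 SignedData (no signer check)."""
    tag, ci, _ = parse_tlv(der)
    otag, oid, pos = parse_tlv(ci)
    if tag != 0x30 or otag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    ctag, explicit, _ = parse_tlv(ci, pos)          # [0] EXPLICIT content
    if ctag != 0xA0:
        raise ValueError("SignedData content missing")
    _, sd, _ = parse_tlv(explicit)                   # SignedData SEQUENCE
    certs, pos = [], 0
    while pos < len(sd):
        tag, value, pos = parse_tlv(sd, pos)
        if tag == 0xA0:                              # [0] IMPLICIT certificates
            cpos = 0
            while cpos < len(value):
                start = cpos
                _, _, cpos = parse_tlv(value, cpos)
                certs.append(value[start:cpos])      # keep raw DER for fingerprinting
    return certs


def fingerprints(der: bytes) -> dict:
    return {"md5": hashlib.md5(der).hexdigest(), "sha1": hashlib.sha1(der).hexdigest()}


def inspect_getcacert(content_type: str, body: bytes) -> dict:
    """Classify a GetCACert reply by its Content-Type and fingerprint every cert."""
    if content_type == "application/x-x509-ca-cert":
        mode, certs = "ca-only", [body]                       # single DER certificate
    elif content_type == "application/x-x509-ca-ra-cert":
        mode, certs = "ca-ra-chain", certs_from_pkcs7(body)   # CA + RA certs in PKCS#7
    else:
        raise ValueError(f"not a SCEP GetCACert reply: {content_type!r}")
    return {"mode": mode, "count": len(certs), "certs": certs,
            "fingerprints": [fingerprints(c) for c in certs]}


# --- constructed sample reply (dummy certificate bodies, NOT real X.509) ---

def sample_ca_cert() -> bytes:
    return tlv(0x30, tlv(0x04, b"CONSTRUCTED CA CERT BODY"))


def sample_ra_cert() -> bytes:
    return tlv(0x30, tlv(0x04, b"CONSTRUCTED RA CERT BODY"))


def sample_ca_ra_reply() -> bytes:
    signed_data = tlv(0x30,
                      tlv(0x02, b"\x01")                               # version
                      + tlv(0x31, b"")                                 # digestAlgorithms: empty SET
                      + tlv(0x30, tlv(0x06, OID_DATA))                 # encapContentInfo: id-data
                      + tlv(0xA0, sample_ca_cert() + sample_ra_cert()) # [0] certificates
                      + tlv(0x31, b""))                                # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))


if __name__ == "__main__":
    print(getcacert_url("144.251.2.100:/certsrv/mscep/mscep.dll", "ca3"))
    report = inspect_getcacert("application/x-x509-ca-ra-cert", sample_ca_ra_reply())
    print(report["mode"], report["count"], "certificate(s)")
    for fp in report["fingerprints"]:
        print(" MD5", fp["md5"], " SHA1", fp["sha1"])
```

Against a live CA you would feed `inspect_getcacert` the `Content-Type` header and body of an HTTP GET to the printed URL; a reply that is not one of the two SCEP content types is rejected outright, and in `ra` mode a reply that classifies as `ca-only` tells you the PIX is not being handed the RA certificates it was configured to expect.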



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:41 GMT-3