RE: pix with microsoft ca server

From: Jim (systemboard@excite.com)
Date: Tue Dec 16 2003 - 04:09:30 GMT-3


Hi Hans,

Are you approving the request in the CA server? If not, you will have to approve the issuance of the Cert for it to be sent back to the router.

JT

--- On Mon 12/15, Driessens.Hans <hans.driessens@siemens.com> wrote:
From: Driessens.Hans [mailto:hans.driessens@siemens.com]
To: security@groupstudy.com, ccielab@groupstudy.com
Date: Mon, 15 Dec 2003 16:51:17 +0100
Subject: pix with microsoft ca server

Hi group

Does anybody have experience with the pix and ca for isakmp authentication?
I'm trying to set this up but I keep getting strange errors when I ask for
CA for its own cert. I did the following things:

0- setup ip and routing
1- domain-name
2- set the clock
3- create rsa key pair
4- create ca identity and config
5- trying to authenticate


config snip pix
-=-
hostname pix
domain-name siemens.lab
ca identity ca3 144.251.2.100:/certsrv/mscep/mscep.dll
ca configure ca3 ra 5 5 crloptional
-=-

pix(config)# sh clock
16:44:07.233 UTC Mon Dec 15 2003
pix(config)# show ca mypubkey rsa
% Key pair was generated at: 15:38:44 UTC Dec 15 2003
Key name: pix.siemens.lab
 Usage: General Purpose Key
 Key Data:
 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c6da21
 c8bd16c5 f9d4d06b 7fd8d58c 1a4ef121 ff7dc5bd 7121c2a2 26f9e355 48a60dba
 748b2e7a 869be1bd a6b0388b d3ca7590 50c44c6b 57076b8c 41b8b4db a180ce4e
 eba03a28 14f74ca5 9a658827 4afe4b05 c5db0726 6a343321 f10dcb67 058c6fba
 794f3375 79301301 031849fa cbca6baf 9c447324 0e113920 70830457 71020301
0001
pix(config)#


This looks good to me but the following happens:
===========================================================
pix(config)# ca authent ca3

CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
PKI: key generation process has been running for 10 seconds
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while
selecting certificate status

CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking
certificate using self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while
verifying cert in message by issuer self-signed
 cert
<--the previous three messages occur 4 times in a row
-->

CRYPTO_PKI: status = 324: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!
pix(config)#
=============================================================

Anybody a clue to what might be wrong???
(If I check the log of the ca server I can see that the request reached the
ca. I've got two routers with ipsec/ca with the same ca and that works fine.
The ca is from microsoft win2k with mscep addon installed, release notes pix
say that it must work)


Hans
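As an added example, not part of the original thread, a small Python parser that reads the kind of `ca authenticate` debug output quoted above, collapses the repeated CRYPTO_PKI warnings, pulls out the final status code and transaction name, and labels whether the failure sits in the GetCACert step (the PIX fetching and verifying the CA certificate) or later. The sample text is constructed from the quoted lines and the classification labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample (not a verbatim capture), modelled on the debug lines
# quoted in the thread; wrapped warnings are joined onto one line each.
SAMPLE_DEBUG = """\
CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: WARNING: Invalid signature on certificate or CRL while checking certificate using self signed certificate
CRYPTO_PKI: status = 324: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
"""

WARNING_RE = re.compile(r"^CRYPTO_PKI: WARNING: (?P<msg>.+)$")
STATUS_RE = re.compile(r"^CRYPTO_PKI: status = (?P<code>\d+): (?P<text>.+)$")
TXN_RE = re.compile(r"^CRYPTO_PKI: transaction (?P<name>\w+) completed$")

def parse_ca_debug(text):
    # Count each distinct warning, keep the last status line and transaction name.
    warnings = Counter()
    status = None
    transaction = None
    for line in text.splitlines():
        line = line.strip()
        if m := WARNING_RE.match(line):
            warnings[m.group("msg")] += 1
        elif m := STATUS_RE.match(line):
            status = (int(m.group("code")), m.group("text"))
        elif m := TXN_RE.match(line):
            transaction = m.group("name")
    return {"warnings": dict(warnings), "status": status, "transaction": transaction}

def classify(result):
    # GetCACert is the transaction behind 'ca authenticate': the PIX fetches the CA
    # certificate and verifies it. A signature warning there means it rejected it.
    if result["status"] is None:
        return "ok"
    if result["transaction"] == "GetCACert":
        if any("Invalid signature" in w for w in result["warnings"]):
            return "ca-cert-rejected"
        return "ca-cert-fetch-failed"
    return "enrollment-failed"  # any later transaction, e.g. a pending request
```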



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:41 GMT-3