From: Stefan Grey (examplebrain@hotmail.com)
Date: Sun Jul 09 2006 - 09:02:41 ART
Hello, thanks...
Well, assume that R3 is directly connected to the CA. Look at the obvious
config below. I can authenticate the CA but can't receive the
certificate:
Oct 1 17:19:56.779: %CRYPTO-6-CERTREJECT: Certificate enrollment request
was rejected by Certificate Authority
What can the problem be, what do you think??
Please look at the output below. I use the same config as you. Yes, really,
the router can authenticate with the CA. But still it is not able to get a
certificate from it. Look at the line below. The certificate is
rejected!!!!! What could the problem be?? Could you try your configuration
and really receive the certificate??
R3#ping 195.1.134.100
!!!!!
R3#conf t
R3(config)#ip domain-name trinetnt.com
R3(config)#crypto key generate rsa
The name for the keys will be: R3.trinetnt.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]
R3(config)#crypto ca trustpoint server
R3(ca-trustpoint)#enrollment url http://195.1.134.100/certsrv/mscep/mscep.dll
R3(config)#crypto ca authenticate server
Certificate has the following attributes:
Fingerprint: 9C89F543 9859A0CF 79B9AA1F 1B7CC0DB
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R3(config)#crypto ca enroll server
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the
configuration.
Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be:
R3.trinetnt.com
% The subject name in the certificate will include: R3.trinetnt.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate server verbose' command will show the
fingerprint.
R3(config)#CRYPTO_PKI: Fingerprint: C0378A76 687A7416 4923961F 5890088E
Oct 1 17:19:54.511:
R3(config)#
Oct 1 17:19:56.779: %CRYPTO-6-CERTREJECT: Certificate enrollment request
was rejected by Certificate Authority
R3(config)#
>From: "Richard L. Pickard" <richardlpickard@hotmail.com>
>To: "Stefan Grey" <examplebrain@hotmail.com>
>Subject: Re: IPSEC and CA
>Date: Sat, 8 Jul 2006 21:41:19 -0500
>
>
>Stefan,
>
>I have been working on this too.
>
>Is your CA server running WIN 2003 ?
>
>Thanks,
>
>Richard
>CCIE | NNCSE
>
>//
>
>----- Original Message ----- From: "Stefan Grey" <examplebrain@hotmail.com>
>To: <ccielab@groupstudy.com>
>Sent: Saturday, July 08, 2006 2:09 PM
>Subject: IPSEC and CA
>
>
>>Hello all
>>
>>I have a CA on a PC. The address of the PC is 195.1.134.100. The router
>>is connected directly to it. The router can ping the PC. But the attempt to
>>authenticate and receive the CA from it fails.
>>
>>R5(config)#ip domain-name cisco.com
>>R5(config)#crypto generate key rsa
>>R5(config)#crypto ca trustpoint server
>>R5(ca-trustpoint)#enrollment url http://195.1.134.100/certsrv/mscep/mscep.dll
>>R5(ca-trustpoint)#enrollment mode ra
>>R5(ca-trustpoint)#crl optional
>>
>>R5(config)#crypto ca authenticate server
>>% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
>>
>>
>>Should something be configured on the CA as well to use it??? What can you
>>say?? Maybe the URL is wrong. What can the issue be? Maybe the CA should be
>>somehow tuned??
>>
>>Thanks
>>
>>Stefan.
>>
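Added example, not from this thread or from Cisco: a small offline Python helper for the SCEP GetCACert step that both posts stumble on. It builds the GetCACert request for the enrollment URL quoted above, classifies a response the way the router would experience it (an empty body is the "status = FAIL, cert length = 0" case; an x-x509-ca-ra-cert body means the CA is fronted by an RA, which is what Microsoft's mscep.dll does and what `enrollment mode ra` is for), and formats a fingerprint for out-of-band comparison before answering "yes" at the accept prompt. The DER bytes below are a constructed placeholder, not a certificate, and the assumption that the IOS "Fingerprint:" line is an MD5 over the DER certificate is mine.

```python
# Added example (not from the thread): offline checks for a SCEP GetCACert exchange.
import hashlib
from urllib.parse import urlencode


def build_getcacert_url(enrollment_url: str, ca_ident: str = "") -> str:
    """SCEP GetCACert is an HTTP GET on the enrollment URL with operation=GetCACert."""
    params = {"operation": "GetCACert"}
    if ca_ident:
        params["message"] = ca_ident  # optional CA identifier, usually empty for mscep
    return f"{enrollment_url}?{urlencode(params)}"


def ios_fingerprint(der_cert: bytes) -> str:
    """Format an MD5 over the DER certificate in four-byte groups, like the
    32-hex-character 'Fingerprint:' line in the thread (assumed to be MD5)."""
    digest = hashlib.md5(der_cert).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def classify_getcacert(content_type: str, body: bytes) -> str:
    """Map a GetCACert response to what the router will report."""
    if not body:
        return "FAIL: empty body (router prints 'status = FAIL, cert length = 0')"
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/x-x509-ca-cert":
        return "CA cert only: single DER certificate, plain enrollment"
    if ct == "application/x-x509-ca-ra-cert":
        return "CA + RA certs: RA-fronted CA (e.g. mscep.dll), use 'enrollment mode ra'"
    return f"unexpected content type {ct!r}: check the enrollment url"


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the out-of-band fingerprint (spaces and case ignored) with the
    one computed from the received CA certificate before accepting it."""
    return ios_fingerprint(der_cert).replace(" ", "") == expected.replace(" ", "").upper()


# Constructed sample responses; SAMPLE_CA_DER is a placeholder, not a real certificate.
SAMPLE_CA_DER = b"\x30\x82\x01\x00constructed-der-placeholder"
SAMPLES = [
    ("application/x-x509-ca-ra-cert", SAMPLE_CA_DER),  # what mscep.dll returns
    ("text/html; charset=utf-8", b""),                 # the original post's failure
]

if __name__ == "__main__":
    print(build_getcacert_url("http://195.1.134.100/certsrv/mscep/mscep.dll"))
    for ct, body in SAMPLES:
        print(classify_getcacert(ct, body))
    print("Fingerprint:", ios_fingerprint(SAMPLE_CA_DER))
```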
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART