RE: IPSEC and CA

From: Stefan Grey (examplebrain@hotmail.com)
Date: Sun Jul 09 2006 - 14:32:40 ART


The time is just ok.

Below is the debug:

R3#debug crypto pki tra
R3#debug crypto pki transactions
Crypto PKI Trans debugging is on
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto ca enr
R3(config)#crypto ca enroll server
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The fully-qualified domain name in the certificate will be:
R3.trinetnt.com
% The subject name in the certificate will include: R3.trinetnt.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate server verbose' command will show the
fingerprint.

R3(config)#
Jun 1 06:07:34.671: CRYPTO_PKI: Sending CA Certificate Request:
GET
/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=server
HTTP/1.0

Jun 1 06:07:34.671: CRYPTO_PKI: can not resolve server name/IP address
Jun 1 06:07:34.671: CRYPTO_PKI: Using unresolved IP Address 195.1.134.100
Jun 1 06:07:34.675: CRYPTO_PKI: http connection opened
Jun 1 06:07:35.207: CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 09 Jul 2006 12:47:09 GMT
Content-Length: 2550
Content-Type: application/x-x509-ca-ra-cert

Content-Type indicates we have received CA and RA certificates.

Jun 1 06:07:35.207: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=server)

Jun 1 06:07:35.391: The PKCS #7 message contains 3 certificates.
Jun 1 06:07:35.439: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

Jun 1 06:07:35.487: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

Jun 1 06:07:35.491: CRYPTO_PKI: transaction R3(config)# PKCSReq completed
Jun 1 06:07:35.491: CRYPTO_PKI: status: CRYPTO_PKI: Fingerprint: E14FE0E6 F3FB976F 5E6DB9EF 728FB251
Jun 1 06:07:35.559:
Jun 1 06:07:35.835: CRYPTO_PKI: can not resolve server name/IP address
Jun 1 06:07:35.835: CRYPTO_PKI: Using unresolved IP Address 195.1.134.100
Jun 1 06:07:35.839: CRYPTO_PKI: http connection opened
Jun 1 06:07:37.291: CRYPTO_PKI: received msg of 671 bytes
Jun 1 06:07:37.291: CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 09 Jul 2006 12:47:11 GMT
Content-Length: 526
Content-Type: application/x-pki-message

Jun 1 06:07:37.743: The PKCS #7 message has 1 verified signers.
Jun 1 06:07:37.747: signing cert: issuer=cn=NetLab Rentals LLC,c=US344519E3000002
Jun 1 06:07:37.747: Signed Attributes:

Jun 1 06:07:37.747: CRYPTO_PKI: status = 101: certificate request is rejected
Jun 1 06:07:37.747: CRYPTO_PKI: Fail Info=2
Jun 1 06:07:37.747: CRYPTO_PKI: All enrollment requests completed for trustpoint server.
Jun 1 06:07:37.747: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
Jun 1 06:07:37.747: CRYPTO_PKI: All enrollment requests completed for trustpoint server.
Jun 1 06:07:37.747: CRYPTO_PKI: All enrollment requests completed for trustpoint server.
Jun 1 06:07:37.751: CRYPTO_PKI: All enrollment requests completed for trustpoint server.
R3(config)#
R3(config)#

>From: "David Mitchell" <dmitchell@centientnetworks.com>
>Reply-To: "David Mitchell" <dmitchell@centientnetworks.com>
>To: "Stefan Grey" <examplebrain@hotmail.com>, <ccielab@groupstudy.com>
>Subject: RE: IPSEC and CA
>Date: Sun, 9 Jul 2006 11:25:58 -0400
>
>Before going too crazy troubleshooting it, make sure that the date and
>time are the same on your router and server. It will reject a
>certificate if the dates are wrong.
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Stefan Grey
>Sent: Saturday, July 08, 2006 3:10 PM
>To: ccielab@groupstudy.com
>Subject: IPSEC and CA
>
>Hello all
>
>I have a CA on PC. The address of the pc is 195.1.134.100. Directly to
>it is connected the router. The router can ping the PC. But the attempt to
>authenticate and receive the CA from this fails.
>
>R5(config)#ip domain-name cisco.com
>R5(config)#crypto generate key rsa
>R5(config)#crypto ca trustpoint server
>R5(ca-trustpoint)#enrollment url
>http://195.1.134.100/certsrv/mscep/mscep.dll
>R5(ca-trustpoint)#enrollment mode ra
>R5(ca-trustpoint)#crl optional
>
>R5(config)#crypto ca authenticate server
>% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
>
>
>Should something be configured on the CA as well to use it??? What can
>you say?? Maybe url is wrong. What can be the issue. Maybe CA should be
>somehow tuned??
>
>Thanks
>
>Stefan.
>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
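An added, offline example (my code, not from this thread, Cisco or Microsoft): it parses the degenerate PKCS#7 SignedData that a SCEP GetCACert reply carries (the application/x-x509-ca-ra-cert body in the debug above), pulls out each CA/RA certificate and prints its fingerprint in the four-group form IOS shows, so the "Fingerprint:" line the router prints can be checked against a copy of the CA certificate obtained out of band before the trustpoint is trusted. It assumes that IOS fingerprint is an MD5 over the DER certificate; the reply it parses is a constructed sample with stand-in certificates, not real X.509 data.

```python
import hashlib
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 data

def der_read(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, whole TLV, inner value) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, nxt = der_read(value, pos)
        yield tag, value[pos:nxt], inner
        pos = nxt

def certs_from_pkcs7(reply):
    """Return the DER of every certificate in a certs-only PKCS#7 SignedData."""
    tag, content_info, _ = der_read(reply, 0)
    kids = list(der_children(content_info))
    if tag != 0x30 or kids[0][0] != 0x06 or kids[0][2] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, signed_data, _ = der_read(kids[1][2], 0)         # [0] EXPLICIT wraps SignedData
    for tag, _, inner in der_children(signed_data):
        if tag == 0xA0:                                  # [0] IMPLICIT certificates
            return [raw for t, raw, _ in der_children(inner) if t == 0x30]
    return []

def ios_fingerprint(cert_der):
    """MD5 over the DER certificate, in the four 8-hex-digit groups IOS prints (assumption)."""
    digest = hashlib.md5(cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))

def der_tlv(tag, value):  # minimal DER encoder, used only to build the constructed sample
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + value

# Constructed sample: two stand-in certs (SEQUENCEs of filler, not real X.509) in a degenerate SignedData
CA_CERT = der_tlv(0x30, b"constructed CA cert stand-in " * 5)
RA_CERT = der_tlv(0x30, b"constructed RA cert stand-in " * 5)
SAMPLE_REPLY = der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, der_tlv(0x30,
    der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + der_tlv(0x30, der_tlv(0x06, OID_DATA))
    + der_tlv(0xA0, CA_CERT + RA_CERT) + der_tlv(0x31, b""))))
if __name__ == "__main__":   # compare each line with the "Fingerprint:" line in the router debug
    print("\n".join(ios_fingerprint(c) for c in certs_from_pkcs7(SAMPLE_REPLY)))
```

With a real reply, save the HTTP body of the GetCACert request to a file and pass its bytes to certs_from_pkcs7 instead of SAMPLE_REPLY; a mismatch between the printed value and what the router displayed means the router did not talk to the CA you expected.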



This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART