Re: PIX CA authenticating -- IOS CA --

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Fri Nov 03 2006 - 07:41:23 ART

• Next message: Zafar Khan: "Re: Privilage level"
• Previous message: haducbinh: "Privilage level"
• Maybe in reply to: Rodrigo Paes: "PIX CA authenticating -- IOS CA --"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Use

ca configure ios-ca ca 2 20 crloptional

the keyword is "CA"

IOS CA does not use RA mode. Windows CA does, and SCEP proxy
acts as RA for original CA.

HTH

2006/11/2, Rodrigo Paes <rpaes@pobox.com>:
>
> Hi all,
>
> I'm trying to get the PIX to use a cisco IOS CA... but I'm not
> having any luck here, I've set the IOS-CA folowing this link...
>
>
> http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f1fa.pdf
>
> when I try to authenticate de ca server.
>
> PIX(config)# ca identity ios-ca 172.16.1.50
> PIX(config)# ca configure ios-ca ra 2 20 crloptional
> PIX(config)#
> PIX(config)# ca authen ios-ca
>
> msgsym(GETCARACERT, CRYPTO)!
> %Error in connection to Certificate Authority: status = FAIL
> PIX(config)#
>
> I tryed changing the path to the auth script but didn't work.. tried all
> these
>
> ca identity ios-ca 172.16.1.50: 80
> ca identity ios-ca 172.16.1.50: /cgi-bin
> ca identity ios-ca 172.16.1.50: /
>
>
> however when I change the enrollment mode from RA ro CA ...
>
> PIX(config)#
> PIX(config)# ca identity ios-ca 172.16.1.50
> PIX(config)# ca configure ios-ca ca 2 20 crloptional
> PIX(config)#
> PIX(config)#
> PIX(config)# ca authen ios-ca
>
> Certificate has the following attributes:
>
> Fingerprint: e876bfbd 122d1c0e fa764a46 0a373770
> PIX(config)#
> PIX(config)# ca enroll ios-ca 512
> %
> % Start certificate enrollment ..
>
> % The subject name in the certificate will be: PIX.lab.cisco.com
>
> % Certificate request sent to Certificate Authority
> % The certificate request fingerprint will be displayed.
> PIX(config)#
> PIX(config)# Fingerprint: 8d6bc9bc 7be486ea 6a740b86 8f264cdd
>
> The certificate has been granted by CA!
>
> PIX(config)#
> PIX(config)#
>
> I did the same thing on routers, using "enrollment mode ra" and they
> worked without a glitch...
>
> so.. any ideas ? :)
>
>
> []s
> rodrigo
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344

• Next message: Zafar Khan: "Re: Privilage level"
• Previous message: haducbinh: "Privilage level"
• Maybe in reply to: Rodrigo Paes: "PIX CA authenticating -- IOS CA --"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART