PKI enrollment question

From: secondie (secondie@gmail.com)
Date: Sat Nov 04 2006 - 10:14:41 ART


When I enroll from a router as below, debug tells me unresolved IP
addresses:

crypto ca trustpoint server
 enrollment mode ra
 enrollment url http://195.1.134.100:80/certsrv/mscep/mscep.dll
 crl optional

R5(config)#cry ca enroll server
Can not select my full public key (R5.trinetnt.com)% Start certificate
enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the
configuration.
   Please make a note of it.

Password:
Re-enter password:

% The fully-qualified domain name in the certificate will be:
R5.trinetnt.com
% The subject name in the certificate will be: R5.trinetnt.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

R5(config)#
    Signing Certificate Reqeust Fingerprint:
    9021972F B93A18BC C82F3551 D0D88EE3

Nov 4 12:59:22.411: CRYPTO_PKI: Sending CA Certificate Request:
GET
/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=server
HTTP/1.0

Nov 4 12:59:22.411: CRYPTO_PKI: can not resolve server name/IP address
Nov 4 12:59:22.411: CRYPTO_PKI: Using unresolved IP Address 195.1.134.100
Nov 4 12:59:22.419: CRYPTO_PKI: http connection opened
Nov 4 12:59:22.943: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 04 Nov 2006 12:58:53 GMT
Content-Length: 2546
Content-Type: application/x-x509-ca-ra-cert

Content-Type indicates we have received CA and RA certificates.

Nov 4 12:59:22.947: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=server)

Nov 4 12:59:23.455: The PKCS #7 message contains 3 certificates.
Nov 4 12:59:23.527: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

Nov 4 12:59:23.603: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

Nov 4 12:59:23.615: CRYPTO_PKI: transaction PKCSReq completed
Nov 4 12:59:23.615: CRYPTO_PKI: status:
Nov 4 12:59:23.967: CRYPTO_PKI: can not resolve server name/IP address
Nov 4 12:59:23.967: CRYPTO_PKI: Using unresolved IP Address 195.1.134.100
Nov 4 12:59:23.979: CRYPTO_PKI: http connection opened Encryption
Certificate Request Fingerprint:
    344B627A E36CCA6D 2E1E5420 0044A957

Nov 4 12:59:26.331: CRYPTO_PKI: can not resolve server name/IP address
Nov 4 12:59:26.331: CRYPTO_PKI: Using unresolved IP Address 195.1.134.100
Nov 4 12:59:26.343: CRYPTO_PKI: http connection opened
Nov 4 12:59:28.347: CRYPTO_PKI: received msg of 1762 bytes
Nov 4 12:59:28.347: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 04 Nov 2006 12:58:57 GMT
Content-Length: 1616
Content-Type: application/x-pki-message

Nov 4 12:59:29.483: The PKCS #7 message has 1 verified signers.
Nov 4 12:59:29.483: signing cert: issuer=cn=cciesec-ca,c=US614832E01000B
Nov 4 12:59:29.483: Signed Attributes:

Nov 4 12:59:29.487: CRYPTO_PKI: status = 100: certificate is granted
Nov 4 12:59:29.491: pkcs7 open envelope failed (0x708):
Nov 4 12:59:29.491: CRYPTO_PKI: status = 1800: failed to open the envelope
Nov 4 12:59:29.491: %CRYPTO-6-CERTFAIL: Certificate enrollment failed.
R5(config)#
R5(config)#
R5(config)#cry isa identity add
R5(config)#cry isa identity address ?
  <cr>

R5(config)#cry isa identity address
R5(config)#
R5(config)#
R5(config)#
R5(config)#cry ca enroll server
Error: There is an enrollment transaction in progress.
Please wait or abort the current enrollment before
starting a new enrollment transaction.
R5(config)#cry ca enroll server
Nov 4 12:59:49.499: CRYPTO_PKI: received msg of 1762 bytes
Nov 4 12:59:49.499: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 04 Nov 2006 12:58:59 GMT
Content-Length: 1616
Content-Type: application/x-pki-message

Nov 4 12:59:50.615: The PKCS #7 message has 1 verified signers.
Nov 4 12:59:50.615: signing cert: issuer=cn=cciesec-ca,c=US614832E01000B
Nov 4 12:59:50.615: Signed Attributes:

Nov 4 12:59:50.619: CRYPTO_PKI: status = 100: certificate is granted
Nov 4 12:59:50.623: pkcs7 open envelope failed (0x708):
Nov 4 12:59:50.623: CRYPTO_PKI: status = 1800: failed to open the envelope
Nov 4 12:59:50.623: %CRYPTO-6-CERTFAIL: Certificate enrollment failed.

**** But if I add a host entry for my cert server and change the URL to
use the hostname instead, it works. Server205 is the actual name of the MS
server running Cert Server.

ip host server205 195.1.134.100
!
!
crypto ca trustpoint server
 enrollment mode ra
 enrollment url http://server205:80/certsrv/mscep/mscep.dll
 crl optional

Two questions:
1. Every example I see anywhere uses IP addresses and NO host entries.
What am I doing wrong here?
2. Can I expect to get the hostname for the Cert Server in the lab?

TIA
-secondie
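Added example, not part of the original post and not Cisco's code: a small Python parser that turns the `debug crypto pki` lines above into SCEP transaction events (the GetCACert request, the literal-IP host handling, the response Content-Type, the PKIOperation status codes) and reports where the enrollment broke. The sample lines are copied from the post's debug output, with the wrapped GET request joined onto one line. The Content-Type meanings are taken from the SCEP specification (RFC 8894); `scep_getcacert_url` is a hypothetical reconstruction of how the request path in the debug is formed from the `enrollment url` and trustpoint name, and the triage wording is the example's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote

# Constructed sample: lines copied from the post's "debug crypto pki" output,
# reduced to the lines that carry SCEP state (the wrapped GET request is joined).
SAMPLE_DEBUG = """\
Nov 4 12:59:22.411: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=server HTTP/1.0
Nov 4 12:59:22.411: CRYPTO_PKI: can not resolve server name/IP address
Nov 4 12:59:22.411: CRYPTO_PKI: Using unresolved IP Address 195.1.134.100
Nov 4 12:59:22.943: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-ra-cert
Content-Type indicates we have received CA and RA certificates.
Nov 4 12:59:23.615: CRYPTO_PKI: transaction PKCSReq completed
Nov 4 12:59:23.967: CRYPTO_PKI: Using unresolved IP Address 195.1.134.100
Nov 4 12:59:28.347: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Content-Type: application/x-pki-message
Nov 4 12:59:29.487: CRYPTO_PKI: status = 100: certificate is granted
Nov 4 12:59:29.491: pkcs7 open envelope failed (0x708):
Nov 4 12:59:29.491: CRYPTO_PKI: status = 1800: failed to open the envelope
Nov 4 12:59:29.491: %CRYPTO-6-CERTFAIL: Certificate enrollment failed.
"""

# What a SCEP client may receive in Content-Type (RFC 8894) and what it implies
# about the body the router has to parse.
SCEP_CONTENT_TYPES = {
    "application/x-x509-ca-cert": "ca-cert-only",        # one DER CA certificate
    "application/x-x509-ca-ra-cert": "ca-and-ra-certs",  # degenerate PKCS#7 holding CA + RA certs
    "application/x-pki-message": "pki-message",          # signed/enveloped PKIOperation reply
}


@dataclass
class Event:
    kind: str
    value: str


# One regex per debug line type we care about; first match wins.
LINE_PATTERNS = [
    ("request", re.compile(r"operation=(\w+)&message=\w+")),
    ("unresolved_ip", re.compile(r"Using unresolved IP Address (\S+)")),
    ("content_type", re.compile(r"^\s*Content-Type:\s*(\S+)")),
    ("transaction", re.compile(r"transaction (\w+) completed")),
    ("status", re.compile(r"CRYPTO_PKI: status = (\d+): (.*)$")),
    ("envelope_failed", re.compile(r"pkcs7 open envelope failed \((0x[0-9a-fA-F]+)\)")),
    ("enrollment_failed", re.compile(r"%CRYPTO-6-CERTFAIL: (.*)$")),
]


def scep_getcacert_url(enrollment_url, trustpoint):
    """Hypothetical reconstruction of the GetCACert URL seen in the debug:
    enrollment url + /pkiclient.exe?operation=GetCACert&message=<trustpoint>."""
    return (enrollment_url.rstrip("/")
            + "/pkiclient.exe?operation=GetCACert&message=" + quote(trustpoint))


def parse_events(text):
    """Turn raw debug lines into a list of Event(kind, value)."""
    events = []
    for line in text.splitlines():
        for kind, pat in LINE_PATTERNS:
            m = pat.search(line)
            if m:
                # status lines carry a code and a text; keep both as "code:text"
                value = f"{m.group(1)}:{m.group(2)}" if kind == "status" else m.group(1)
                events.append(Event(kind, value))
                break
    return events


def summarize(events):
    """Collapse the event stream into the facts a triage needs."""
    s = {"operations": [], "unresolved_ips": [], "ca_response": None, "transactions": [],
         "pki_messages": 0, "status_codes": [], "granted": False,
         "envelope_failed": False, "enrollment_failed": False}
    for ev in events:
        if ev.kind == "request":
            s["operations"].append(ev.value)
        elif ev.kind == "unresolved_ip" and ev.value not in s["unresolved_ips"]:
            s["unresolved_ips"].append(ev.value)  # host used as a literal IP, no DNS lookup
        elif ev.kind == "content_type":
            meaning = SCEP_CONTENT_TYPES.get(ev.value, "unknown")
            if meaning in ("ca-cert-only", "ca-and-ra-certs"):
                s["ca_response"] = meaning
            elif meaning == "pki-message":
                s["pki_messages"] += 1
        elif ev.kind == "transaction":
            s["transactions"].append(ev.value)
        elif ev.kind == "status":
            code = int(ev.value.partition(":")[0])
            s["status_codes"].append(code)
            if code == 100:          # "certificate is granted" in the debug
                s["granted"] = True
        elif ev.kind == "envelope_failed":
            s["envelope_failed"] = True
        elif ev.kind == "enrollment_failed":
            s["enrollment_failed"] = True
    return s


def triage(s):
    """Human-readable findings; wording is this example's, not IOS text."""
    findings = []
    if s["unresolved_ips"]:
        findings.append("Enrollment URL host used as a literal IP: " + ", ".join(s["unresolved_ips"]))
    if s["ca_response"]:
        findings.append(f"GetCACert answered with: {s['ca_response']}")
    if s["granted"] and s["envelope_failed"]:
        findings.append("CA granted the request (status 100) but the router could not open the "
                        "PKCS#7 envelope (status 1800): the reply was issued but not decrypted locally")
    elif s["granted"]:
        findings.append("Certificate granted (status 100)")
    if s["enrollment_failed"]:
        findings.append("Final result: %CRYPTO-6-CERTFAIL")
    return findings


if __name__ == "__main__":
    for line in triage(summarize(parse_events(SAMPLE_DEBUG))):
        print(line)
```

Run over the transcript from the post, the summary shows the two phases separately: GetCACert came back with a CA-and-RA-certificate PKCS#7, the PKIOperation reply carried status 100 (granted), and the failure is only at opening the enveloped reply on the router. That separation is the first thing to establish when reading a failed `debug crypto pki`, because a CA that refuses the request and a reply the client cannot decrypt leave different evidence on the CA side.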



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART