Unable to get the RA certificates on IOS

From: Kal Han (calikali2006@gmail.com)
Date: Wed Nov 15 2006 - 18:41:40 ART


Hi,
I am not able to get the RA certificate after the authentication/enrollment
process.
I am just getting the CA certificate. My IKE is failing when I try to use
certificates.
How can I get the RA Signature & Encipher certificates on a router? I don't know
what's wrong, but this used to work before. (PIX is fine.)

Here is my related config.

crypto ca trustpoint root
 enrollment retry count 20
 enrollment mode ra
 enrollment url http://filter-test8:80/certsrv/mscep/mscep.dll
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cciesec address 195.1.113.10
crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
crypto isakmp key cciesec hostname PIX.cisco.com
crypto isakmp identity hostname
!
!
crypto ipsec transform-set ts esp-3des esp-sha-hmac
!
crypto map cm 10 ipsec-isakmp
 set peer 195.1.113.10
 set transform-set ts
 match address 198

****************************************************************

R3(config)#cry ca authenticate root
Certificate has the following attributes:
Fingerprint: 0BD408B3 C66EC15D DA2721EF 9A43EF20
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R3(config)#
R3(config)#
R3(config)#do sh cry ca cert
CA Certificate
  Status: Available
  Certificate Serial Number: 3640DE961861A6A744071A3404C6C173
  Certificate Usage: Signature
  Issuer:
    CN = MS CA Server
     OU = Lab
     O = Exam
     L = San Jose
     ST = CA
     C = US
     EA = root@mymscaserver.com
  Subject:
    CN = MS CA Server
     OU = Lab
     O = Exam
     L = San Jose
     ST = CA
     C = US
     EA = root@mymscaserver.com
  CRL Distribution Point:
    http://filter-test8/CertEnroll/MS%20CA%20Server.crl
  Validity Date:
    start date: 09:55:28 PST Aug 24 2006
    end date: 10:03:16 PST Aug 24 2009
  Associated Trustpoints: root

*After Enrolling*

R3#sh cry ca cert
Certificate
  Status: Available
  Certificate Serial Number: 4321F68900000000002E
  Certificate Usage: General Purpose
  Issuer:
    CN = MS CA Server
     OU = Lab
     O = Exam
     L = San Jose
     ST = CA
     C = US
     EA = root@mymscaserver.com
  Subject:
    Name: R3.cisco.com
    OID.1.2.840.113549.1.9.2 = R3.cisco.com
  CRL Distribution Point:
    http://filter-test8/CertEnroll/MS%20CA%20Server.crl
  Validity Date:
    start date: 13:22:40 PST Nov 15 2006
    end date: 13:32:40 PST Nov 15 2007
    renew date: 16:00:00 PST Dec 31 1969
  Associated Trustpoints: root

CA Certificate
  Status: Available
  Certificate Serial Number: 3640DE961861A6A744071A3404C6C173
  Certificate Usage: Signature
  Issuer:
    CN = MS CA Server
     OU = Lab
     O = Exam
     L = San Jose
     ST = CA
     C = US
     EA = root@mymscaserver.com
  Subject:
    CN = MS CA Server
     OU = Lab
     O = Exam
     L = San Jose
     ST = CA
     C = US
     EA = root@mymscaserver.com
  CRL Distribution Point:
    http://filter-test8/CertEnroll/MS%20CA%20Server.crl
  Validity Date:
    start date: 09:55:28 PST Aug 24 2006
    end date: 10:03:16 PST Aug 24 2009
  Associated Trustpoints: root

*Why is this?*
*On my PIX everything is fine.*
*Is there anything different for a router (other than setting the enrollment mode as ra)?*
*Here is what I see on the PIX.*

PIX(config)# sh ca cert
Certificate
  Status: Available
  Certificate Serial Number: 4302325600000000002d
  Key Usage: General Purpose
  Subject Name:
    CN = PIX.cisco.com
    UNSTRUCTURED NAME = PIX.cisco.com
  Validity Date:
    start date: 12:47:58 PST Nov 15 2006
    end date: 12:57:58 PST Nov 15 2007

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 61053a03000000000004
  Key Usage: Signature
    CN = Cisco SCEP Root
    OU = Lab
    O = Exam
    L = San Jose
    ST = CA
    C = US
    EA = mysceproot@ciscosceproot.com
  Validity Date:
    start date: 10:30:26 PST Aug 24 2006
    end date: 10:40:26 PST Aug 24 2007

CA Certificate
  Status: Available
  Certificate Serial Number: 3640de961861a6a744071a3404c6c173
  Key Usage: Signature
    CN = MS CA Server
    OU = Lab
    O = Exam
    L = San Jose
    ST = CA
    C = US
    EA = root@mymscaserver.com
  Validity Date:
    start date: 09:55:28 PST Aug 24 2006
    end date: 10:03:16 PST Aug 24 2009

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 61053ace000000000005
  Key Usage: Encryption
    CN = Cisco SCEP Root
    OU = Lab
    O = Exam
    L = San Jose
    ST = CA
    C = US
    EA = mysceproot@ciscosceproot.com
  Validity Date:
    start date: 10:30:27 PST Aug 24 2006
    end date: 10:40:27 PST Aug 24 2007

PIX(config)#

Thanks
Kal
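As an added example (not part of Kal's post or of any Cisco tool), a small Python check that parses `show crypto ca certificates` style output in both the IOS and PIX field spellings shown above and reports which members of the RA-mode certificate chain (CA, RA Signature, RA KeyEncipher) are not present as Available. The two sample outputs are constructed and abbreviated from the post.

```python
import re
# Constructed sample input, abbreviated from the show output in the post: the
# router holds only its own certificate and the CA certificate, while the PIX
# also holds the RA Signature and RA KeyEncipher certificates.
ROUTER_OUTPUT = """\
Certificate
  Status: Available
  Certificate Usage: General Purpose
CA Certificate
  Status: Available
  Certificate Usage: Signature
"""
PIX_OUTPUT = """\
Certificate
  Status: Available
  Key Usage: General Purpose
RA Signature Certificate
  Status: Available
  Key Usage: Signature
CA Certificate
  Status: Available
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Key Usage: Encryption
"""
# Indented "key: value" lines belong to the current block. IOS labels the usage
# field "Certificate Usage" where the PIX says "Key Usage"; both map to "usage".
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<val>.*)$")
FIELD_NAMES = {"Status": "status", "Certificate Serial Number": "serial",
               "Certificate Usage": "usage", "Key Usage": "usage"}
RA_MODE_CHAIN = ("CA Certificate", "RA Signature Certificate", "RA KeyEncipher Certificate")

def parse_certs(text):
    # One dict per certificate block; a block starts at an unindented line
    # ending in "Certificate" (e.g. "CA Certificate", "RA Signature Certificate").
    certs = []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith("Certificate"):
            certs.append({"kind": line.strip()})
        elif certs:
            field = FIELD_RE.match(line)
            if field and field.group("key") in FIELD_NAMES:
                certs[-1][FIELD_NAMES[field.group("key")]] = field.group("val").strip().lower()
    return certs

def missing_ra_chain(text):
    # Which certificates of the RA-mode chain are not reported as Available?
    present = {c["kind"] for c in parse_certs(text) if c.get("status") == "available"}
    return [kind for kind in RA_MODE_CHAIN if kind not in present]
```

Run against the router output it lists both RA certificates as missing, which matches the symptom in the post; against the PIX output it returns an empty list.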



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:47 ART