SCEP CA problem

From: Rob Chee (robgroups@cox.net)
Date: Sat Jul 21 2007 - 21:08:21 ART


I'm having a hard time getting a Win 2000 Server CA running SCEP to
authenticate to a router running c2600-ik9o3s3-mz.123-22.bin

Here's how I have it set up
1. I had a hard time finding SCEP, but I did find it at the following
link http://www.klake.org/~jt/sscep/w2kca.html
2. I made sure time on the CA server and on the router are in the same
timezone and matching

Here's the debug message I get using "debug crypto pki transaction" when
I try to authenticate to the CA using "crypto ca authenticate server"

Error message (debug crypto pki transaction)

2-2610(config)#crypto ca authenticate ca2
Error in receiving Certificate Authority certificate: status = FAIL,
cert length = 0

2-2610(config)#
1:16:18: CRYPTO_PKI: Sending CA Certificate Request:
ET
/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2
HTTP/1.0

1:16:18: CRYPTO_PKI: http connection opened
1:16:18: CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 20 Jul 2007 02:10:56 GMT
Content-Length: 3494
Content-Type: application/x-x509-ca-ra-cert

Content-Type indicates we have received CA and RA certificates.

1:16:18: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)

1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed
1:16:19: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795

1:16:19: CRYPTO_PKI: Unable to read CA/RA certificates.
1:16:19: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA certificates.
1:16:19: CRYPTO_PKI: transaction GetCACert completed

Here are the relevant parts of my config

clock timezone EDT -5
clock summer-time EDT recurring last Sun Mar 2:00 last Sun Oct 3:00
ip domain name ccielab.com
ip host server 10.1.1.100

crypto ca trustpoint ca2
enrollment mode ra
enrollment url http://server:80/certsrv/mscep/mscep.dll

If you look at the link where I got sscep, you'll see that they are
talking about using a linux client called sscep as the scep client. I
ran that client and successfully downloaded the CA certificates, so I
know that the CA is setup correctly. Here's the output from running
sscep
[root@amdsempron sscep]# ./sscep getca -f sscep.conf
./sscep: requesting CA certificate
./sscep: valid response from server

./sscep: found certificate with
  subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
  issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
  usage: Digital Signature
  SHA1 fingerprint:
4B:4B:63:03:28:FD:28:6E:57:B7:6B:5F:24:15:E8:B3:54:BF:33:D1
./sscep: certificate written as ./ca.crt-0

./sscep: found certificate with
  subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
  issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
  usage: Key Encipherment
  SHA1 fingerprint:
CA:DE:EF:07:42:C8:44:26:27:27:67:33:2F:53:1E:3E:FD:9C:2F:BC
./sscep: certificate written as ./ca.crt-1

./sscep: found certificate with
  subject: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
  issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
  usage: Non Repudiation, Certificate Sign, CRL Sign
  SHA1 fingerprint:
96:8C:0B:7E:08:05:E3:B6:EC:A3:5C:A5:2C:64:EA:A3:C1:C4:45:64
./sscep: certificate written as ./ca.crt-2
[root@amdsempron sscep]#

Let me know if you can think of a reason why SCEP isn't working on the
router.

Thanks,

Rob
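Added example, not part of Rob's post and not IOS or sscep code: the failing step in the debug above (crypto_pkcs7_extract_ca_cert after "Content-Type indicates we have received CA and RA certificates") is the router pulling certificates out of a degenerate PKCS#7 SignedData, so a small DER walker over the body the CA actually returns (saved with sscep or a browser) tells you whether the blob has that structure at all or the CA is answering with something else. The DER helpers, the sample builder and the stand-in certificates are constructed here; only the content type and the PKCS#7 OIDs are standard.

```python
import hashlib
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def _tlv(buf, pos):  # read one DER tag/length/value; return (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length, needed for real multi-KB responses
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def extract_certs(blob):
    """Return the DER certificates inside a degenerate PKCS#7 SignedData,
    the body of an application/x-x509-ca-ra-cert GetCACert response."""
    tag, ci, _ = _tlv(blob, 0)
    t2, oid, pos = _tlv(ci, 0)
    if tag != 0x30 or t2 != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    tag, wrapper, _ = _tlv(ci, pos)  # [0] EXPLICIT SignedData
    t2, sd, _ = _tlv(wrapper, 0)
    if tag != 0xA0 or t2 != 0x30:
        raise ValueError("malformed SignedData wrapper")
    pos = 0
    for _ in range(3):  # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = _tlv(sd, pos)
    tag, certset, _ = _tlv(sd, pos)
    if tag != 0xA0:
        raise ValueError("SignedData carries no certificates [0]")
    certs, pos = [], 0
    while pos < len(certset):  # each entry is one DER Certificate
        _, _, nxt = _tlv(certset, pos)
        certs.append(certset[pos:nxt])
        pos = nxt
    return certs

def sha1_fingerprint(cert):  # same colon-separated form sscep prints
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert).digest())

def _der(tag, body):  # short-form DER encoder, enough for the constructed sample
    return bytes([tag, len(body)]) + body
def build_ca_ra_response(certs):  # constructed sample of a CA/RA GetCACert body
    sd = (_der(0x02, b"\x01") + _der(0x31, b"")
          + _der(0x30, _der(0x06, OID_SIGNED_DATA[:-1] + b"\x01"))  # id-data
          + _der(0xA0, b"".join(certs)) + _der(0x31, b""))
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, _der(0x30, sd)))

SAMPLE_CERTS = [_der(0x30, b"\x02\x01\x01"), _der(0x30, b"\x02\x01\x02")]  # constructed stand-ins, not real X.509
```

On a real response, compare the fingerprints this prints for each extracted certificate with the three sscep reports above; a ValueError from extract_certs points at the blob itself rather than at the router.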



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART