From: saheed Balogun (saheedb@gmail.com)
Date: Sun Jul 22 2007 - 07:21:35 ART
Hi Rob,
You need to include:
crypto ca trustpoint ca2
*crl-optional
*
On 7/22/07, Rob Chee <robgroups@cox.net> wrote:
>
> I'm having a hard time getting a Win 2000 Server CA running SCEP to
> authenticate to a router running c2600-ik9o3s3-mz.123-22.bin
>
> Here's how I have it setup
> 1. I had a hard time finding SCEP, but I did find it at the following
> link http://www.klake.org/~jt/sscep/w2kca.html
> 2. I made sure time on the CA server and on the router are in the same
> timezone and matching
>
> Here's the debug message I get using "debug crypto pki transaction" when
> I try to authenticate to the CA using "crypto ca authenticate server"
>
> Error message (debug crypto pki transaction)
>
> 2-2610(config)#crypto ca authenticate ca2
> Error in receiving Certificate Authority certificate: status = FAIL,
> cert length = 0
>
> 2-2610(config)#
> 1:16:18: CRYPTO_PKI: Sending CA Certificate Request:
> ET
> /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2
> HTTP/1.0
>
>
> 1:16:18: CRYPTO_PKI: http connection opened
> 1:16:18: CRYPTO_PKI: HTTP response header:
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Fri, 20 Jul 2007 02:10:56 GMT
> Content-Length: 3494
> Content-Type: application/x-x509-ca-ra-cert
>
> Content-Type indicates we have received CA and RA certificates.
>
> 1:16:18: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
>
> 1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
> 1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed
> 1:16:19: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
>
> 1:16:19: CRYPTO_PKI: Unable to read CA/RA certificates.
> 1:16:19: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA certificates.
> 1:16:19: CRYPTO_PKI: transaction GetCACert completed
>
>
> Here's the relevant parts of my config
>
> clock timezone EDT -5
> clock summer-time EDT recurring last Sun Mar 2:00 last Sun Oct 3:00
> ip domain name ccielab.com
> ip host server 10.1.1.100
>
> crypto ca trustpoint ca2
> enrollment mode ra
> enrollment url http://server:80/certsrv/mscep/mscep.dll
>
> If you look at the link where I got sscep, you'll see that they are
> talking about using a linux client called sscep as the scep client. I
> ran that client and successfully downloaded the CA certificates, so I
> know that the CA is setup correcty. Here's the output from the running
> sscep
> [root@amdsempron sscep]# ./sscep getca -f sscep.conf
> ./sscep: requesting CA certificate
> ./sscep: valid response from server
>
> ./sscep: found certificate with
> subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
> usage: Digital Signature
> SHA1 fingerprint:
> 4B:4B:63:03:28:FD:28:6E:57:B7:6B:5F:24:15:E8:B3:54:BF:33:D1
> ./sscep: certificate written as ./ca.crt-0
>
> ./sscep: found certificate with
> subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
> usage: Key Encipherment
> SHA1 fingerprint:
> CA:DE:EF:07:42:C8:44:26:27:27:67:33:2F:53:1E:3E:FD:9C:2F:BC
> ./sscep: certificate written as ./ca.crt-1
>
> ./sscep: found certificate with
> subject: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
> usage: Non Repudiation, Certificate Sign, CRL Sign
> SHA1 fingerprint:
> 96:8C:0B:7E:08:05:E3:B6:EC:A3:5C:A5:2C:64:EA:A3:C1:C4:45:64
> ./sscep: certificate written as ./ca.crt-2
> [root@amdsempron sscep]#
>
>
> Let me know if you can think of a reason why SCEP isn't working on the
> router?
>
>
> Thanks,
>
> Rob
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
-- Saheed Balogun [CCIE (R&S) #16376] Network Security Specialist Resourcery Limited, Nigeria
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART