From: Rob Chee (robgroups@cox.net)
Date: Sun Jul 22 2007 - 14:43:17 ART
I'm having the same problem with that extra command entered.
Debug output ("debug crypto pki transactions" and "debug crypto pki messages"):
Jul 21 17:41:19.431: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2 HTTP/1.0
Jul 21 17:41:19.439: CRYPTO_PKI: http connection opened
Jul 21 17:41:19.916: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 22 Jul 2007 17:41:20 GMT
Content-Length: 3494
Content-Type: application/x-x509-ca-ra-cert
Content-Type indicates we have received CA and RA certificates.
Jul 21 17:41:19.920: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
Jul 21 17:41:20.505: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
Jul 21 17:41:20.505: crypto_certc_pkcs7_extract_certs_and_crls failed
Jul 21 17:41:20.517: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
Jul 21 17:41:20.521: CRYPTO_PKI: Unable to read CA/RA certificates.
Jul 21 17:41:20.521: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA certificates.
Jul 21 17:41:20.521: CRYPTO_PKI: transaction GetCACert completed
R2(config)#
Config
crypto ca trustpoint ca2
 enrollment mode ra
 enrollment url http://server:80/certsrv/mscep/mscep.dll
 crl optional
Saheed Balogun wrote:
> Hi Rob,
> You need to include:
> crypto ca trustpoint ca2
>     crl-optional
>
> On 7/22/07, Rob Chee <robgroups@cox.net> wrote:
>
>     I'm having a hard time getting a Win 2000 Server CA running SCEP to
>     authenticate to a router running c2600-ik9o3s3-mz.123-22.bin
>
>     Here's how I have it set up
>     1.  I had a hard time finding SCEP, but I did find it at the following
>     link http://www.klake.org/~jt/sscep/w2kca.html
>     2.  I made sure time on the CA server and on the router are in the same
>     timezone and matching
>
>     Here's the debug message I get using "debug crypto pki transaction" when
>     I try to authenticate to the CA using "crypto ca authenticate server"
>
>     Error message (debug crypto pki transaction)
>
>     2-2610(config)#crypto ca authenticate ca2
>     Error in receiving Certificate Authority certificate: status = FAIL,
>     cert length = 0
>
>     2-2610(config)#
>     1:16:18: CRYPTO_PKI: Sending CA Certificate Request:
>     GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2 HTTP/1.0
>
>
>     1:16:18: CRYPTO_PKI: http connection opened
>     1:16:18: CRYPTO_PKI: HTTP response header:
>     HTTP/1.1 200 OK
>     Server: Microsoft-IIS/5.0
>     Date: Fri, 20 Jul 2007 02:10:56 GMT
>     Content-Length: 3494
>     Content-Type: application/x-x509-ca-ra-cert
>
>     Content-Type indicates we have received CA and RA certificates.
>
>     1:16:18: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
>
>     1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
>     1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed
>     1:16:19: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
>
>     1:16:19: CRYPTO_PKI: Unable to read CA/RA certificates.
>     1:16:19: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA certificates.
>     1:16:19: CRYPTO_PKI: transaction GetCACert completed
>
>
>     Here's the relevant parts of my config
>
>     clock timezone EDT -5
>     clock summer-time EDT recurring last Sun Mar 2:00 last Sun Oct 3:00
>     ip domain name ccielab.com
>     ip host server 10.1.1.100
>
>     crypto ca trustpoint ca2
>     enrollment mode ra
>     enrollment url http://server:80/certsrv/mscep/mscep.dll
>
>     If you look at the link where I got sscep, you'll see that they are
>     talking about using a linux client called sscep as the scep client.  I
>     ran that client and successfully downloaded the CA certificates, so I
>     know that the CA is set up correctly.  Here's the output from running
>     sscep:
>     [root@amdsempron sscep]# ./sscep getca -f sscep.conf
>     ./sscep: requesting CA certificate
>     ./sscep: valid response from server
>
>     ./sscep: found certificate with
>     subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
>     issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>     usage: Digital Signature
>     SHA1 fingerprint:
>     4B:4B:63:03:28:FD:28:6E:57:B7:6B:5F:24:15:E8:B3:54:BF:33:D1
>     ./sscep: certificate written as ./ca.crt-0
>
>     ./sscep: found certificate with
>     subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
>     issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>     usage: Key Encipherment
>     SHA1 fingerprint:
>     CA:DE:EF:07:42:C8:44:26:27:27:67:33:2F:53:1E:3E:FD:9C:2F:BC
>     ./sscep: certificate written as ./ca.crt-1
>
>     ./sscep: found certificate with
>     subject: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>     issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>     usage: Non Repudiation, Certificate Sign, CRL Sign
>     SHA1 fingerprint:
>     96:8C:0B:7E:08:05:E3:B6:EC:A3:5C:A5:2C:64:EA:A3:C1:C4:45:64
>     ./sscep: certificate written as ./ca.crt-2
>     [root@amdsempron sscep]#
>
>
>     Let me know if you can think of a reason why SCEP isn't working on the
>     router.
>
>
>     Thanks,
>
>     Rob
>
>     _______________________________________________________________________
>     Subscription information may be found at:
>     http://www.groupstudy.com/list/CCIELab.html
>
> -- 
> Saheed Balogun [CCIE (R&S) #16376]
> Network Security Specialist
> Resourcery Limited,
> Nigeria 
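Added example (my own code, not from this thread, from IOS or from sscep): a stand-alone parser that does the step the router's crypto_pkcs7_extract_ca_cert failed on above, pulling the certificates out of a GetCACert reply. It distinguishes a CA-only reply (application/x-x509-ca-cert, one bare DER certificate) from a CA+RA reply (application/x-x509-ca-ra-cert, a signers-less PKCS#7 signedData whose certificate set carries the CA and RA certs), rejects truncated or non-signedData bodies with a ValueError instead of a bare error code, and prints fingerprints in the form sscep shows, so a CA's raw HTTP reply can be checked off the router. The sample reply is constructed here from placeholder DER SEQUENCEs, not real certificates.

```python
import hashlib
from typing import List, Tuple

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # pkcs7-signedData, 1.2.840.113549.1.7.2

def _tlv(data: bytes, pos: int) -> Tuple[int, int, int]:  # -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                     # long-form DER length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length

def _children(data: bytes, start: int, end: int) -> List[Tuple[int, int, int, int]]:
    out, pos = [], start                                  # (tag, tlv_start, value_start, value_end)
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out

def extract_ca_certs(body: bytes, content_type: str) -> List[bytes]:
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/x-x509-ca-cert":
        return [body]                                     # CA only: the body is one bare certificate
    if ctype != "application/x-x509-ca-ra-cert":
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    # CA+RA: ContentInfo { signedData OID, [0] EXPLICIT SignedData }; certs sit in SignedData's [0] set
    tag, vs, ve = _tlv(body, 0)
    (otag, _, os_, oe), (ctag, _, c0, _) = _children(body, vs, ve)  # ValueError unless 2 elements
    if tag != 0x30 or otag != 0x06 or body[os_:oe] != OID_SIGNED_DATA or ctag != 0xA0:
        raise ValueError("body is not a PKCS#7 signedData ContentInfo")
    _, sd_start, sd_end = _tlv(body, c0)                  # the SignedData SEQUENCE itself
    certs: List[bytes] = []
    for tag, _, cs, ce in _children(body, sd_start, sd_end):
        if tag == 0xA0:                                   # [0] IMPLICIT CertificateSet
            certs += [body[s:e] for t, s, _, e in _children(body, cs, ce) if t == 0x30]
    return certs

def sha1_fingerprint(cert: bytes) -> str:                # same form sscep prints
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert).digest())
def _der(tag: int, value: bytes) -> bytes:               # short-form DER, enough for the sample
    return bytes([tag, len(value)]) + value
def build_ca_ra_reply(certs: List[bytes]) -> bytes:      # what a CA sends for x-x509-ca-ra-cert
    signed = (_der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")))
              + _der(0xA0, b"".join(certs)) + _der(0x31, b""))    # version, digestAlgs, data, certs, signers
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, _der(0x30, signed)))

# Constructed stand-ins for the CA and RA certificates: plain DER SEQUENCEs, not real X.509.
SAMPLE_CA, SAMPLE_RA = _der(0x30, _der(0x0C, b"CA placeholder")), _der(0x30, _der(0x0C, b"RA placeholder"))
```

To check a real CA, save the body of the GetCACert HTTP reply to a file and pass its bytes with the Content-Type header value to extract_ca_certs; each returned element is one DER certificate.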
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART