From: Sasa Milic (smilic2@pexim.co.yu)
Date: Mon Jul 23 2007 - 09:32:48 ART
Rob,
you have installed SCEP on the CA server, right? It is an additional application,
not included with the MS CA server. When you open the page
http://server:80/certsrv/mscep/mscep.dll from your workstation, do you see the
SCEP page?
Regards,
Sasa
----------------------------------
Sasa Milic, CCIE #8635 (R&S), CCSP
http://www.linkedin.com/in/smilic
----- Original Message -----
From: "Rob Chee" <robgroups@cox.net>
To: "saheed Balogun" <saheedb@gmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Sunday, July 22, 2007 7:43 PM
Subject: Re: SCEP CA problem
> I'm having the same problem with that extra command entered.
>
>
> Debug output "debug crypto pki transactions" "debug crypto pki messages"
> Jul 21 17:41:19.431: CRYPTO_PKI: Sending CA Certificate Request:
> GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2
> HTTP/1.0
>
>
> Jul 21 17:41:19.439: CRYPTO_PKI: http connection opened
> Jul 21 17:41:19.916: CRYPTO_PKI: HTTP response header:
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Sun, 22 Jul 2007 17:41:20 GMT
> Content-Length: 3494
> Content-Type: application/x-x509-ca-ra-cert
>
> Content-Type indicates we have received CA and RA certificates.
>
> Jul 21 17:41:19.920: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
>
> Jul 21 17:41:20.505: crypto_certc_pkcs7_extract_certs_and_crls failed
> (1795):
> Jul 21 17:41:20.505: crypto_certc_pkcs7_extract_certs_and_crls failed
> Jul 21 17:41:20.517: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
>
> Jul 21 17:41:20.521: CRYPTO_PKI: Unable to read CA/RA certificates.
> Jul 21 17:41:20.521: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA
> certificates.
> Jul 21 17:41:20.521: CRYPTO_PKI: transaction GetCACert completed
> R2(config)#
>
> Config
> crypto ca trustpoint ca2
> enrollment mode ra
> enrollment url http://server:80/certsrv/mscep/mscep.dll
> crl optional
>
> saheed Balogun wrote:
>> Hi Rob,
>> You need to include:
>> crypto ca trustpoint ca2
>> crl-optional
>> On 7/22/07, Rob Chee <robgroups@cox.net> wrote:
>>
>> I'm having a hard time getting a Win 2000 Server CA running SCEP to
>> authenticate to a router running c2600-ik9o3s3-mz.123-22.bin
>>
>> Here's how I have it setup
>> 1. I had a hard time finding SCEP, but I did find it at the following
>> link: http://www.klake.org/~jt/sscep/w2kca.html
>> 2. I made sure the time on the CA server and on the router are in the
>> same timezone and matching
>>
>> Here's the debug message I get using "debug crypto pki transaction"
>> when I try to authenticate to the CA using "crypto ca authenticate server"
>>
>> Error message (debug crypto pki transaction)
>>
>> 2-2610(config)#crypto ca authenticate ca2
>> Error in receiving Certificate Authority certificate: status = FAIL,
>> cert length = 0
>>
>> 2-2610(config)#
>> 1:16:18: CRYPTO_PKI: Sending CA Certificate Request:
>> GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2
>> HTTP/1.0
>>
>>
>> 1:16:18: CRYPTO_PKI: http connection opened
>> 1:16:18: CRYPTO_PKI: HTTP response header:
>> HTTP/1.1 200 OK
>> Server: Microsoft-IIS/5.0
>> Date: Fri, 20 Jul 2007 02:10:56 GMT
>> Content-Length: 3494
>> Content-Type: application/x-x509-ca-ra-cert
>>
>> Content-Type indicates we have received CA and RA certificates.
>>
>> 1:16:18: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
>>
>> 1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
>> 1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed
>> 1:16:19: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
>>
>> 1:16:19: CRYPTO_PKI: Unable to read CA/RA certificates.
>> 1:16:19: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA certificates.
>> 1:16:19: CRYPTO_PKI: transaction GetCACert completed
>>
>>
>> Here's the relevant parts of my config
>>
>> clock timezone EDT -5
>> clock summer-time EDT recurring last Sun Mar 2:00 last Sun Oct 3:00
>> ip domain name ccielab.com
>> ip host server 10.1.1.100
>>
>> crypto ca trustpoint ca2
>> enrollment mode ra
>> enrollment url http://server:80/certsrv/mscep/mscep.dll
>>
>> If you look at the link where I got sscep, you'll see that they are
>> talking about using a linux client called sscep as the scep client. I
>> ran that client and successfully downloaded the CA certificates, so I
>> know that the CA is set up correctly. Here's the output from running
>> sscep:
>> [root@amdsempron sscep]# ./sscep getca -f sscep.conf
>> ./sscep: requesting CA certificate
>> ./sscep: valid response from server
>>
>> ./sscep: found certificate with
>> subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>> usage: Digital Signature
>> SHA1 fingerprint:
>> 4B:4B:63:03:28:FD:28:6E:57:B7:6B:5F:24:15:E8:B3:54:BF:33:D1
>> ./sscep: certificate written as ./ca.crt-0
>>
>> ./sscep: found certificate with
>> subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>> usage: Key Encipherment
>> SHA1 fingerprint:
>> CA:DE:EF:07:42:C8:44:26:27:27:67:33:2F:53:1E:3E:FD:9C:2F:BC
>> ./sscep: certificate written as ./ca.crt-1
>>
>> ./sscep: found certificate with
>> subject: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>> usage: Non Repudiation, Certificate Sign, CRL Sign
>> SHA1 fingerprint:
>> 96:8C:0B:7E:08:05:E3:B6:EC:A3:5C:A5:2C:64:EA:A3:C1:C4:45:64
>> ./sscep: certificate written as ./ca.crt-2
>> [root@amdsempron sscep]#
>>
>>
>> Let me know if you can think of a reason why SCEP isn't working on
>> the router?
>>
>>
>> Thanks,
>>
>> Rob
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>> --
>> Saheed Balogun [CCIE (R&S) #16376]
>> Network Security Specialist
>> Resourcery Limited,
>> Nigeria
>
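The step that fails in the debug above (crypto_pkcs7_extract_ca_cert on a reply whose Content-Type is application/x-x509-ca-ra-cert) is the client unwrapping a degenerate PKCS#7 signedData to get at the CA and RA certificates. The script below, an added example that is not code from anyone in this thread, from Cisco or from Microsoft, does that unwrapping with the standard library only, so a GetCACert body saved from a browser or from sscep can be checked outside the router. The sample replies at the bottom are constructed fixtures, and the "certificates" inside them are placeholder DER SEQUENCEs rather than real X.509, because the walker only splits the certificate bag and fingerprints each element without parsing a certificate's contents. Two of the fixtures reproduce things a practitioner should rule out: a bare certificate served under the ca-ra Content-Type, and an IIS error page served with 200 OK.

```python
"""Walk a SCEP GetCACert reply the way a client's PKCS#7 extraction step must.
Added example for this thread, not code from the posters, Cisco or Microsoft;
standard library only.  application/x-x509-ca-cert carries one bare DER cert,
application/x-x509-ca-ra-cert a degenerate PKCS#7 signedData (certificates only,
no signers).  Fixtures at the bottom are constructed; their "certs" are
placeholder DER SEQUENCEs, not real X.509, since nothing here looks inside one."""
import hashlib

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der_read(buf, pos=0):
    """Return (tag, value, end) for the TLV at buf[pos:]; definite lengths only."""
    if pos + 2 > len(buf): raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 3:
            raise ValueError("indefinite or oversized DER length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("DER element overruns the body")
    return tag, buf[pos + hdr:end], end

def der_children(value):
    """Split a constructed value into (tag, inner, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, nxt = der_read(value, pos)
        out.append((tag, inner, value[pos:nxt]))
        pos = nxt
    return out

def extract_certs(content_type, body):
    """Return the DER certificates in a GetCACert reply, or raise ValueError
    naming the first thing a SCEP client would trip over."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/x-x509-ca-cert":
        tag, _, end = der_read(body)
        if tag != 0x30 or end != len(body):
            raise ValueError("x-x509-ca-cert body is not one DER SEQUENCE")
        return [bytes(body)]
    if ct != "application/x-x509-ca-ra-cert":
        # IIS can answer 200 OK with text/html when mscep.dll itself fails.
        raise ValueError("not a GetCACert reply: Content-Type %r" % content_type)
    tag, ci, end = der_read(body)
    if tag != 0x30 or end != len(body):
        raise ValueError("body is not one DER SEQUENCE (ContentInfo)")
    parts = der_children(ci)
    if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
        raise ValueError("ContentInfo is not {OID, [0] EXPLICIT content}")
    if parts[0][1] != OID_SIGNED_DATA:
        raise ValueError("ContentInfo type is not signedData")
    sd_tag, sd, _ = der_read(parts[1][1])
    if sd_tag != 0x30: raise ValueError("[0] content is not a SignedData SEQUENCE")
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #   certificates [0] IMPLICIT OPTIONAL, crls [1] IMPLICIT OPTIONAL, signerInfos }
    bags = [inner for tag, inner, _ in der_children(sd) if tag == 0xA0]
    if not bags:
        raise ValueError("signedData carries no certificates")
    # Plain Certificate choices (SEQUENCE) only; other CertificateChoices are skipped.
    certs = [raw for tag, _, raw in der_children(bags[0]) if tag == 0x30]
    if not certs:
        raise ValueError("certificates bag holds no X.509 certificates")
    return certs

def sha1_fingerprint(der):
    """Colon-separated uppercase SHA-1, the form sscep prints."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 40, 2))

# ---- constructed sample replies (fixtures, not captures from any CA) ---------
def der_encode(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def placeholder_cert(label):
    """Stand-in for a DER certificate: a SEQUENCE around a label. Not X.509."""
    return der_encode(0x30, der_encode(0x13, label))

def build_ca_ra_reply(certs):
    """Degenerate PKCS#7 signedData: certificates only, empty signerInfos."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                       # version 1
        + der_encode(0x31, b"")                         # digestAlgorithms: empty
        + der_encode(0x30, der_encode(0x06, OID_DATA))  # encapContentInfo: data, absent
        + der_encode(0xA0, b"".join(certs))             # [0] IMPLICIT certificates
        + der_encode(0x31, b""))                        # signerInfos: empty SET
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))

SAMPLE_CERTS = [placeholder_cert(b"RA sig"), placeholder_cert(b"RA enc"), placeholder_cert(b"CA")]
GOOD_REPLY = ("application/x-x509-ca-ra-cert", build_ca_ra_reply(SAMPLE_CERTS))
MISLABELLED_REPLY = ("application/x-x509-ca-ra-cert", SAMPLE_CERTS[2])  # bare cert, wrong type
HTML_REPLY = ("text/html", b"<html>mscep.dll error</html>")             # IIS error page, 200 OK
```

Against a real capture, feed extract_certs the Content-Type header and the raw body and compare the SHA-1 of each element it returns with what sscep printed; three certificates (two RA, one CA) is what the sscep run above found, and a ValueError tells you which layer of the wrapping the CA got wrong.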
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART