Re: SCEP CA problem

From: Rob Chee (robgroups@cox.net)
Date: Mon Jul 23 2007 - 21:24:43 ART


Yep, I got SCEP and loaded it. In fact I can download the CA
certificate using a Unix version of the SCEP client. I just can't get
it with a router.

The only place I found SCEP was on the following
website: http://www.klake.org/~jt/sscep/w2kca.html. Let me know if
you know of a different version that I can run.

I have access to the Cisco PEC eLearning labs and I've actually done a
lab where it has worked, so I'm pretty sure I have everything set up
right. It's just bugging me that it's not working in my home lab....

Sasa Milic wrote:
>
> Rob,
>
> you have installed SCEP on the CA server, right? It is an additional
> application, not included with the MS CA server. When you open the page
> http://server:80/certsrv/mscep/mscep.dll from your workstation, do you
> see the SCEP page?
>
> Regards,
> Sasa
>
> ----------------------------------
> Sasa Milic, CCIE #8635 (R&S), CCSP
> http://www.linkedin.com/in/smilic
>
> ----- Original Message ----- From: "Rob Chee" <robgroups@cox.net>
> To: "saheed Balogun" <saheedb@gmail.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Sunday, July 22, 2007 7:43 PM
> Subject: Re: SCEP CA problem
>
>
>> I'm having the same problem with that extra command entered.
>>
>>
>> Debug output "debug crypto pki transactions" "debug crypto pki
>> messages"
>> Jul 21 17:41:19.431: CRYPTO_PKI: Sending CA Certificate Request:
>> GET
>> /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2
>> HTTP/1.0
>>
>>
>> Jul 21 17:41:19.439: CRYPTO_PKI: http connection opened
>> Jul 21 17:41:19.916: CRYPTO_PKI: HTTP response header:
>> HTTP/1.1 200 OK
>> Server: Microsoft-IIS/5.0
>> Date: Sun, 22 Jul 2007 17:41:20 GMT
>> Content-Length: 3494
>> Content-Type: application/x-x509-ca-ra-cert
>>
>> Content-Type indicates we have received CA and RA certificates.
>>
>> Jul 21 17:41:19.920:
>> CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
>>
>> Jul 21 17:41:20.505: crypto_certc_pkcs7_extract_certs_and_crls failed
>> (1795):
>> Jul 21 17:41:20.505: crypto_certc_pkcs7_extract_certs_and_crls failed
>> Jul 21 17:41:20.517: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned
>> 1795
>>
>> Jul 21 17:41:20.521: CRYPTO_PKI: Unable to read CA/RA certificates.
>> Jul 21 17:41:20.521: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA
>> certificates.
>> Jul 21 17:41:20.521: CRYPTO_PKI: transaction GetCACert completed
>> R2(config)#
>>
>> Config
>> crypto ca trustpoint ca2
>> enrollment mode ra
>> enrollment url http://server:80/certsrv/mscep/mscep.dll
>> crl optional
>>
>> saheed Balogun wrote:
>>> Hi Rob,
>>> You need to include:
>>> crypto ca trustpoint ca2
>>> crl-optional
>>>
>>> On 7/22/07, Rob Chee <robgroups@cox.net> wrote:
>>>
>>> I'm having a hard time getting a Win 2000 Server CA running SCEP to
>>> authenticate to a router running c2600-ik9o3s3-mz.123-22.bin
>>>
>>> Here's how I have it set up
>>> 1. I had a hard time finding SCEP, but I did find it at the
>>> following
>>> link http://www.klake.org/~jt/sscep/w2kca.html
>>> 2. I made sure the time on the CA server and on the router is in the
>>> same
>>> timezone and matches
>>>
>>> Here's the debug message I get using "debug crypto pki
>>> transaction" when
>>> I try to authenticate to the CA using "crypto ca authenticate
>>> server"
>>>
>>> Error message (debug crypto pki transaction)
>>>
>>> 2-2610(config)#crypto ca authenticate ca2
>>> Error in receiving Certificate Authority certificate: status =
>>> FAIL,
>>> cert length = 0
>>>
>>> 2-2610(config)#
>>> 1:16:18: CRYPTO_PKI: Sending CA Certificate Request:
>>> GET
>>>
>>> /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2
>>> HTTP/1.0
>>>
>>>
>>> 1:16:18: CRYPTO_PKI: http connection opened
>>> 1:16:18: CRYPTO_PKI: HTTP response header:
>>> HTTP/1.1 200 OK
>>> Server: Microsoft-IIS/5.0
>>> Date: Fri, 20 Jul 2007 02:10:56 GMT
>>> Content-Length: 3494
>>> Content-Type: application/x-x509-ca-ra-cert
>>>
>>> Content-Type indicates we have received CA and RA certificates.
>>>
>>> 1:16:18: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
>>>
>>> 1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
>>> 1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed
>>> 1:16:19: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
>>>
>>> 1:16:19: CRYPTO_PKI: Unable to read CA/RA certificates.
>>> 1:16:19: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA
>>> certificates.
>>> 1:16:19: CRYPTO_PKI: transaction GetCACert completed
>>>
>>>
>>> Here are the relevant parts of my config
>>>
>>> clock timezone EDT -5
>>> clock summer-time EDT recurring last Sun Mar 2:00 last Sun Oct 3:00
>>> ip domain name ccielab.com
>>> ip host server 10.1.1.100
>>>
>>> crypto ca trustpoint ca2
>>> enrollment mode ra
>>> enrollment url http://server:80/certsrv/mscep/mscep.dll
>>>
>>> If you look at the link where I got sscep, you'll see that they are
>>> talking about using a Linux client called sscep as the SCEP
>>> client. I
>>> ran that client and successfully downloaded the CA certificates,
>>> so I
>>> know that the CA is set up correctly. Here's the output from
>>> running
>>> sscep
>>> [root@amdsempron sscep]# ./sscep getca -f sscep.conf
>>> ./sscep: requesting CA certificate
>>> ./sscep: valid response from server
>>>
>>> ./sscep: found certificate with
>>> subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
>>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>>> usage: Digital Signature
>>> SHA1 fingerprint:
>>> 4B:4B:63:03:28:FD:28:6E:57:B7:6B:5F:24:15:E8:B3:54:BF:33:D1
>>> ./sscep: certificate written as ./ca.crt-0
>>>
>>> ./sscep: found certificate with
>>> subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
>>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>>> usage: Key Encipherment
>>> SHA1 fingerprint:
>>> CA:DE:EF:07:42:C8:44:26:27:27:67:33:2F:53:1E:3E:FD:9C:2F:BC
>>> ./sscep: certificate written as ./ca.crt-1
>>>
>>> ./sscep: found certificate with
>>> subject: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>>> usage: Non Repudiation, Certificate Sign, CRL Sign
>>> SHA1 fingerprint:
>>> 96:8C:0B:7E:08:05:E3:B6:EC:A3:5C:A5:2C:64:EA:A3:C1:C4:45:64
>>> ./sscep: certificate written as ./ca.crt-2
>>> [root@amdsempron sscep]#
>>>
>>>
>>> Let me know if you can think of a reason why SCEP isn't working on
>>> the
>>> router?
>>>
>>>
>>> Thanks,
>>>
>>> Rob
>>>
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>>
>>>
>>> --
>>> Saheed Balogun [CCIE (R&S) #16376]
>>> Network Security Specialist
>>> Resourcery Limited,
>>> Nigeria
>>

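The router's debug shows it receiving a body with Content-Type application/x-x509-ca-ra-cert and then failing inside crypto_certc_pkcs7_extract_certs_and_crls. A SCEP GetCACert response with that Content-Type is a degenerate PKCS#7 SignedData (no signers, no content) whose only payload is the certificates set, which is why three certificates came back to sscep. The example below is added here and is not code from this thread, from Cisco IOS, from the Microsoft SCEP add-on or from sscep: it parses that structure with the standard library only, reports clearly when the body is not DER at all (an HTML error page or PEM text would fail at the same step), and checks the CA fingerprint against one obtained out of band, which is the same comparison an operator is asked to make when `crypto ca authenticate` prints the fingerprint. The sample response and its three "certificates" are constructed placeholders (plain DER SEQUENCEs, not real X.509), and all function names are this example's own.

```python
# Added example (not from the thread): parse a SCEP GetCACert body
# (application/x-x509-ca-ra-cert = degenerate PKCS#7 SignedData), list the
# embedded certificates and pin the CA fingerprint. Standard library only.
import hashlib

OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"


# --- minimal DER encoder, used only to build the constructed sample response ---
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))


def fake_cert(label):
    # Constructed placeholder: a SEQUENCE holding one UTF8String. It is not an
    # X.509 certificate, just a distinct DER blob with a stable fingerprint.
    return der(0x30, der(0x0C, label.encode()))


def build_sample_response(certs):
    # ContentInfo { signedData OID, [0] EXPLICIT SignedData }; the SignedData is
    # degenerate: version 1, empty digestAlgorithms, data content type with no
    # content, certificates [0] IMPLICIT, empty signerInfos (RFC 2315 section 9.1).
    signed = der(0x30,
                 der(0x02, b"\x01")
                 + der(0x31, b"")
                 + der(0x30, der_oid(OID_PKCS7_DATA))
                 + der(0xA0, b"".join(certs))
                 + der(0x31, b""))
    return der(0x30, der_oid(OID_PKCS7_SIGNED_DATA) + der(0xA0, signed))


# --- decoder: what the router has to do with the HTTP body it received ---
def _read_tlv(buf, pos):
    """Return (tag, value, raw_element, end) for the DER element at pos."""
    start = pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length: not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:end], buf[start:end], end


def _children(body):
    pos = 0
    while pos < len(body):
        tag, val, raw, pos = _read_tlv(body, pos)
        yield tag, val, raw


def _decode_oid(val):
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extract_certs(response):
    """Return the DER bytes of each certificate in a GetCACert response body."""
    if not response or response[0] != 0x30:
        # An HTML error page or PEM text is exactly what a PKCS#7 parser chokes on.
        raise ValueError("body is not DER, starts with %r" % response[:16])
    _, content_info, _, _ = _read_tlv(response, 0)
    kids = list(_children(content_info))
    if len(kids) != 2 or kids[0][0] != 0x06 or _decode_oid(kids[0][1]) != OID_PKCS7_SIGNED_DATA:
        raise ValueError("ContentInfo is not PKCS#7 signedData")
    if kids[1][0] != 0xA0:
        raise ValueError("ContentInfo lacks [0] EXPLICIT content")
    _, signed_data, _, _ = _read_tlv(kids[1][1], 0)
    certs = []
    for tag, val, _ in _children(signed_data):
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
            certs.extend(raw for ctag, _, raw in _children(val) if ctag == 0x30)
    return certs


def sha1_fingerprint(cert_der):
    return ":".join("%02X" % b for b in hashlib.sha1(cert_der).digest())


def check_ca_fingerprint(response, pinned_sha1):
    """True only if a returned certificate matches the fingerprint obtained out of band."""
    want = pinned_sha1.replace(":", "").upper()
    return any(sha1_fingerprint(c).replace(":", "") == want for c in extract_certs(response))


if __name__ == "__main__":
    sample = build_sample_response([fake_cert("CA root"), fake_cert("RA signing"),
                                    fake_cert("RA encryption")])
    for c in extract_certs(sample):
        print(sha1_fingerprint(c))
    print(check_ca_fingerprint(sample, sha1_fingerprint(fake_cert("CA root"))))
```

Two things carry over to a real deployment: save the HTTP body the router fetches and run it through `extract_certs` (or `openssl pkcs7 -inform DER -print_certs`) before blaming the trustpoint configuration, and record the CA fingerprint from the CA console or a trusted client such as the sscep run above so that the fingerprint `crypto ca authenticate` prints can be compared against it rather than accepted on sight.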


This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART