Re: SCEP CA problem

From: Rob Chee (robgroups@cox.net)
Date: Thu Jul 26 2007 - 00:44:11 ART


I believe the one I downloaded was the Microsoft version.....I used that
one because I couldn't find one on the Microsoft webpage for Win 2000.
I could only find one that supported Win 2003. Let me know if you can
find a link for the Win 2000 version of SCEP and I'll try that out.

Thanks,

Rob

Paul Dardinski wrote:
> If you can I'd run Mshaft's SCEP add-on if possible vs 3rd party. Need
> 2kServer or 2003server, but straightforward and absolutely works.
>
> PD (#16842)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Rob Chee
> Sent: Monday, July 23, 2007 8:25 PM
> To: Sasa Milic
> Cc: saheed Balogun; ccielab@groupstudy.com
> Subject: Re: SCEP CA problem
>
> Yep, I got SCEP and loaded it. In fact I can download the CA
> certificate using a Unix version of the SCEP client. I just can't get
> it with a router.
>
> The only place I found SCEP was on the following
> website....http://www.klake.org/~jt/sscep/w2kca.html. Let me know if
> you know of a different version that I can run.
>
> I have access to the Cisco PEC eLearning labs and I've actually done a
> lab where it has worked, so I'm pretty sure I have everything setup
> right. It's just bugging me that it's not working in my home lab....
>
>
> Sasa Milic wrote:
>
>> Rob,
>>
>> you have installed SCEP on CA server, right? It is additional
>> application, not included with MS CA server. When you open page
>> http://server:80/certsrv/mscep/mscep.dll from your workstation, do you
>> see scep page?
>>
>> Regards,
>> Sasa
>>
>> ----------------------------------
>> Sasa Milic, CCIE #8635 (R&S), CCSP
>> http://www.linkedin.com/in/smilic
>>
>> ----- Original Message ----- From: "Rob Chee" <robgroups@cox.net>
>> To: "saheed Balogun" <saheedb@gmail.com>
>> Cc: <ccielab@groupstudy.com>
>> Sent: Sunday, July 22, 2007 7:43 PM
>> Subject: Re: SCEP CA problem
>>
>>
>>
>>> I'm having the same problem with that extra command entered.
>>>
>>>
>>> Debug output "debug crypto pki transactions" "debug crypto pki messages"
>>> Jul 21 17:41:19.431: CRYPTO_PKI: Sending CA Certificate Request:
>>> GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2 HTTP/1.0
>>>
>>> Jul 21 17:41:19.439: CRYPTO_PKI: http connection opened
>>> Jul 21 17:41:19.916: CRYPTO_PKI: HTTP response header:
>>> HTTP/1.1 200 OK
>>> Server: Microsoft-IIS/5.0
>>> Date: Sun, 22 Jul 2007 17:41:20 GMT
>>> Content-Length: 3494
>>> Content-Type: application/x-x509-ca-ra-cert
>>>
>>> Content-Type indicates we have received CA and RA certificates.
>>>
>>> Jul 21 17:41:19.920: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
>>>
>>> Jul 21 17:41:20.505: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
>>> Jul 21 17:41:20.505: crypto_certc_pkcs7_extract_certs_and_crls failed
>>> Jul 21 17:41:20.517: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
>>>
>>> Jul 21 17:41:20.521: CRYPTO_PKI: Unable to read CA/RA certificates.
>>> Jul 21 17:41:20.521: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA certificates.
>>> Jul 21 17:41:20.521: CRYPTO_PKI: transaction GetCACert completed
>>> R2(config)#
>>>
>>> Config
>>> crypto ca trustpoint ca2
>>> enrollment mode ra
>>> enrollment url http://server:80/certsrv/mscep/mscep.dll
>>> crl optional
>>>
>>> saheed Balogun wrote:
>>>
>>>> Hi Rob,
>>>> You need to include:
>>>> crypto ca trustpoint ca2
>>>> crl optional
>>>> On 7/22/07, Rob Chee <robgroups@cox.net> wrote:
>>>>
>>>> I'm having a hard time getting a Win 2000 Server CA running SCEP to
>>>> authenticate to a router running c2600-ik9o3s3-mz.123-22.bin
>>>>
>>>> Here's how I have it setup
>>>> 1. I had a hard time finding SCEP, but I did find it at the following
>>>> link http://www.klake.org/~jt/sscep/w2kca.html
>>>> 2. I made sure time on the CA server and on the router are in the same
>>>> timezone and matching
>>>>
>>>> Here's the debug message I get using "debug crypto pki transaction" when
>>>> I try to authenticate to the CA using "crypto ca authenticate server"
>>>>
>>>> Error message (debug crypto pki transaction)
>>>>
>>>> 2-2610(config)#crypto ca authenticate ca2
>>>> Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
>>>>
>>>> 2-2610(config)#
>>>> 1:16:18: CRYPTO_PKI: Sending CA Certificate Request:
>>>> GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca2 HTTP/1.0
>>>>
>>>> 1:16:18: CRYPTO_PKI: http connection opened
>>>> 1:16:18: CRYPTO_PKI: HTTP response header:
>>>> HTTP/1.1 200 OK
>>>> Server: Microsoft-IIS/5.0
>>>> Date: Fri, 20 Jul 2007 02:10:56 GMT
>>>> Content-Length: 3494
>>>> Content-Type: application/x-x509-ca-ra-cert
>>>>
>>>> Content-Type indicates we have received CA and RA certificates.
>>>>
>>>> 1:16:18: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=ca2)
>>>>
>>>> 1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
>>>> 1:16:19: crypto_certc_pkcs7_extract_certs_and_crls failed
>>>> 1:16:19: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
>>>>
>>>> 1:16:19: CRYPTO_PKI: Unable to read CA/RA certificates.
>>>> 1:16:19: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA certificates.
>>>> 1:16:19: CRYPTO_PKI: transaction GetCACert completed
>>>>
>>>>
>>>> Here's the relevant parts of my config
>>>>
>>>> clock timezone EDT -5
>>>> clock summer-time EDT recurring last Sun Mar 2:00 last Sun Oct 3:00
>>>> ip domain name ccielab.com
>>>> ip host server 10.1.1.100
>>>>
>>>> crypto ca trustpoint ca2
>>>> enrollment mode ra
>>>> enrollment url http://server:80/certsrv/mscep/mscep.dll
>>>>
>>>> If you look at the link where I got sscep, you'll see that they are
>>>> talking about using a linux client called sscep as the scep client. I
>>>> ran that client and successfully downloaded the CA certificates, so I
>>>> know that the CA is setup correctly. Here's the output from running
>>>> sscep
>>>> [root@amdsempron sscep]# ./sscep getca -f sscep.conf
>>>> ./sscep: requesting CA certificate
>>>> ./sscep: valid response from server
>>>>
>>>> ./sscep: found certificate with
>>>> subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
>>>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>>>> usage: Digital Signature
>>>> SHA1 fingerprint:
>>>> 4B:4B:63:03:28:FD:28:6E:57:B7:6B:5F:24:15:E8:B3:54:BF:33:D1
>>>> ./sscep: certificate written as ./ca.crt-0
>>>>
>>>> ./sscep: found certificate with
>>>> subject: /emailAddress=server/C=US/O=ccielab/OU=ccielab/CN=server
>>>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>>>> usage: Key Encipherment
>>>> SHA1 fingerprint:
>>>> CA:DE:EF:07:42:C8:44:26:27:27:67:33:2F:53:1E:3E:FD:9C:2F:BC
>>>> ./sscep: certificate written as ./ca.crt-1
>>>>
>>>> ./sscep: found certificate with
>>>> subject: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>>>> issuer: /C=US/ST=va/L=ccielab/O=ccielab/OU=ccielab/CN=server
>>>> usage: Non Repudiation, Certificate Sign, CRL Sign
>>>> SHA1 fingerprint:
>>>> 96:8C:0B:7E:08:05:E3:B6:EC:A3:5C:A5:2C:64:EA:A3:C1:C4:45:64
>>>> ./sscep: certificate written as ./ca.crt-2
>>>> [root@amdsempron sscep]#
>>>>
>>>>
>>>> Let me know if you can think of a reason why SCEP isn't working on
>>>> the router?
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Rob
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Saheed Balogun [CCIE (R&S) #16376]
>>>> Network Security Specialist
>>>> Resourcery Limited,
>>>> Nigeria
>>>>


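A way to look at the GetCACert body the router rejects, as an added example (not code from anyone in this thread, from sscep or from IOS): the router's debug shows HTTP 200 with Content-Type application/x-x509-ca-ra-cert, which is a certs-only PKCS#7 SignedData holding the CA and RA certificates, and then crypto_certc_pkcs7_extract_certs_and_crls failing on it; the script builds that structure, parses it back (or a bare certificate when a CA answers without an RA), and prints each certificate's SHA1 fingerprint in the form sscep shows, so the bytes served by the Windows CA can be checked against the three fingerprints above before the trustpoint is accepted. The certificate stand-ins are constructed placeholders, not real X.509; to use it on the lab, save the response body with the Unix sscep or a browser and pass those bytes to extract_certs.

```python
import hashlib
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # pkcs7-signedData (DER value bytes)

def tlv(tag, body):  # encode one DER element with short- or long-form length
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    head = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb
    return head + body

def read_tlv(buf, pos):  # decode the element at pos -> (tag, body, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def wrap_ca_ra_certs(certs):  # certs-only PKCS#7 SignedData, the application/x-x509-ca-ra-cert body
    signed = tlv(0x30, tlv(0x02, b"\x01")                                    # version 1
                + tlv(0x31, b"")                                              # digestAlgorithms: empty SET
                + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))  # contentInfo: pkcs7-data
                + tlv(0xA0, b"".join(certs))                                  # [0] IMPLICIT certificates
                + tlv(0x31, b""))                                             # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))

def extract_certs(der):  # DER certs in a GetCACert body: PKCS#7 (CA + RA) or one bare X.509 cert
    _, body, _ = read_tlv(der, 0)
    t0, oid, pos = read_tlv(body, 0)
    if t0 != 0x06:  # bare certificate: its first element is tbsCertificate, not an OID
        return [der]
    if oid != OID_SIGNED_DATA:
        raise ValueError("PKCS#7 contentType is not signedData")
    _, signed, _ = read_tlv(read_tlv(body, pos)[1], 0)  # [0] EXPLICIT wrapper, then SignedData SEQUENCE
    pos, certs_body = 0, None
    while pos < len(signed) and certs_body is None:
        t, b, pos = read_tlv(signed, pos)
        certs_body = b if t == 0xA0 else None  # [0] IMPLICIT certificates
    if certs_body is None:
        raise ValueError("SignedData carries no certificates")
    certs, pos = [], 0
    while pos < len(certs_body):
        _, _, end = read_tlv(certs_body, pos)
        certs.append(certs_body[pos:end])  # each cert's complete TLV bytes
        pos = end
    return certs

def sha1_fingerprint(cert_der):  # colon form, as sscep prints and the router asks you to confirm
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert_der).digest())

FAKE_CA = tlv(0x30, tlv(0x0C, b"constructed CA cert stand-in"))  # not real X.509 data
FAKE_RA = tlv(0x30, tlv(0x0C, b"constructed RA cert stand-in"))
```

Running `[sha1_fingerprint(c) for c in extract_certs(wrap_ca_ra_certs([FAKE_CA, FAKE_RA]))]` prints two fingerprints in the same shape as the sscep output; a ValueError from extract_certs on a real response body is the sort of malformed bundle the router's extract call is reporting.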

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:42 ART