PIX 515E and Windows 2003 CA authenticate problem

Discussion in 'Cisco' started by Torsten Stier, May 21, 2004.

  1. Hi,

    I have a problem with the CA authentication on our PIX (6.3.3).

    We use a subordinate Enterprise-CA on Windows 2003 Server. The
    mscep.dll is already installed on that server. The Root-CA is a
    standalone offline CA.

    Everything is configured like

    pixfirewall(config)#ca generate rsa key 1024
    pixfirewall(config)#ca identity mysubca
    mysubca_ip:/certsrv/mscep/mscep.dll
    pixfirewall(config)#ca configure mysubca ra 1 20 crloptional
    pixfirewall(config)#ca authenticate mysubca

    As far as I know, I normally should see something like the
    CA fingerprint after the last command?? But I didn't see anything.

    If I try
    pixfirewall(config)#ca enroll mysubca challengepwd
    I get the following error:
    % No CA root cert exists. Use "ca authenticate"


    If I try the CA mscep site with the following link
    http://mysubca/certsrv/mscep/mscep.dll
    I get a correct answer.

    If I try this page with the IP address instead of the hostname, I
    get a prompt for user authentication. Is this the problem? Or is the
    Enterprise-SubCA the problem?


    Thanks for any helpful postings.


    Torsten Stier
     
    Torsten Stier, May 21, 2004
    #1

  2. Torsten Stier

    jt Guest

    Hi Torsten,

    Got the same sort of problem w/ different boxes ( 800, 1700, 2600, 3640 )
    connected to a Win 2000 CertSrv box.

    Sometimes it's successful; after a reload the box in question is missing its
    certs, whereafter I have to enroll a 2nd time to get it. Nevertheless I
    cannot connect ( see my post "router cert not found" ) afterwards, having the
    IOS barking about an untrusted root CA.

    I have tried openSCEP, which is UN*X-based, but the software
    is pretty old and buggy related to the install and stuff.
    Once you have it running, it's OK, but won't link with openSSL
    0.9.7......

    Can you think of another SCEP solution except openCA ?


    Daniel
     
    jt, May 23, 2004
    #2

  3. This is the output from the "ca authenticate" command in debug mode:
    ###############################################################

    CI thread sleeps!
    Crypto CA thread wakes up!
    firewall(config)# connection opened
    CRYPTO_PKI: WARNING: A certificate chain could not be constructed
    while selecting certificate status

    CRYPTO_PKI: Error: Code 0x0000 while selecting self signed
    certificate

    CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found
    while verifying cert in message by issuer self-signed cert

    CRYPTO_PKI: Error: Invalid modulus length in public or private key
    while

    CRYPTO_PKI: WARNING: Unsupported certificate or CRL signature
    algorithm while verifying self-signed cert signature

    CRYPTO_PKI: WARNING: A certificate chain could not be constructed
    while selecting certificate status

    CRYPTO_PKI: Error: Code 0x0000 while selecting self signed
    certificate

    CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found
    while verifying cert in message by issuer self-signed cert

    CRYPTO_PKI: WARNING: A certificate chain could not be constructed
    while selecting certificate status

    CRYPTO_PKI: Error: Code 0x0000 while selecting self signed
    certificate

    CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found
    while verifying cert in message by issuer self-signed cert

    CRYPTO_PKI: WARNING: A certificate chain could not be constructed
    while selecting certificate status

    CRYPTO_PKI: Error: Code 0x0000 while selecting self signed
    certificate

    CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found
    while verifying cert in message by issuer self-signed cert

    CRYPTO_PKI: status = 324: failed to verify
    CRYPTO_PKI: transaction GetCACert completed
    Crypto CA thread sleeps!
     
    Torsten Stier, May 24, 2004
    #3
  4. Torsten Stier

    jt Guest

    CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found
    Sometimes normal behavior.
    Check if key length in CA cert is ** 512 ** !!!!
    And check that HashAlg = rsaSHA, CSP must be Base 1.0

    I suggest you reinstall your CA, making sure the following:

    Key length is 512 on either side ( box and CA )
    enrollment mode is RA

    Further hints here:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;249125&fr=1




    Greets

    Daniel
     
    jt, May 26, 2004
    #4
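    The two things the reply above says to check on the CA certificate (RSA key length and signature hash algorithm) are exactly what the "Invalid modulus length" and "Unsupported certificate or CRL signature algorithm" lines in the debug output of post #3 complain about. The script below is an added example, not code from the thread or from Cisco or Microsoft: it walks a DER-encoded X.509 certificate with a minimal stdlib-only ASN.1 reader and reports the RSA modulus size and signature algorithm, then compares them with the values the reply recommends (512-bit key, SHA-1 with RSA). The certificates it examines are constructed inline with a tiny DER encoder and are not real CA certificates; the 512/SHA-1 expectation is taken from the reply, not from a vendor compatibility table, and is passed in as parameters so it can be changed. Note that a 512-bit RSA modulus is factorable with modest resources today, so the recommendation reflects the 2004 hardware in this thread, not a key size to choose now.

```python
"""Report RSA modulus length and signature algorithm of a DER X.509 cert.
Added example for this thread; stdlib only. Sample certificates are
constructed below and are NOT real CA certificates."""

OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

# ---- minimal DER encoder, used only to build the constructed sample certs ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(v):                      # positive INTEGER, leading 0x00 if high bit set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def b128(n):                         # base-128 arc encoding for OIDs
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def oid(s):
    arcs = [int(x) for x in s.split(".")]
    return tlv(0x06, b128(arcs[0] * 40 + arcs[1]) + b"".join(b128(a) for a in arcs[2:]))

def bitstring(body):
    return tlv(0x03, b"\x00" + body)  # zero unused bits

def alg_id(oid_str):
    return seq(oid(oid_str), tlv(0x05, b""))  # AlgorithmIdentifier with NULL params

def name(cn):                        # Name ::= SEQUENCE OF SET OF (OID, PrintableString)
    return seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x13, cn.encode()))))

def make_cert(modulus_bits, sig_oid):
    """Constructed, self-issued-looking cert skeleton; modulus is a dummy number,
    signature bytes are zeros (never a valid signature)."""
    modulus = (1 << (modulus_bits - 1)) | 1
    spki = seq(alg_id("1.2.840.113549.1.1.1"),
               bitstring(seq(integer(modulus), integer(65537))))
    tbs = seq(tlv(0xA0, integer(2)),                 # [0] EXPLICIT version v3
              integer(1),                            # serialNumber
              alg_id(sig_oid),                       # signature
              name("Constructed Sub CA"),            # issuer
              seq(tlv(0x17, b"040521000000Z"), tlv(0x17, b"090521000000Z")),
              name("Constructed Sub CA"),            # subject
              spki)
    return seq(tbs, alg_id(sig_oid), bitstring(b"\x00" * (modulus_bits // 8)))

# ---- minimal DER reader ----
def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, n = [], 0
    for byte in b:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def inspect_cert(der):
    """Return signature algorithm, key algorithm and RSA modulus length (bits)."""
    _, cert_body, _ = read_tlv(der, 0)
    tbs, sig_alg, _sig_value = children(cert_body)
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:          # optional explicit version present
        fields = fields[1:]
    spki = fields[5]                  # serial, sigalg, issuer, validity, subject, spki
    alg, pubkey = children(spki[1])
    key_oid = decode_oid(children(alg[1])[0][1])
    modulus_bits = None
    if key_oid == "1.2.840.113549.1.1.1":
        _, rsa_body, _ = read_tlv(pubkey[1], 1)   # skip unused-bits octet, open RSAPublicKey
        modulus, _exp = children(rsa_body)
        modulus_bits = int.from_bytes(modulus[1], "big").bit_length()
    return {"signature_algorithm": OIDS.get(sig_oid, sig_oid),
            "key_algorithm": OIDS.get(key_oid, key_oid),
            "modulus_bits": modulus_bits}

def check_against_thread_advice(info, expected_bits=512, expected_sig="sha1WithRSAEncryption"):
    """Defaults are the values the reply in this thread recommends (assumption,
    not a vendor-verified table). Returns a list of mismatches; empty means OK."""
    findings = []
    if info["modulus_bits"] != expected_bits:
        findings.append(f"modulus is {info['modulus_bits']} bits, expected {expected_bits}")
    if info["signature_algorithm"] != expected_sig:
        findings.append(f"signature algorithm is {info['signature_algorithm']}, expected {expected_sig}")
    return findings

if __name__ == "__main__":
    for bits, sig in ((512, "1.2.840.113549.1.1.5"), (2048, "1.2.840.113549.1.1.11")):
        info = inspect_cert(make_cert(bits, sig))
        print(info, check_against_thread_advice(info) or "matches thread advice")
```

To run it against a real CA certificate, read the DER file into `inspect_cert` (convert PEM to DER first); `check_against_thread_advice` then lists each property that differs from what the reply suggests the PIX side expects.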
