VPN with Microsoft Sub-CA

Discussion in 'Cisco' started by Peter Juentgen, Oct 29, 2003.

  1. Hi,

    we're trying to get a certificate for a Cisco router (IOS 12.2)
    from a Microsoft Windows Server 2003 CA. The CA is a Sub-CA
    authorized by a Root-CA. The SCEP add-on on the Sub-CA is installed.

    After trying to authenticate the Sub-CA, the following error appears:
    % Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

    Debugging shows:
    Oct 29 07:53:49.458: CRYPTO_PKI: Sending CA Certificate Request:
    GET /CertSrv/MSCEP/MSCEP.dll/pkiclient.exe?operation=GetCACert&message=subCA HTTP/1.0

    Oct 29 07:53:49.462: CRYPTO_PKI: can not resolve server name/IP address
    Oct 29 07:53:49.462: CRYPTO_PKI: Using unresolved IP Address XX.XX.XX.XX
    Oct 29 07:53:49.466: CRYPTO_PKI: http connection opened
    Oct 29 07:53:49.502: CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Connection: close
    Date: Wed, 29 Oct 2003 07:53:50 GMT
    Server: Microsoft-IIS/6.0
    Content-Length: 5141
    Content-Type: application/x-x509-ca-ra-cert

    Content-Type indicates we have received CA and RA certificates.

    Oct 29 07:53:49.502: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=SubCA)

    Oct 29 07:53:49.518: CRYPTO_PKI: crypto_pki_select_cert_by_subject()
    Oct 29 07:53:49.522: CRYPTO_PKI: WARNING: A certificate chain could not
    be constructed while selecting certificate status

    Oct 29 07:53:49.522: CRYPTO_PKI: crypto_pki_select_cert_by_subject()
    Oct 29 07:53:49.522: CRYPTO_PKI: WARNING: Certificate, private key or
    CRL was not found while verifying cert in message by issuer self-signed cert

    Oct 29 07:53:49.526: CRYPTO_PKI: WARNING: Unsupported certificate or CRL
    signature algorithm while verifying self-signed cert signature

    Oct 29 07:53:49.526: CRYPTO_PKI: crypto_pki_select_cert_by_subject()
    Oct 29 07:53:49.530: CRYPTO_PKI: WARNING: A certificate chain could not
    be constructed while selecting certificate status

    Oct 29 07:53:49.530: CRYPTO_PKI: crypto_pki_select_cert_by_subject()
    Oct 29 07:53:49.530: CRYPTO_PKI: WARNING: Certificate, private key or
    CRL was not found while verifying cert in message by issuer self-signed cert

    Oct 29 07:53:49.534: CRYPTO_PKI: crypto_pki_select_cert_by_subject()
    Oct 29 07:53:49.534: CRYPTO_PKI: WARNING: A certificate chain could not
    be constructed while selecting certificate status

    Oct 29 07:53:49.538: CRYPTO_PKI: crypto_pki_select_cert_by_subject()
    Oct 29 07:53:49.538: CRYPTO_PKI: WARNING: Certificate, private key or
    CRL was not found while verifying cert in message by issuer self-signed cert

    Oct 29 07:53:49.538: CRYPTO_PKI: crypto_pki_select_cert_by_subject()
    Oct 29 07:53:49.542: CRYPTO_PKI: WARNING: A certificate chain could not
    be constructed while selecting certificate status

    Oct 29 07:53:49.542: CRYPTO_PKI: crypto_pki_select_cert_by_subject()
    Oct 29 07:53:49.542: CRYPTO_PKI: WARNING: Certificate, private key or
    CRL was not found while verifying cert in message by issuer self-signed cert

    Oct 29 07:53:49.546: CRYPTO_PKI: status = 324: failed to verify
    Oct 29 07:53:49.546: CRYPTO_PKI: Unable to read CA/RA certificates.
    Oct 29 07:53:49.546: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA
    certificates.
    Oct 29 07:53:49.550: CRYPTO_PKI: transaction GetCACert completed

    Thanks in advance
    Peter
     
    Peter Juentgen, Oct 29, 2003
    #1

  2. Okay. The problem seems to be the 4096-bit key from our Root-CA.
    Does anybody know the supported key length of Cisco routers?

    Thanks in advance
    Peter
     
    Peter Juentgen, Oct 29, 2003
    #2
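The debug output in the first post shows the router fetching the GetCACert reply (Content-Type application/x-x509-ca-ra-cert, a PKCS#7 bundle carrying the CA and RA certificates) and then failing to verify it, and the follow-up post suspects the Root-CA's 4096-bit key. Before changing the PKI, it is worth pulling that same bundle off the MSCEP URL and checking what it actually contains. The script below is an added example, not code from the thread, from Cisco or from Microsoft: it uses openssl to build a constructed two-level chain (a 4096-bit root signing a 2048-bit sub-CA, mirroring the poster's setup), packs it as the same kind of certificates-only PKCS#7 blob that GetCACert returns, and then lists the key size of every certificate in such a bundle, flagging any key larger than a caller-supplied limit. The limit is a parameter because the thread does not state which key sizes IOS 12.2 accepts; the function names, the demo subject names and the 2048 default are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): inspect an MSCEP GetCACert bundle for oversized CA/RA keys.
set -e

# build_demo_chain DIR
# Constructed test data: a 4096-bit self-signed root and a 2048-bit sub-CA signed by it,
# bundled as a degenerate PKCS#7 (certificates only, no signer) in DER form, which is the
# shape of the application/x-x509-ca-ra-cert reply to GetCACert. Prints the bundle path.
build_demo_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA with the 4096-bit key the poster suspects is the problem.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Sub-CA request with a 2048-bit key, then signed by the root as a CA certificate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Sub CA" -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/sub.ext"
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/sub.ext" -out "$dir/sub.pem" 2>/dev/null
    # Degenerate PKCS#7 SignedData holding both certificates, DER-encoded.
    openssl crl2pkcs7 -nocrl -certfile "$dir/root.pem" -certfile "$dir/sub.pem" \
        -outform DER -out "$dir/getcacert.der"
    printf '%s\n' "$dir/getcacert.der"
}

# inspect_ca_ra_bundle FILE [MAXBITS]
# Splits a DER PKCS#7 certificate bundle (as fetched from
# .../MSCEP/MSCEP.dll/pkiclient.exe?operation=GetCACert) into its certificates and
# prints "<key bits> <subject>" for each one. Returns 1 if any key exceeds MAXBITS
# (default 2048, an assumption; the limit a given IOS release accepts is not stated in the thread).
inspect_ca_ra_bundle() {
    bundle="$1"
    maxbits="${2:-2048}"
    rc=0
    tmp=$(mktemp -d)
    # -print_certs emits the certificates as PEM; awk writes each one to its own file.
    openssl pkcs7 -inform DER -in "$bundle" -print_certs 2>/dev/null |
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
            f { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'
    for cert in "$tmp"/cert*.pem; do
        # Matches "Public-Key: (4096 bit)" (OpenSSL 3) and "RSA Public-Key: (4096 bit)" (1.1.x).
        bits=$(openssl x509 -in "$cert" -noout -text | grep -o '([0-9]* bit)' | head -n 1 | tr -dc '0-9')
        subject=$(openssl x509 -in "$cert" -noout -subject)
        printf '%s %s\n' "$bits" "$subject"
        [ "$bits" -le "$maxbits" ] || rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}
```

To run this against a real server, save the GetCACert reply to a file (for example with curl against the URL shown in the debug output above, with the CA's address filled in) and call inspect_ca_ra_bundle on it; the bundle normally carries the RA certificate(s) as well as the CA certificate, and the function lists all of them. Key size is only one thing to look at: the warning in the debug output names the signature algorithm rather than the key size, so the "Signature Algorithm" line of openssl x509 -text for each certificate is worth checking at the same time.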

  3. troy lebouef (Guest), replying to Peter Juentgen:

    Don't use a sub-CA, and use a later IOS version on the router.
     
    troy lebouef, Nov 27, 2003
    #3
