Hi to everyone!
I'm trying to configure certificate use for my PIX (515E with PIX 6.3). I have installed a CA on MS Windows 2003 Server (domain controller) as an enterprise stand-alone CA, and I have also installed the Microsoft SCEP add-on. But when configuring the PIX, I get stuck at the instruction:
ca authenticate my_CA_nick_name
which returns:
msgsym(GETCARACERT, CRYPTO)! %Error in connection to Certificate Authority: status = FAIL
The CA identity is configured as follows:
ca identity jowisz 172.16.0.10:/certsrv/mscep/mscep.dll
I suspect that the problem is due to the password requirement of the SCEP service (when I manually enter the address 172.16.0.10:/certsrv/mscep/mscep.dll into my browser, I'm prompted for a password). I have read in the Resource Kit Help that I can disable this password requirement by setting HK_LM\Software\Microsoft\Cryptography\MSCEP\AllowAll to 1, but it didn't work!
Any idea what is wrong?
P.S. After turning on "debug crypto ca", the command "ca authenticate jowisz" produces the following output:
pix(config)# ca auth jowisz
CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL
CRYPTO_PKI: Error: Invalid modulus length in public or private key while
CRYPTO_PKI: WARNING: Unsupported certificate or CRL signature algorithm while verifying self-signed cert signature
pix(
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: Error: Code 0x0000 while selecting self signed certificate
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: Error: Code 0x0000 while selecting self signed certificate
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status
CRYPTO_PKI: Error: Code 0x0000 while selecting self signed certificate
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert
CRYPTO_PKI: status = 324: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!config)#
pix(config)#
Thanks in advance for any suggestions:
Krzysztof.
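
An added example, not part of the original post: a Python sketch that rejoins console-wrapped lines of "debug crypto ca" output like the above and tallies the distinct CRYPTO_PKI warnings and errors along with the final status line. The sample text is constructed from lines quoted in the post; the 80-column wrap width and all function names are assumptions.

```python
import re
from collections import Counter

WIDTH = 80  # assumption: the console wraps at 80 columns, as the post's output suggests
PREFIX = "CRYPTO_PKI:"
EVENT = re.compile(r"^CRYPTO_PKI: (?:(WARNING|Error): )?(.*)$")
STATUS = re.compile(r"status = (\d+): (.*)")

# Constructed sample, built from lines quoted in the post (wrapped at 80 columns).
SAMPLE = """\
CRYPTO_PKI: http connection opened
CRYPTO_PKI: WARNING: Unsupported certificate or CRL signature algorithm while ve
rifying self-signed cert signature
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selectin
g certificate status
CRYPTO_PKI: Error: Code 0x0000 while selecting self signed certificate
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selectin
g certificate status
CRYPTO_PKI: status = 324: failed to verify
CRYPTO_PKI: transaction GetCACert completed
"""

def unwrap(text, width=WIDTH):
    """Rejoin a full-width line with the fragment the console wrapped after it."""
    logical, prev_full = [], False
    for line in text.splitlines():
        if prev_full and not line.startswith(PREFIX):
            logical[-1] += line          # continuation of a wrapped line
        else:
            logical.append(line)
        prev_full = len(line) == width   # only full-width lines can have wrapped
    return logical

def summarize(text):
    """Return whether HTTP opened, the final status, and counts per distinct finding."""
    counts, status, http_opened = Counter(), None, False
    for line in unwrap(text):
        m = EVENT.match(line)
        if not m:
            continue                     # prompt fragments, thread wake/sleep lines
        severity, msg = m.group(1), m.group(2)
        s = STATUS.match(msg)
        if msg == "http connection opened":
            http_opened = True
        elif s:
            status = (int(s.group(1)), s.group(2))
        elif severity:
            counts[(severity.upper(), msg)] += 1
    return {"http_opened": http_opened, "status": status, "findings": counts}
```

Collapsing repeats this way separates the transport stage (the HTTP connection line) from the certificate-verification messages and the final status code.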