PIX 515E and certificates

Hi to everyone!

I'm trying to configure certificate use for my PIX (515E with PIX 6.3). I have installed a CA on MS Windows 2003 Server (domain controller) as an enterprise stand-alone CA, and I have also installed the Microsoft SCEP add-on. But when configuring the PIX, I get stuck at this instruction:

ca authenticate my_CA_nick_name

which returns:

msgsym(GETCARACERT, CRYPTO)! %Error in connection to Certificate Authority: status = FAIL

The CA identity is configured as follows:

ca identity jowisz 172.16.0.10:/certsrv/mscep/mscep.dll

I suspect that the problem is due to the password requirement of the SCEP service (when I manually enter the address 172.16.0.10:/certsrv/mscep/mscep.dll into my browser, I'm prompted for a password). I have read in the Resource Kit Help that I can disable this password requirement by setting HK_LM\Software\Microsoft\Cryptography\MSCEP\AllowAll to 1, but it didn't work!

Any idea what is wrong?

P.S. After turning on "debug crypto ca", the command "ca authenticate jowisz" produces the following output:

pix(config)# ca auth jowisz

CI thread sleeps!

Crypto CA thread wakes up!

CRYPTO_PKI: http connection opened

msgsym(GETCARACERT, CRYPTO)!

%Error in connection to Certificate Authority: status = FAIL

CRYPTO_PKI: Error: Invalid modulus length in public or private key while

CRYPTO_PKI: WARNING: Unsupported certificate or CRL signature algorithm while verifying self-signed cert signature

pix(

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

CRYPTO_PKI: Error: Code 0x0000 while selecting self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

CRYPTO_PKI: Error: Code 0x0000 while selecting self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

CRYPTO_PKI: Error: Code 0x0000 while selecting self signed certificate

CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while verifying cert in message by issuer self-signed cert

CRYPTO_PKI: status = 324: failed to verify

CRYPTO_PKI: transaction GetCACert completed

Crypto CA thread sleeps!

CI thread wakes up!config)#

pix(config)#

Thanks in advance for any suggestions,

Krzysztof.
