https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197105#M613814 <P>Hi All,</P><P></P><P>I have two problems with my PIX 501:</P><P></P><P>1. Enrolling works well. The pix has a certificate and uses it with VPN/SSL connections. But after a reload, the pix certificate is lost and it has regenerated a self signed certificate again!</P><P>Yes, I did write mem and ca save all!</P><P></P><P>2. On a ca crl request &lt;name&gt;, I get the following debug:</P><P></P><P>Crypto CA thread wakes up!</P><P>CRYPTO_PKI: Can not get name ava count</P><P>CRYPTO_PKI: transaction GetCRL completed</P><P>Crypto CA thread sleeps!</P><P>CI thread wakes up!</P><P></P><P>And the CRL is empty.</P><P></P><P>Does somebody has an idea?</P><P></P><P>Bert Koelewijn</P> Fri, 21 Feb 2020 06:49:17 GMT BertK88 2020-02-21T06:49:17Z https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197105#M613814 <P>Hi All,</P><P></P><P>I have two problems with my PIX 501:</P><P></P><P>1. Enrolling works well. The pix has a certificate and uses it with VPN/SSL connections. But after a reload, the pix certificate is lost and it has regenerated a self signed certificate again!</P><P>Yes, I did write mem and ca save all!</P><P></P><P>2. On a ca crl request &lt;name&gt;, I get the following debug:</P><P></P><P>Crypto CA thread wakes up!</P><P>CRYPTO_PKI: Can not get name ava count</P><P>CRYPTO_PKI: transaction GetCRL completed</P><P>Crypto CA thread sleeps!</P><P>CI thread wakes up!</P><P></P><P>And the CRL is empty.</P><P></P><P>Does somebody has an idea?</P><P></P><P>Bert Koelewijn</P> Fri, 21 Feb 2020 06:49:17 GMT https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197105#M613814 BertK88 2020-02-21T06:49:17Z https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197106#M613815 <HTML><HEAD></HEAD><BODY><P>Not sure about 1, but 2 is usually caused by the CDP (CRL Distribution Point, basically the location of where the PIX can download the CRL from) listed in the CA cert is in a format the PIX doesn't understand, usually an LDAP URL.</P><P></P><P>Check the following please:</P><P></P><P>Open the CA admin tool (Certification Authority) then</P><P>1) right click on the CA name and choose "Properties"</P><P>2) select the tab "Policy Module"</P><P>3) hit the button "Configure"</P><P>4) select the tab "X.509 extensions"</P><P>&gt;From there, he can view the list of "CRL Distribution Points". </P><P>Deactivate all that is not HTTP.</P><P></P><P>You'll need to reinstall the certs into the PIX I believe, but then it should be able to download the CRL via HTTP instead of LDAP.</P><P></P></BODY></HTML> Fri, 27 Jun 2003 02:54:12 GMT https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197106#M613815 gfullage 2003-06-27T02:54:12Z https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197107#M613816 <HTML><HEAD></HEAD><BODY><P>&gt; in a format the PIX doesn't understand</P><P>I eliminated the space in the name of my ca certificate, to make the URL cleaner, without the '%20': abc%20def.crl -&gt; abcdef.crl. That solved problem 1!! </P><P></P><P>I still have no clue about problem 2, even with nice URL's and only HTTP (as you mentioned), it gives the same debug. </P><P></P><P>Thanks for your previous hint! It led me to the solution of problem 1. Does somebody have an idea about problem 2?</P><P></P><P>Bert Koelewijn</P></BODY></HTML> Fri, 27 Jun 2003 08:51:18 GMT https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197107#M613816 BertK88 2003-06-27T08:51:18Z https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197108#M613817 <HTML><HEAD></HEAD><BODY><P>Solved problem 2!</P><P></P><P>Not only by leaving the LDAP address off the certificate, but by leaving off the LDAP ipaddress in the 'ca identity' rule too.</P><P></P><P>Is Cisco aware of this issue? Will they make things more easy in next releases of the PIX OS?</P><P></P><P>Thanks!</P><P></P><P>Bert Koelewijn</P></BODY></HTML> Fri, 27 Jun 2003 09:30:33 GMT https://community.cisco.com/t5/network-security/problems-with-pix-501-and-ms-cert-server/m-p/197108#M613817 BertK88 2003-06-27T09:30:33Z