https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3427#M674812 <HTML><HEAD></HEAD><BODY><P>Ok, I found the solution for this problem. It was fairly simple. for you who have the Windows 2000 in spanish, the cetsetup.exe works only with the english version of windows Nt 2000.</P></BODY></HTML> Wed, 04 Apr 2001 13:01:13 GMT jcazila 2001-04-04T13:01:13Z https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3424#M674809 <P>I am trying to configure microsoft CA Certificate Server with the PIX, and I am unable to obtain the CA or RA certificate, so, the certificate request fails.</P><P>I have followed the instructions I found in the Instutor site, but it doesn't work for me. </P><P>First, I installed the CA in standalone mode, and gave a certificate to it.</P><P>Later I took the cepsetup.exe from the Windows 2000 resource toolkit and intalled SCEP support for Microsoft CA. I was requested to enter the information for a RA certificate, so I did. After reseting, of course, I typed the following commands from the pix:</P><P></P><P>clock set "current time, the same as in the CA"</P><P>ip domain-name example.com</P><P>ip hostname pix</P><P>ca generate rsa key 512</P><P>ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll</P><P>ca configure alexnap ra 1 5 crloptional</P><P>and NOW.....</P><P>when I type ca authenticate alexnap I obtanin the following</P><P></P><P></P><P>sanjose(config)# ca authenticate alexnap</P><P></P><P>C</P><P> IC trhryeadp tsol eCeAp st!hread wakes up!</P><P>CRYPTO_PKI: http connection opened</P><P>PKI: key process suspended and continued</P><P>CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting</P><P>certificate status</P><P></P><P>CRYPTO_PKI: Can not get name ava count</P><P>CRYPTO_PKI: can not decode router sub name.</P><P>CRYPTO_PKI: Can not get name ava count</P><P>CRYPTO_PKI: can not decode router sub name.</P><P>CRYPTO_PKI: Can not get name ava count</P><P>CRYPTO_PKI: can not decode router sub name.</P><P>CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting</P><P>certificate status</P><P></P><P>CRYPTO_PKI: Can not get name ava count</P><P>CRYPTO_PKI: can not decode router sub name.</P><P>CRYPTO_PKI: Can not get name ava count</P><P>CRYPTO_PKI: can not decode router sub name.</P><P>CRYPTO_PKI: Can not get name ava count</P><P>CRYPTO_PKI: can not decode router sub name.</P><P>CRYPTO_PKI: status = 0: failed to get ca name from cert</P><P>CRYPTO_PKI: can not set ra public key</P><P>CRYPTO_PKI: status = 0: failed to get ca name from cert</P><P>CRYPTO_PKI: can not set ra public key</P><P>CRYPTO_PKI: transaction GetCACert completed</P><P>Certificate has the following attributes:</P><P>Fingerprint: 8698efea 67ec44a8 5c3abb18 a3b3da54</P><P>CRYPTO_PKI: status = 0: failed to get ca name from cert</P><P>CRYPTO_PKI: can not set ra public key</P><P>CRYPTO_PKI: status = 0: failed to get ca name from cert</P><P>CRYPTO_PKI: can not set ra public key</P><P>Crypto CA thread sleeps!</P><P>CI thread wakes </P><P></P><P>INDICATING ME THAT THE RA AND CA PUBLIC KEYS COULD NOT BE SET.</P><P></P><P>NOW WHEN I REQUEST A CERTIFICATE..........I OBTAIN THE FOLLOWING MESSAGE FROM THE DEBUG CRYPTO CA..</P><P></P><P>sanjose(config)# CA ENROLL ALEXNAP CISCO</P><P>%</P><P></P><P>C%r Sytaprtto cCeAr titfihcraetaed enroll mweankt ..</P><P></P><P>% Thee subject names in utphe ce!rtificate will be: sanjose.softneteurope.com</P><P>CI thread sleeps!</P><P>CI thread wakes up!% Certificate request sent to Certificate Authority</P><P>% The certificate request fingerprint will be displayed.</P><P></P><P>sanjose(config)#</P><P>sanjose(config)#</P><P>sanjose(config)#</P><P>CRYPTO_PKI: transaction PKCSReq completed</P><P>CRYPTO_PKI: status:</P><P>Crypto CA thread sleeps!</P><P>CRYPTO_PKI: status = 0: failed to select RA encrypt cert</P><P>CRYPTO_PKI: status = 65535: failed to set up peer auth context</P><P>CRYPTO_PKI: status = 65535: fail to send out pkcsreq</P><P>CRYPTO__PKI: All sockets are closed.</P><P></P><P>WHAT IS GOING ON HERE, ANY HELP, OR SHOULD WE CHANGE THE CA OR SHOULD WE CONSTRUCT THE VPN WITH WINDOWS 2000 ( A SHAME)</P><P></P><P></P><P></P><P></P><P></P> Fri, 21 Feb 2020 05:47:03 GMT https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3424#M674809 jcazila 2020-02-21T05:47:03Z https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3425#M674810 <HTML><HEAD></HEAD><BODY><P>One thing you should try if you can is to put the Microsoft Cert outside the firewall.</P><P>Two is on this line:</P><P>ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll</P><P>put a forward slash after the mscep.dll example:</P><P>ca identity alexnap 10.0.0.2:/certsrv/mscep/mscep.dll/</P><P>Because I had the similar issue myself. Hope that helps</P><P>Tony Cooper</P><P></P></BODY></HTML> Sat, 24 Feb 2001 02:11:42 GMT https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3425#M674810 tony 2001-02-24T02:11:42Z https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3426#M674811 <HTML><HEAD></HEAD><BODY><P>thank you tony, very kind of you but, it didn't work for me. May be there is s problem with versions. My mscep.dll is 5.131.2155.1. do you have a diferent (more recent version?). In fact, reading the releases for VPN client version 1.1, I found that VPN 1.1 will work only with version 5.131.2199.1, aas long as I remember. could you send me the version you have, so I could try with it?.</P><P>thank you again,</P><P>regards,</P><P>alexnap</P></BODY></HTML> Wed, 28 Feb 2001 15:02:50 GMT https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3426#M674811 jcazila 2001-02-28T15:02:50Z https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3427#M674812 <HTML><HEAD></HEAD><BODY><P>Ok, I found the solution for this problem. It was fairly simple. for you who have the Windows 2000 in spanish, the cetsetup.exe works only with the english version of windows Nt 2000.</P></BODY></HTML> Wed, 04 Apr 2001 13:01:13 GMT https://community.cisco.com/t5/network-security/pix-and-microsoft-ca-certificate-server/m-p/3427#M674812 jcazila 2001-04-04T13:01:13Z