We have a problem with authenticating to the trustpoint for the CA on a Win 2008 Enterprise machine.
Enrollment URL: http://CAWin2008/certsrv/mscep_admin/
We are getting the following error
ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0
ASA(config)# Content-Type indicates we did not receive a certificate.
after trying to authenticate.
After checking Wireshark captures on the Win2008 machine, we noticed that Win2008 is sending a specific HTTP 401 'Unauthorized: access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.' error. It is as if the CA and its IIS service are trying to authenticate the ASA, but the ASA does not send any credentials.
Is anybody familiar with this problem and how we can solve it?
By default the 2008 CA requires the use of the SCEP challenge password. You might need to go to
/certsrv/mscep_admin to get a one-time password.
Once you have this password you can enter it during enrollment time or define it in trustpoint with
Yes, but the first step is to authenticate with the CA, and after that comes the enrollment procedure with a password.
The first step, authentication, is the problem. In this step we see the unauthorized access mentioned above in the sniffed HTTP response from the CA server.
Sorry, I misunderstood your question.
Could you please verify if your RSA key length is 2048?
You might need to run "debug crypto ca trans 255" and "debug crypto ca message 255" to see what happens on ASA.
CRYPTO_PKI: HTTP response header:
HTTP/1.1 401 Unauthorized
Date: Wed, 23 Feb 2011 21:52:17 GMT
I think the problem is with the authentication that the CA / IIS service is requesting.
You might be correct. It should be something with the IIS service.
It might require authentication/authorization to access that page.
If you use a browser to access http://CAWin2008/certsrv/mscep_admin/, what do you get?
To my knowledge, we did test ASA with Win 2008 CA server before. It should work.
Yes, we get a pop-up window for username/password. After entering a username/password with appropriate privileges, we get the regular page with the password/fingerprint information. It is definitely something with the IIS service for the CA site.
Now we are getting a certificate with a proper HTTP 200 response, but the ASA cannot read the certificate from the CA server.
crypto_pki: Unable to read CA/RA certificates. Crypto CA thread sleeps!
Also, we see a dump in debug crypto ca messages/transaction 255; in that dump is the certificate from the Win2008 CA, but as I mentioned, the ASA cannot use it, cannot read/accept it.
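What the ASA is checking in both of the failures described in this thread (the HTTP 401 during "crypto ca authenticate", and later the HTTP 200 whose body it still cannot use as a CA/RA certificate) can be reproduced from any host with the SCEP GetCACert request. The following is an added example written for this thread, not code from Cisco or Microsoft. It assumes the NDES SCEP endpoint lives at http://CAWin2008/certsrv/mscep/mscep.dll (the mscep_admin page in the question is the challenge-password page, not the SCEP endpoint); the accepted Content-Type values are the ones SCEP (RFC 8894) defines for GetCACert, and the two DER samples at the bottom are constructed, minimal TLV blobs for offline testing rather than real certificates.

```python
"""Reproduce the SCEP GetCACert check an ASA performs against an NDES server.

Added example for this thread (not Cisco/Microsoft code). Assumed SCEP URL:
http://CAWin2008/certsrv/mscep/mscep.dll. Sample DER bodies are constructed.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Content-Types a SCEP client accepts for a GetCACert response (RFC 8894, 4.2.1).
CT_CA_CERT = "application/x-x509-ca-cert"        # body: one DER X.509 CA certificate
CT_CA_RA_CERT = "application/x-x509-ca-ra-cert"  # body: degenerate PKCS#7 with CA + RA certs

# OID 1.2.840.113549.1.7.2 (pkcs7-signedData), DER-encoded contents.
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")


def der_header(buf, pos=0):
    """Return (tag, length, header_size) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, 2
    n = first & 0x7F                      # long-form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, length, 2 + n


def der_kind(body):
    """Classify a DER blob as 'x509' (Certificate), 'pkcs7' (SignedData) or 'unknown'."""
    if len(body) < 3 or body[0] != 0x30:  # both structures start with SEQUENCE
        return "unknown"
    _, _, hdr = der_header(body)
    inner_tag = body[hdr]
    if inner_tag == 0x30:                 # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
        return "x509"
    if inner_tag == 0x06:                 # ContentInfo ::= SEQUENCE { contentType OID ...
        _, oid_len, oid_hdr = der_header(body, hdr)
        oid = body[hdr + oid_hdr:hdr + oid_hdr + oid_len]
        return "pkcs7" if oid == OID_PKCS7_SIGNED_DATA else "unknown"
    return "unknown"


def diagnose(status, content_type, body):
    """Map an HTTP response to the verdict a SCEP client would reach."""
    if status == 401:
        # IIS demands credentials on the SCEP URL; SCEP clients never send any.
        return "iis_auth_required"
    if status != 200:
        return "http_%d" % status
    ct = content_type.split(";")[0].strip().lower()
    if ct not in (CT_CA_CERT, CT_CA_RA_CERT):
        # The ASA reports this as: Content-Type indicates we did not receive a certificate.
        return "not_a_certificate"
    kind = der_kind(body)
    if ct == CT_CA_CERT and kind == "x509":
        return "ca_cert"
    if ct == CT_CA_RA_CERT and kind == "pkcs7":
        return "ca_ra_chain"
    return "content_type_body_mismatch"


def fetch_ca_cert(scep_url, timeout=10):
    """Issue SCEP GetCACert and return (status, content_type, body), 401s included."""
    url = scep_url + "?" + urlencode({"operation": "GetCACert", "message": "CA-IDENT"})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


# Constructed sample bodies (not real certificates): minimal DER with the right outer shape.
SAMPLE_X509 = bytes.fromhex("3006" "3004" "02020102")          # SEQ { SEQ { INTEGER 0x0102 } }
SAMPLE_PKCS7 = bytes.fromhex("300b" "0609" + OID_PKCS7_SIGNED_DATA.hex())  # SEQ { OID signedData }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://CAWin2008/certsrv/mscep/mscep.dll"
    status, ctype, body = fetch_ca_cert(target)
    print(status, ctype, len(body), "bytes ->", diagnose(status, ctype, body))
```

Run it with the SCEP URL as the only argument. A verdict of iis_auth_required matches the 401 seen in the Wireshark capture: IIS is challenging for credentials on the SCEP path, and a SCEP client has none to offer, so the request never reaches mscep.dll. not_a_certificate is the HTTP 200 case where IIS served an HTML page (for example an error or logon page) instead of a certificate. ca_ra_chain is the normal NDES answer: the CA and RA certificates arrive together in a degenerate PKCS#7, which is why the client is expected to parse more than a single bare certificate.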
Can you post the following debug output?
debug cry ca 255
debug crypto ca trans 255
debug crypto ca message 255
By the way, is this CA a sub-CA? If yes, can you check whether the root CA is using SHA2?
Did we find a resolution to this? I'm experiencing issues when trying to download the CA cert from a 2008 CA server. The identity certificate was fine. I've tried from file and SCEP. My ASA is running 8.4(1). This worked fine recently for another customer when using a 2003 CA.
Here is a document on how to do this via ASDM:
To verify your certificates, you can run 'show crypto ca certificate'. You want to check and make sure that your Identity cert is NOT enrolled as a "CA Certificate". This is a very common mistake.
Next, you should verify that the rest of your certificate chain was imported correctly by checking the Issuer Name and Subject Names. The Issuer of your Identity Cert should match the Subject of the Intermediate Cert (or Root CA Cert if there is no intermediate). Keep moving up the chain until these match, that is your Root CA Certificate and you can stop checking.
If you are having problems with auto enrollment, try enrolling from a file. Make sure to export the certificate as Base-64. This is very easy to do in Windows if you open the Cert, go to the Details tab, and choose Copy to File...
ciscoasa(config)# crypto ca trustpoint my_ca_trustpoint
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config)# crypto ca authenticate my_ca_trustpoint
I hope this helps.