02-23-2011 06:23 AM - edited 03-11-2019 12:55 PM
Hi,
we have a problem with authenticating to the trustpoint for the CA on a Win 2008 Enterprise machine. Enrollment URL:
http://CAWin2008/certsrv/mscep_admin/
We are getting the following error after trying to authenticate:
ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0
ASA(config)# Content-Type indicates we did not receive a certificate.
After checking Wireshark captures on the Win2008 machine, we noticed that Win2008 is sending a specific HTTP 401 'Unauthorized: access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.' error. It is as if the CA and its IIS service are trying to authenticate the ASA, but the ASA does not send any credentials.
Is anybody familiar with this problem and how we can solve it?
Vladimir
02-23-2011 11:36 AM
By default the 2008 CA requires the use of the SCEP challenge password. You might need to go to
http:///certsrv/mscep_admin to get a one-time password.
Once you have this password you can enter it during enrollment or define it in the trustpoint with the
password command.
02-23-2011 12:33 PM
Yes, but the first step is to authenticate with the CA, and after that comes the enrollment procedure with a password.
The first step, authentication, is the problem. In this step we see the mentioned unauthorized access in the sniffed HTTP response from the CA server.
Vlada
02-23-2011 12:44 PM
Sorry, I misunderstood your question.
Could you please verify if your RSA key length is 2048?
You might need to run "debug crypto ca trans 255" and "debug crypto ca message 255" to see what happens on ASA.
02-23-2011 01:48 PM
debug 255...
CRYPTO_PKI: HTTP response header:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Wed, 23 Feb 2011 21:52:17 GMT
Connection: close
Content-Length: 1293
I think the problem is with the authentication that the CA / IIS service is requesting.
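To make the debug output above easier to act on, here is an added example (not from the thread or from Cisco) that parses a raw HTTP header block like the one quoted and explains why the ASA would reject it as a GetCACert reply. It assumes the SCEP certificate Content-Types from RFC 8894; the sample input is the 401 block copied from the post.

```python
"""Classify the HTTP reply an ASA gets back for a SCEP GetCACert request.

Added, constructed example. A successful reply carries one of the SCEP
certificate Content-Types; anything else is why the ASA logs
'Content-Type indicates we did not receive a certificate'.
"""

CERT_CONTENT_TYPES = ("application/x-x509-ca-cert",      # single CA cert
                      "application/x-x509-ca-ra-cert")   # CA + RA chain


def parse_http_response(raw):
    """Split a raw header block into (status_code, {name: [values]}).

    Repeated headers (the two WWW-Authenticate lines) are kept as a list.
    """
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            continue
        name, value = ln.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def diagnose_getcacert(raw):
    """Return a one-line verdict on why the reply is (not) a usable CA cert."""
    status, headers = parse_http_response(raw)
    ctype = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
    if status == 401:
        schemes = ", ".join(headers.get("www-authenticate", []))
        return ("IIS demands authentication (%s) but the ASA SCEP client sends no "
                "HTTP credentials; the GetCACert URL must allow anonymous access" % schemes)
    if status != 200:
        return "unexpected HTTP status %d" % status
    if ctype not in CERT_CONTENT_TYPES:
        return "HTTP 200 but Content-Type %r is not a certificate" % ctype
    return "ok: %s" % ctype


# The 401 header block quoted in the debug output above, copied as sample input.
SAMPLE_401 = """HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Wed, 23 Feb 2011 21:52:17 GMT
Connection: close
Content-Length: 1293
"""
```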
02-23-2011 02:02 PM
Yes, we are using a 2048-bit key length.
02-23-2011 02:44 PM
You might be correct. It should be something with the IIS service.
It might require authentication/authorization to access that page.
If you use a browser to access http://CAWin2008/certsrv/mscep_admin/, what do you get?
To my knowledge, we did test the ASA with a Win 2008 CA server before. It should work.
02-23-2011 03:45 PM
You might need to check the Directory Security -> Authentication and Access Control settings of your CA directory in IIS.
02-24-2011 12:23 AM
Yes, we get a pop-up window for username/password. After entering a username/password with appropriate privileges, we get the regular page with password/fingerprint information. It is definitely something with the IIS service for the CA site.
02-25-2011 05:49 AM
Current situation:
Now we are getting a certificate with a proper HTTP 200 response, but the ASA cannot read the certificate from the CA server:
crypto_pki: Unable to read CA/RA certificates. Crypto CA thread sleeps!
Also, we see a dump in debug crypto ca messages/transaction 255; in that dump is the certificate from the CA on Win2008, but as I mentioned, the ASA cannot implement it, cannot read/accept it.
Vlada
02-25-2011 05:59 AM
We are using SHA1, so it is not the well-known problem with the SHA-256 algorithm.
Vlada
02-25-2011 09:04 AM
Can you post the following debug output?
debug cry ca 255
debug crypto ca trans 255
debug crypto ca message 255
By the way, is this CA a subCA? If yes, can you check if the root CA is using SHA2?
06-14-2011 03:55 AM
Hi all,
Did we find a resolution to this? I'm experiencing issues when trying to download the CA cert from a 2008 CA server. The identity certificate was fine. I've tried from file and SCEP. My ASA is running 8.4(1). This worked fine recently for another customer using a 2003 CA.
Thanks,
Dean
06-14-2011 05:57 AM
Dean,
Here is a document on how to do this via ASDM:
To verify your certificates, you can run 'show crypto ca certificate'. You want to check and make sure that your Identity cert is NOT enrolled as a "CA Certificate". This is a very common mistake.
Next, you should verify that the rest of your certificate chain was imported correctly by checking the Issuer Name and Subject Names. The Issuer of your Identity Cert should match the Subject of the Intermediate Cert (or Root CA Cert if there is no intermediate). Keep moving up the chain until these match, that is your Root CA Certificate and you can stop checking.
If you are having problems with auto enrollment, try enrolling from a file. Make sure to export the certificate as Base-64. This is very easy to do in Windows if you open the Cert, go to the Details tab, and choose Copy to File...
Enrollment Example:
ciscoasa(config)# crypto ca trustpoint my_ca_trustpoint
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config-ca-trustpoint)# exit
ciscoasa(config)# crypto ca authenticate my_ca_trustpoint
I hope this helps.
Thanks,
Brendan
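The chain check Brendan describes (Issuer of each cert must match the Subject of the next one up, and the identity cert must not sit in the "CA Certificate" slot) can be automated over what 'show crypto ca certificate' prints. This is an added, constructed example, not code from the thread or from Cisco; the certificate names are placeholders.

```python
"""Walk an ASA certificate bundle up to its root and flag import mistakes.

Added, constructed example: each entry carries what 'show crypto ca
certificate' prints for a cert (Subject Name, Issuer Name) plus the slot it
sits in: 'Certificate' (identity) or 'CA Certificate' (trusted/intermediate).
"""


def check_bundle(certs):
    """Return (chain, problems).

    chain: subjects ordered identity -> intermediate(s) -> root, built by
    matching each cert's Issuer Name to another cert's Subject Name.
    problems: anything a reviewer of 'show crypto ca certificate' should fix.
    """
    problems = []
    issuers = {c["issuer"] for c in certs}
    by_subject = {c["subject"]: c for c in certs}
    # A 'CA Certificate' that is neither self-signed nor the issuer of anything
    # in the bundle is almost always an identity cert that was loaded with
    # 'crypto ca authenticate' instead of 'crypto ca import'.
    for c in certs:
        if (c["slot"] == "CA Certificate" and c["subject"] != c["issuer"]
                and c["subject"] not in issuers):
            problems.append("%s is in the CA Certificate slot but issues nothing; "
                            "likely an identity cert imported as a CA cert" % c["subject"])
    identities = [c for c in certs if c["slot"] == "Certificate"]
    if len(identities) != 1:
        problems.append("expected one identity cert, found %d" % len(identities))
        return [], problems
    cur = identities[0]
    chain = [cur["subject"]]
    while cur["issuer"] != cur["subject"]:      # a self-signed cert is the root
        parent = by_subject.get(cur["issuer"])
        if parent is None:
            problems.append("missing issuer %s for %s" % (cur["issuer"], cur["subject"]))
            break
        if parent["subject"] in chain:
            problems.append("issuer loop at %s" % parent["subject"])
            break
        chain.append(parent["subject"])
        cur = parent
    return chain, problems


# Constructed sample: a correct three-cert chain (names are placeholders).
GOOD_BUNDLE = [
    {"slot": "Certificate", "subject": "cn=asa.example.com", "issuer": "cn=Example Issuing CA"},
    {"slot": "CA Certificate", "subject": "cn=Example Issuing CA", "issuer": "cn=Example Root CA"},
    {"slot": "CA Certificate", "subject": "cn=Example Root CA", "issuer": "cn=Example Root CA"},
]
```

Feed it the Subject/Issuer pairs from your own 'show crypto ca certificate' output; an empty problems list with the root as the last chain entry is the state Brendan describes as correct.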