ASA 8.4 and win 2008 ca problem

binelipetrov
Level 1

Hi,

We have a problem authenticating the trustpoint for a CA on a Win 2008 Enterprise machine. Enrollment URL:

enrollment url http://CAWin2008/certsrv/mscep_admin/

We are getting the following error

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0

ASA(config)# Content-Type indicates we did not receive a certificate.

after trying to authenticate.

After checking Wireshark captures on the Win 2008 machine, we noticed that Win 2008 is sending a specific HTTP 401 'Unauthorized: access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.' error; it is as if the CA and its IIS service are trying to authenticate the ASA, but the ASA does not send any credentials.

Is anybody familiar with this problem and how we can solve it?

Vladimir

13 Replies

Yudong Wu
Level 7
By default the 2008 CA requires the use of the SCEP challenge password. You might need to go to http:///certsrv/mscep_admin to get a one time password.

Once you have this password you can enter it during enrollment time or define it in the trustpoint with the password command.

Yes, but the first step is to authenticate with the CA, and after that comes the enrollment procedure with a password.

The first step, authentication, is the problem. In this step we see the mentioned unauthorized access in the sniffed HTTP response from the CA server.

Vlada

Sorry, misunderstood your question.

Could you please verify if your RSA key length is 2048?

You might need to run "debug crypto ca trans 255" and "debug crypto ca message 255" to see what happens on ASA.

debug 255...

CRYPTO_PKI: HTTP response header:

HTTP/1.1 401 Unauthorized

Content-Type: text/html

Server: Microsoft-IIS/7.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

Date: Wed, 23 Feb 2011 21:52:17 GMT

Connection: close

Content-Length: 1293

I think the problem is with the authentication that the CA / IIS service is requesting.

Yes, we are using 2048 key length
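As an added example, not code from the thread: a small Python diagnostic that reads an HTTP response head such as the one in the debug output above and explains why the ASA's `crypto ca authenticate` rejects it. It checks for the IIS 401 challenge and for the SCEP CA-certificate content types (from RFC 8894); the header block embedded below is copied from the debug output in this thread.

```python
# Content types a SCEP server returns for a GetCACert response (RFC 8894, section 4.2.1).
SCEP_CA_CERT_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}

# HTTP response head as it appears in the 'debug crypto ca' output posted in the thread.
THREAD_RESPONSE = """\
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Wed, 23 Feb 2011 21:52:17 GMT
Connection: close
Content-Length: 1293
"""

def parse_http_head(raw):
    """Split a raw HTTP response head into (status_code, headers).
    Header names are lower-cased; repeated headers such as WWW-Authenticate are kept as lists."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def diagnose(raw):
    """Return (verdict, explanation) for a response to the ASA's CA-certificate request."""
    status, h = parse_http_head(raw)
    ctype = h.get("content-type", [""])[0].split(";")[0].strip().lower()
    if status == 401:
        schemes = ", ".join(h.get("www-authenticate", [])) or "unspecified"
        return "iis-auth-required", (f"IIS demanded HTTP authentication ({schemes}); the SCEP client "
                                     "sends no credentials, so the SCEP URL must allow anonymous access")
    if status != 200:
        return "http-error", f"unexpected HTTP status {status}"
    if ctype not in SCEP_CA_CERT_TYPES:
        # This is the 'Content-Type indicates we did not receive a certificate' case on the ASA.
        return "not-a-certificate", f"Content-Type '{ctype}' is not a SCEP CA certificate type"
    return "ok", f"CA certificate returned as {ctype}"

if __name__ == "__main__":
    print(diagnose(THREAD_RESPONSE))
```

On a Windows 2008 NDES installation the SCEP service itself answers at the mscep/mscep.dll path under certsrv, while the mscep_admin page used in the thread is the challenge-password page, which is protected by Windows authentication by design, so a 401 from it is expected.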

You might be correct. It should be something with the IIS service.

It might require authentication/authorization to access that page.

If you use a browser to access http://CAWin2008/certsrv/mscep_admin/, what do you get?

To my knowledge, we did test ASA with Win 2008 CA server before. It should work.

You might need to check the Directory Security -> Authentication and Access Control settings of your CA directory in IIS.

Yes, we get a pop-up window for username/password. After entering a username/password with appropriate privileges, we get the regular page with the password/fingerprint information. It is definitely something with the IIS service for the CA site.

Current situation:

Now we are getting a certificate with a proper HTTP 200 response, but the ASA cannot read the certificate from the CA server.

crypto_pki: Unable to read CA/RA certificates. Crypto CA thread sleeps!

Also, we see a dump in debug crypto ca messages/transaction 255; in that dump is the certificate from the Win 2008 CA, but as I mentioned, the ASA cannot implement it, cannot read/accept it.

Vlada

We are using SHA1; it is not the well-known problem with the SHA-256 algorithm.

Vlada

Can you post the following debug output?

debug cry ca 255

debug crypto ca trans 255

debug crypto ca message 255

By the way, is this CA a subCA? If yes, can you check if the root CA is using SHA2?

Hi all,

Did we find a resolution to this? I'm experiencing issues when trying to download the CA cert from a 2008 CA server. The identity certificate was fine. I've tried from file and SCEP. My ASA is running 8.4(1). This worked fine recently for another customer when using a 2003 CA.

Thanks,

Dean

Dean,

Here is a document on how to do this via ASDM:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a008073b12b.shtml

To verify your certificates, you can run 'show crypto ca certificate'. You want to check and make sure that your Identity cert is NOT enrolled as a "CA Certificate". This is a very common mistake.

Next, you should verify that the rest of your certificate chain was imported correctly by checking the Issuer Name and Subject Names. The Issuer of your Identity Cert should match the Subject of the Intermediate Cert (or Root CA Cert if there is no intermediate). Keep moving up the chain until these match, that is your Root CA Certificate and you can stop checking.

If you are having problems with auto enrollment, try enrolling from a file. Make sure to export the certificate as Base-64. This is very easy to do in Windows if you open the Cert, go to the Details tab, and choose Copy to File...

Enrollment Example:

ciscoasa(config)# crypto ca trustpoint my_ca_trustpoint

ciscoasa(config-ca-trustpoint)# enrollment terminal

ciscoasa(config-ca-trustpoint)# exit

ciscoasa(config)# crypto ca authenticate my_ca_trustpoint

I hope this helps.

Thanks,

Brendan
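As an added example, not Brendan's or Cisco's code: a Python script that performs the chain check described above over text laid out like `show crypto ca certificate` output, walking Issuer Name to Subject Name from the identity cert up to a self-signed root, and flagging the common mistake of an identity cert imported as a "CA Certificate". The sample output and all names in it are constructed.

```python
import re

# Constructed sample in the layout of 'show crypto ca certificate'; names are made up.
SAMPLE = """\
Certificate
  Issuer Name:
    cn=Example Issuing CA
  Subject Name:
    cn=asa.example.test

CA Certificate
  Issuer Name:
    cn=Example Root CA
  Subject Name:
    cn=Example Issuing CA

CA Certificate
  Issuer Name:
    cn=Example Root CA
  Subject Name:
    cn=Example Root CA
"""

def parse_certs(text):
    """Return [(kind, issuer, subject)] for each blank-line-separated block; kind is the block's first line."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        names, current = {"Issuer Name": [], "Subject Name": []}, None
        for s in (l.strip() for l in lines[1:]):
            if s.rstrip(":") in names:
                current = s.rstrip(":")          # start of an Issuer Name / Subject Name section
            elif current and "=" in s:
                names[current].append(s)         # one RDN, e.g. cn=...
        certs.append((lines[0].strip(), ",".join(names["Issuer Name"]), ",".join(names["Subject Name"])))
    return certs

def walk_chain(certs):
    """Follow Issuer -> Subject from the identity cert to a self-signed root.
    Returns (subjects on the path, problems found)."""
    by_subject = {subj: iss for _, iss, subj in certs}
    issued = {iss for _, iss, _ in certs}
    # A 'CA Certificate' that is neither self-signed nor the issuer of anything is almost
    # certainly an identity cert that was imported as a CA certificate.
    problems = [f"'{subj}' is labelled CA Certificate but is neither self-signed nor an issuer: identity cert imported as CA cert?"
                for kind, iss, subj in certs if kind == "CA Certificate" and iss != subj and subj not in issued]
    ident = [c for c in certs if c[0] == "Certificate"]
    if not ident:
        return [], problems + ["no identity certificate present"]
    path, (_, iss, subj) = [], ident[0]
    while subj not in path:                      # guard against a cycle in broken input
        path.append(subj)
        if iss == subj:                          # reached the self-signed root: chain complete
            return path, problems
        if iss not in by_subject:                # next link missing: intermediate or root not imported
            return path, problems + [f"issuer '{iss}' of '{subj}' not found among imported certs"]
        iss, subj = by_subject[iss], iss
    return path, problems + ["issuer loop detected"]
```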
