10-16-2002 10:20 AM - edited 02-20-2020 10:18 PM
Trying to do a "ca authenticate" on a PIX 506 running 6.2.2 software, in order to get a certificate from a Microsoft CA server. Here are the relevant commands:
ca identity stage 172.16.0.7:/certsrv/mscep/mscep.dll
ca configure stage ra 1 20
ca authenticate stage
The debug output is:
CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
I put a sniffer on this communication and it appears that the PIX is trying to go to 172.16.0.7:/certsrv/mscep/mscep.dll/pkiclient.exe.
In other words, the PIX is adding a "pkiclient.exe" to the end of the URL no matter what. The Microsoft CA server does not have a pkiclient.exe file as far as I can tell. That seems to be the problem. However, I am puzzled because this combination (PIX and Microsoft CA) should work.
Any ideas what to do next?
10-20-2002 04:02 PM
Try making the CRL optional, and see if that makes a difference.
See this link for a bit of a guide:
http://www.cisco.com/warp/public/471/configipsecsmart.html
Regards,
10-24-2002 08:40 AM
Ensure that you have installed the MSCEP from the Microsoft Resource Kit (cepsetup.exe).
pkiclient.exe is a part of the SCEP protocol and will be added automatically by the router/PIX to the SCEP request.
i.e. http://host/certsrv/mscep/mscep.dll?pkiclient.exe&operation=GetCACert&message=whatever
will return the result from the SCEP responder with the RA & CA certificates.
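To check from a workstation what the SCEP responder actually hands back for GetCACert (a DER body with the CA or CA+RA certificates, versus an HTML error page when the path is wrong), here is an added diagnostic script; it is not part of this thread or any Cisco/Microsoft tool. It assumes the URL form the original poster saw on the sniffer (`/pkiclient.exe` appended to the `ca identity` path) plus the standard SCEP query string, and the sample bodies are constructed.

```python
# Added example (not from the thread): small SCEP GetCACert diagnostic.
from urllib.request import urlopen


def build_getcacert_url(identity: str, ca_name: str) -> str:
    """Turn a PIX 'ca identity' target (host:/path) into the GetCACert URL.
    Assumption: '/pkiclient.exe' is appended as the sniffer showed, and the
    query follows the SCEP form operation=GetCACert&message=<ca identity name>."""
    host, _, path = identity.partition(":")
    if not path.startswith("/"):
        path = "/" + path
    return (f"http://{host}{path.rstrip('/')}/pkiclient.exe"
            f"?operation=GetCACert&message={ca_name}")


def der_total_length(data: bytes):
    """Total encoded length of the outer DER SEQUENCE, or None when the body
    does not start with a well-formed SEQUENCE header (e.g. an HTML 404 page)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_getcacert(content_type: str, body: bytes) -> str:
    """Classify a GetCACert reply: DER certificate(s) or something else."""
    ct = content_type.split(";")[0].strip().lower()
    if der_total_length(body) != len(body):
        return "not-der"           # error page or truncated body: responder path is wrong
    if ct == "application/x-x509-ca-cert":
        return "ca-only"           # one DER certificate, no RA
    if ct == "application/x-x509-ca-ra-cert":
        return "ca-and-ra"         # degenerate PKCS#7 carrying RA and CA certificates
    return "unexpected-type"


def fetch_and_classify(url: str, timeout: float = 5.0) -> str:
    """Issue the GET the PIX would issue and classify what comes back."""
    with urlopen(url, timeout=timeout) as resp:
        return classify_getcacert(resp.headers.get("Content-Type", ""), resp.read())
```

Run `fetch_and_classify(build_getcacert_url("172.16.0.7:/certsrv/mscep/mscep.dll", "stage"))` from a host that can reach the CA; "not-der" means MSCEP is not answering at that path, which is what the original poster's sniffer trace suggested.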
10-31-2002 06:25 AM
After talking to TAC, it looks like the solution should be:
1. Uninstall everything
2. Install Certification Server. Reboot
3. Install MSCEP. Reboot
It seems likely that the Microsoft server is the problem (although I HAD installed the MSCEP already and it wasn't working).
In other words, the solution is to "reboot more often" during the Microsoft installation.
I consider this issue closed now. Thanks for everyone's help.