Re: PIX certificate issue

SDWorx_2 · ‎05-28-2003

I'm trying to connect a PIX FW and a VPN 3015 with the use of certificates.

I followed the instructions found in TAC, but at a given moment there's a command that configures your CA server to get the certificates, and it's here that it goes wrong.

--> ca identity abcd 10.1.0.2:/certsrv/mscep/mscep.dll <--

The given path and dll are not found on my W2 CA server: mscep/mscep.dll !

Any idea what went wrong or do I need to point to another file on our W2K CA server ?

jfrahim · ‎05-28-2003

You have to install an addon application on your Micarosoft CA server. I believe it is called MS-SCEP. You can look at Microsoft's site for that

Jazib

stownsend · ‎06-04-2003

Let me know if you dont find it. I remember it took a bit of looking on MS's site to get it.

If you plan to Revoke your Certs, There are some issue in getting the CRL to work properly.

You need to have the 6.3 (1) code and you need to leave off the LDAP address on the ca identity command.

I've spent months with Cisco trying to get revoked Certs to work properly. Let me know if you need some assistance.

Scott<-

p-cousins · ‎01-05-2004

Hi Scott,

I've been wrangling with the MS CRLs too. Once I've cleaned up the URLs in the CDP attribute of the root CA cert, what else should I be aware of? I don't have an LDAP ip assigned in the ca identity line.

Do you have a successful formula or checklist for this config? I want to be able to reproduce this setup a number of times and want to make sure all the gotchas are taken care of in the documentation. Then I will post the result on the cisco site via one of their techs so that others don't go through as much pain as we have....

Thanks

Philip

JAKUB CHYTRACEK · ‎06-27-2003

You have to install mscep utility (cepsetup.exe), you can find it on Microsoft Add-On CD. This utility install RA on CA, after that you can make enrollment.