06-26-2003 05:08 AM - edited 02-20-2020 10:49 PM
Hi All,
I have two problems with my PIX 501:
1. Enrolling works well. The pix has a certificate and uses it with VPN/SSL connections. But after a reload, the pix certificate is lost and it has regenerated a self signed certificate again!
Yes, I did write mem and ca save all!
2. On a ca crl request <name>, I get the following debug:
Crypto CA thread wakes up!
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: transaction GetCRL completed
Crypto CA thread sleeps!
CI thread wakes up!
And the CRL is empty.
Does somebody have an idea?
Bert Koelewijn
06-26-2003 07:54 PM
Not sure about 1, but 2 is usually caused by the CDP (CRL Distribution Point, basically the location the PIX can download the CRL from) listed in the CA cert being in a format the PIX doesn't understand, usually an LDAP URL.
Check the following please:
Open the CA admin tool (Certification Authority) then
1) right click on the CA name and choose "Properties"
2) select the tab "Policy Module"
3) hit the button "Configure"
4) select the tab "X.509 extensions"
From there, he can view the list of "CRL Distribution Points".
Deactivate all that is not HTTP.
You'll need to reinstall the certs into the PIX I believe, but then it should be able to download the CRL via HTTP instead of LDAP.
06-27-2003 01:51 AM
> in a format the PIX doesn't understand
I eliminated the space in the name of my ca certificate, to make the URL cleaner, without the '%20': abc%20def.crl -> abcdef.crl. That solved problem 1!!
I still have no clue about problem 2; even with nice URLs and only HTTP (as you mentioned), it gives the same debug.
Thanks for your previous hint! It led me to the solution of problem 1. Does somebody have an idea about problem 2?
Bert Koelewijn
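The two fixes in this thread both come down to what sits in the certificate's CRL Distribution Points extension: a non-HTTP (LDAP) CDP left the CRL empty, and a "%20" from a space in the CA name was tied to the certificate not surviving a reload. The script below is an added example, not code from the thread or from Cisco: it builds a constructed CRLDistributionPoints extension (RFC 5280 section 4.2.1.13) with three hypothetical URIs, decodes it at the DER level, and flags the two patterns the thread describes so you can audit a CA's CDP list before enrolling a device. The host name and paths are made up; a real check would pull the extension value out of the CA certificate with your usual X.509 tooling.

```python
"""Audit the CRL Distribution Points of a certificate at the DER level.

Added example (not from the forum thread). The sample extension below is
constructed with the encoder in this file; the host and paths are hypothetical.
"""


def der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_cdp_extension(uris):
    """Build a CRLDistributionPoints value with one DistributionPoint per URI.

    CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
    DistributionPoint     ::= SEQUENCE { distributionPoint [0] DistributionPointName, ... }
    DistributionPointName ::= CHOICE { fullName [0] GeneralNames, ... }
    GeneralName           ::= CHOICE { ..., uniformResourceIdentifier [6] IA5String, ... }
    """
    dps = []
    for uri in uris:
        general_name = tlv(0x86, uri.encode("ascii"))  # [6] uniformResourceIdentifier
        full_name = tlv(0xA0, general_name)            # [0] fullName (GeneralNames)
        dp_name = tlv(0xA0, full_name)                 # [0] distributionPoint
        dps.append(tlv(0x30, dp_name))                 # DistributionPoint SEQUENCE
    return tlv(0x30, b"".join(dps))                    # SEQUENCE OF DistributionPoint


def read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_cdp_uris(ext_value):
    """Return every URI GeneralName found under distributionPoint/fullName.

    cRLIssuer [2] and other GeneralName types (dNSName, directoryName, ...) are
    deliberately skipped: only the fetch locations matter for this audit.
    """
    uris = []

    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, content, pos = read_tlv(buf, pos)
            if tag == 0x86:
                uris.append(content.decode("ascii"))
            elif tag in (0x30, 0xA0):
                walk(content)

    walk(ext_value)
    return uris


def audit_cdp_uris(uris):
    """Classify each CDP URI against the two failure patterns from the thread."""
    findings = []
    for uri in uris:
        scheme = uri.split(":", 1)[0].lower()
        if scheme != "http":
            findings.append((uri, "non-HTTP CDP: the PIX in the thread could not fetch it, so the CRL stayed empty"))
        elif "%" in uri:
            findings.append((uri, "percent-encoded path: a space in the CA name ('%20') was tied to the lost-certificate problem"))
        else:
            findings.append((uri, "ok"))
    return findings


# Constructed sample: an LDAP CDP, an HTTP CDP with a '%20', and a clean HTTP CDP.
SAMPLE_EXT = encode_cdp_extension([
    "ldap://pdc.example.test/CN=abc%20def,CN=pdc,CN=CDP?certificateRevocationList",
    "http://pdc.example.test/CertEnroll/abc%20def.crl",
    "http://pdc.example.test/CertEnroll/abcdef.crl",
])


if __name__ == "__main__":
    for uri, verdict in audit_cdp_uris(extract_cdp_uris(SAMPLE_EXT)):
        print(f"{verdict:<90} {uri}")
```

Running it lists each CDP with a verdict; only the third URI comes back "ok", which matches the state the thread ended in: HTTP only, with no space (and so no "%20") in the CA name.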
06-27-2003 02:30 AM
Solved problem 2!
Not only by leaving the LDAP address off the certificate, but by leaving the LDAP IP address out of the 'ca identity' rule too.
Is Cisco aware of this issue? Will they make things easier in the next releases of the PIX OS?
Thanks!
Bert Koelewijn