Problems with PIX 501 and MS Cert Server

BertK88
Level 1

Hi All,

I have two problems with my PIX 501:

1. Enrolling works well. The PIX has a certificate and uses it with VPN/SSL connections. But after a reload, the PIX certificate is lost and it has regenerated a self-signed certificate again!

Yes, I did write mem and ca save all!

2. On a ca crl request <name>, I get the following debug:

Crypto CA thread wakes up!
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: transaction GetCRL completed
Crypto CA thread sleeps!
CI thread wakes up!

And the CRL is empty.

Does somebody have an idea?

Bert Koelewijn


3 Replies

gfullage
Cisco Employee

Not sure about 1, but 2 is usually caused by the CDP (CRL Distribution Point, basically the location where the PIX can download the CRL from) listed in the CA cert being in a format the PIX doesn't understand, usually an LDAP URL.

Check the following please:

Open the CA admin tool (Certification Authority) then

1) right click on the CA name and choose "Properties"

2) select the tab "Policy Module"

3) hit the button "Configure"

4) select the tab "X.509 extensions"

From there, he can view the list of "CRL Distribution Points".

Deactivate all that is not HTTP.

You'll need to reinstall the certs into the PIX I believe, but then it should be able to download the CRL via HTTP instead of LDAP.

> in a format the PIX doesn't understand

I eliminated the space in the name of my ca certificate, to make the URL cleaner, without the '%20': abc%20def.crl -> abcdef.crl. That solved problem 1!!

I still have no clue about problem 2, even with nice URLs and only HTTP (as you mentioned), it gives the same debug.

Thanks for your previous hint! It led me to the solution of problem 1. Does somebody have an idea about problem 2?

Bert Koelewijn
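As an added example (not from the thread, and not Cisco's or Microsoft's code), a stdlib-only Python pre-flight check that pulls the CDP URIs out of a CA certificate's `openssl x509 -noout -text` output and flags what the PIX could not use: the non-HTTP (LDAP) CDPs gfullage describes, and HTTP URLs with a %20 in the CRL file name as found above. The CA name, host and LDAP DN in the sample are constructed values.

```python
from urllib.parse import urlsplit, unquote

# Constructed excerpt of `openssl x509 -noout -text` output for a Windows CA
# certificate (CA name "abc def") that publishes its CRL via LDAP and HTTP.
SAMPLE_OPENSSL_TEXT = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=abc%20def,CN=ca01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
                Full Name:
                  URI:http://ca01.example.local/CertEnroll/abc%20def.crl
            X509v3 Subject Key Identifier:
                DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF
"""

def extract_cdp_uris(openssl_text):
    """Return the URIs listed under the 'X509v3 CRL Distribution Points' extension."""
    uris, in_cdp, cdp_indent = [], False, 0
    for line in openssl_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("X509v3 CRL Distribution Points"):
            in_cdp, cdp_indent = True, indent
            continue
        if not in_cdp or not stripped:
            continue
        if indent <= cdp_indent:
            break  # the next extension header at the same indent ends the section
        if stripped.startswith("URI:"):
            uris.append(stripped[len("URI:"):])
    return uris

def check_pix_cdp_compat(uris):
    """Return (uri, problem) pairs; problem is None when the PIX can use the CDP.
    Only plain HTTP is usable; an HTTP URL whose CRL file name carries a space
    (%20) is flagged too, since that also broke retrieval in the thread."""
    results = []
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme.lower() != "http":
            results.append((uri, f"non-HTTP scheme '{parts.scheme}'"))
        elif " " in unquote(parts.path):
            results.append((uri, "space (%20) in CRL path"))
        else:
            results.append((uri, None))
    return results

if __name__ == "__main__":
    for uri, problem in check_pix_cdp_compat(extract_cdp_uris(SAMPLE_OPENSSL_TEXT)):
        print("BAD" if problem else "OK ", uri, problem or "")
```

Run it against the real CA certificate's `openssl x509 -noout -text` output before enrolling; every CDP it reports as BAD must be deactivated in the CA's policy module (or the CA renamed) for the PIX to fetch the CRL.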

Solved problem 2!

Not only by leaving the LDAP address off the certificate, but by leaving off the LDAP IP address in the 'ca identity' rule too.

Is Cisco aware of this issue? Will they make things easier in the next releases of the PIX OS?

Thanks!

Bert Koelewijn
