04-27-2010 02:38 PM - edited 03-09-2019 10:56 PM
I am trying to run the IOS CA to serve as root to two subordinate CA’s on my DMVPN hubs. I am using a 2650XM on IOS image c2600-advsecurityk9-mz.124-15.T12.bin, and am following the procedures in both http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/PKI-security.html and the Cisco IOS Security Configuration Guide http://www.cisco.com/en/US/customer/docs/ios/sec_secure_connectivity/configuration/guide/12_4t/sec_secure_connectivity_12_4t_book.html section(s) on PKI. I can get the CA running but ONLY if I do not configure ‘database url <url>’ (and presumably ‘cdp-url’)
I have tried using ftp: and http: for ‘database url’, but I always get the server status of
Certificate Server root-ca:
Status: disabled, Storage not accessible
and messages similar to “%PKI-3-CS_CRIT_STORAGE: Critical certificate storage, ftp://<username>:<password>@<ftp-server>/0x1.crt, is inaccessible, server disabled.” when I’m using ftp. No message is issued when using http, but the server status is the same. And the cert server appears to write the files 0x1.cnm and 0x1.crt, and the root-ca.ser file, to the ftp server but still says storage is inaccessible.
Here is the config without ‘database url’ that works:
crypto pki server root-ca
database level complete
database archive pkcs12 password 7 15361202377928311A
grant auto rollover ca-cert
grant auto
lifetime certificate 730
lifetime ca-certificate 750
auto-rollover 90
!
crypto pki trustpoint root-ca
revocation-check crl none
rsakeypair root-ca
!
!
crypto pki certificate chain root-ca
certificate ca 01
30820302 308201EA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
12311030 0E060355 04031307 726F6F74 2D636130 1E170D31 30303432 37323130
<lines deleted>
94D7B595 3C35C1A1 9D0BAA22 E92C40BD D7DE6C1F 92BD1285 534817FC 62B4CBCF
8EB659B5 5C3C
quit
!
(I don’t think the rest of the config is needed, but ntp is configured and active as is the http server).
rsdpki1#sh crypto pki server
Certificate Server root-ca:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=root-ca
CA cert fingerprint: ACFF6E7F 7A87AB31 21BF7222 314D3BA9
Granting mode is: auto
Last certificate issued serial number: 0x1
CA certificate expiration timer: 14:08:26 PDT May 16 2012
CRL NextUpdate timer: 20:08:56 PDT Apr 27 2010
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
Auto-Rollover configured, overlap period 90 days
Autorollover timer: 13:08:26 PST Feb 16 2012
rsdpki1#sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=root-ca
Subject:
cn=root-ca
Validity Date:
start date: 14:08:26 PDT Apr 27 2010
end date: 14:08:26 PDT May 16 2012
Associated Trustpoints: root-ca
rsdpki1#sh crypto key mypubkey rsa
% Key pair was generated at: 14:01:09 PDT Apr 27 2010
Key name: root-ca
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
<lines removed>
3F020301 0001
% Key pair was generated at: 14:01:16 PDT Apr 27 2010
Key name: root-ca.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 009E1CF0 EE0A4456
<lines removed>
D92FACAB 7780169C 90B77FAF 92026085 F663353D 29CD8018 87020301 0001
rsdpki1#sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate
Code Usage IP-Address/VRF Keyring Name
C Signing default X.500 DN name:
cn=root-ca
rsdpki1#sh crypto pki certificates storage
Certificates will be stored in nvram:
rsdpki1#
However, when I clear that all out and reconfigure it with an ftp: database, I get:
crypto pki server root-ca
database level complete
database archive pkcs12 password 7 052F1F01121F4D1C2B
grant auto rollover ca-cert
grant auto
lifetime certificate 730
lifetime ca-certificate 750
cdp-url ftp://ssdftp1/rsdpki1_generated.crl
auto-rollover 90
database url ftp://ssdftp1
database username ftp4ios password <removed>
!
crypto pki trustpoint root-ca
revocation-check crl none
rsakeypair root-ca
And show xxx shows:
rsdpki1#sh crypto pki server
Certificate Server root-ca:
Status: disabled, Failed to generate selfsigned CA certificate
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=root-ca
CA cert fingerprint: -Not found-
Granting mode is: auto
Last certificate issued serial number: 0x0
CA certificate expiration timer: 14:24:47 PDT May 16 2012
CRL not present.
Current primary storage dir: ftp://ssdftp1
Database Level: Complete - all issued certs written as <serialnum>.cer
Auto-Rollover configured, overlap period 90 days
rsdpki1#sh crypto pki certificates
rsdpki1#sh crypto key mypubkey rsa
% Key pair was generated at: 14:23:18 PDT Apr 27 2010
Key name: root-ca
Storage Device: not specified
Usage: General Purpose Key
Key is exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
<lines removed>
63020301 0001
% Key pair was generated at: 14:23:25 PDT Apr 27 2010
Key name: root-ca.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00E514E6 0770D50A
<lines removed>
rsdpki1#sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate
Code Usage IP-Address/VRF Keyring Name
rsdpki1#sh crypto pki certificates storage
Certificates will be stored in nvram:
rsdpki1# (I skipped the ‘sh crypto pki counters’)
But the files are written to the ftp server and appear fine. Can anyone tell me the rules for ‘database url’ and/or ‘cdp-url’? The “PKI Service for Large Scale IPSec Aggregation” document (first url) shows both ftp: and http: examples. As I say, I *think* I have the ftp specified correctly because the files are written. But I have no idea what the requirements are for the http server – do I need Web-DAV or something?
Thanks in advance.
PAUL TRIVINO
Sr. Network Engineer
05-05-2010 10:27 AM
Did you try nvram or flash as the url location?
05-06-2010 11:45 AM
09-18-2010 09:05 AM
Ran into same issue on a 2621XM CA server running advanced security IOS 12.4(15)T8.
I rebooted the router, and the CA service ran fine until I looked into the info request database and approved the cert for a spoke; then I got the following:
cry pki ser [removed] grant all
% Failed to process enrollment request. The request #1 is deleted.
...and in the log:
Sep 18 12:23:07.203: %PKI-3-CS_CRIT_STORAGE: Critical certificate storage, nvram:0xD.cnm, is inaccessible, server disabled.
Sep 18 12:23:07.211: %PKI-6-CS_DISABLED: Certificate server now disabled.
Have you found any resolution or root cause?
Thanks!
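The %PKI-3-CS_CRIT_STORAGE and %PKI-6-CS_DISABLED messages quoted above are the only signal that the CA has silently stopped issuing certificates, so they are worth alerting on rather than discovering after an enrollment fails. The following Python script is an added example, not code from the thread or from Cisco: it scans IOS syslog lines for those two messages, parses the Status and storage lines of ‘show crypto pki server’ output, and redacts the ftp username:password that the storage message embeds in the URL before the finding is forwarded anywhere. The sample log lines and show output are constructed from the messages quoted in this thread; the ftp credential in the third log line is made up to exercise the redaction.

```python
import re

# Syslog patterns for the two messages seen in this thread, e.g.
# "%PKI-3-CS_CRIT_STORAGE: Critical certificate storage, nvram:0xD.cnm, is inaccessible, server disabled."
# "%PKI-6-CS_DISABLED: Certificate server now disabled."
CRIT_STORAGE_RE = re.compile(
    r"%PKI-3-CS_CRIT_STORAGE: Critical certificate storage, (?P<path>\S+), is inaccessible"
)
DISABLED_RE = re.compile(r"%PKI-6-CS_DISABLED: Certificate server now disabled")

# Lines of interest in "show crypto pki server" output:
# "Status: enabled" or "Status: disabled, <reason>", and "Current primary storage dir: <url>"
STATUS_RE = re.compile(r"^\s*Status:\s*(?P<status>\w+)(?:,\s*(?P<reason>.+))?$", re.MULTILINE)
STORAGE_RE = re.compile(r"^\s*Current primary storage dir:\s*(?P<dir>\S+)", re.MULTILINE)


def redact_credentials(path):
    """Replace user:password in a scheme://user:password@host/... URL with a marker.

    The CS_CRIT_STORAGE message writes the ftp URL with the database username and
    password inline, so the finding must not be forwarded verbatim."""
    return re.sub(r"://[^/@\s]+:[^/@\s]+@", "://<redacted>@", path)


def scan_syslog(lines):
    """Return a list of findings (dicts) for certificate-server events in IOS syslog lines."""
    findings = []
    for line in lines:
        m = CRIT_STORAGE_RE.search(line)
        if m:
            findings.append({"event": "storage_inaccessible",
                             "path": redact_credentials(m.group("path"))})
            continue
        if DISABLED_RE.search(line):
            findings.append({"event": "server_disabled", "path": None})
    return findings


def parse_server_status(show_output):
    """Extract status, disable reason and storage dir from 'show crypto pki server' output."""
    s = STATUS_RE.search(show_output)
    d = STORAGE_RE.search(show_output)
    return {
        "status": s.group("status") if s else None,
        "reason": (s.group("reason") or "").strip() if s else None,
        "storage": d.group("dir") if d else None,
    }


def ca_healthy(show_output):
    """True only when the certificate server reports Status: enabled."""
    return parse_server_status(show_output)["status"] == "enabled"


# Constructed sample input: the first two lines are the messages quoted in this thread,
# the third is made up (fake credential) to show the redaction of an ftp storage URL.
SAMPLE_SYSLOG = [
    "Sep 18 12:23:07.203: %PKI-3-CS_CRIT_STORAGE: Critical certificate storage, nvram:0xD.cnm, is inaccessible, server disabled.",
    "Sep 18 12:23:07.211: %PKI-6-CS_DISABLED: Certificate server now disabled.",
    "Sep 18 12:25:00.000: %PKI-3-CS_CRIT_STORAGE: Critical certificate storage, ftp://ftp4ios:fakepass@ssdftp1/0x1.crt, is inaccessible, server disabled.",
]

# Constructed excerpts of "show crypto pki server" for the broken and the working case.
SAMPLE_SHOW_BROKEN = """Certificate Server root-ca:
  Status: disabled, Failed to generate selfsigned CA certificate
  State: check failed
  Current primary storage dir: ftp://ssdftp1
"""
SAMPLE_SHOW_OK = """Certificate Server root-ca:
  Status: enabled
  State: enabled
  Current primary storage dir: nvram:
"""

if __name__ == "__main__":
    for finding in scan_syslog(SAMPLE_SYSLOG):
        print(finding)
    print(parse_server_status(SAMPLE_SHOW_BROKEN))
    print("healthy:", ca_healthy(SAMPLE_SHOW_OK))
```

Run against a syslog feed, a storage_inaccessible finding for an nvram: or flash: path points at the device’s own filesystem naming, while one for an ftp: or http: URL points at the external store; either way the CA is disabled until the storage is reachable and the server is re-enabled.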
02-18-2015 08:48 AM
Performed the following on a 2811 to resolve.
CA Server:
Create username/domain
Enable HTTP
Generate rsa key
crypto pki server ks
database level complete
grant auto
lifetime certificate 180
lifetime ca-certificate 7305
database url flash:
no shut
12-11-2021 11:05 PM - edited 10-25-2022 02:02 AM
I know that the post is too old, but for anyone who could face the same issue in the future...
I had the same problem, and found that some IOSs (especially if you are using EVE/GNS) have different names for the storage:
flash:
disk:
nvram:
etc...
So you have to check exactly how the device names the storage, using the command ‘dir ?’.
After that use the following command:
Device(cs-server)#database url storage-name
08-21-2023 02:48 AM
Thanks, a very helpful comment.