PKI Certificate

synbureau
Level 1

Hi

I have defined a PKI trustpoint on an 871, but while authenticating the CA I get the following error:

Nov 6 10:57:05.370: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=Synergy-CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Nov 6 10:57:05.370: CRYPTO_PKI: locked trustpoint Synergy-CA, refcount is 1
Nov 6 10:57:05.386: CRYPTO_PKI: http connection opened
Nov 6 10:57:05.386: CRYPTO_PKI: unlocked trustpoint Synergy-CA, refcount is 0
Nov 6 10:57:05.386: CRYPTO_PKI: locked trustpoint Synergy-CA, refcount is 1
Nov 6 10:57:05.598: CRYPTO_PKI: unlocked trustpoint Synergy-CA, refcount is 0
Nov 6 10:57:05.598: CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Length: 4274
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.0
Date: Thu, 06 Nov 2008 10:56:47 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
Nov 6 10:57:05.598: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=Synergy-CA)
Nov 6 10:57:05.602: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
Nov 6 10:57:05.602: crypto_certc_pkcs7_extract_certs_and_crls failed
Nov 6 10:57:05.602: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
Nov 6 10:57:05.602: CRYPTO_PKI: Unable to read CA/RA certificates.
Nov 6 10:57:05.602: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Nov 6 10:57:05.602: CRYPTO_PKI: transaction GetCACert completed

--------------------------------------

My router config for the trustpoint is as follows:

crypto pki trustpoint Synergy-CA
 enrollment mode ra
 enrollment url http://ca_2008.sfs.com:80/certsrv/mscep/mscep.dll
 subject-name cn=Authenticator-871 o=SFS
 revocation-check none
 ocsp url http://ca_2008.sfs.com/ocsp
 rsakeypair Synergy


Not applicable

The explanation for "PKI-3-GETCARACERT: Failed to receive RA/CA certificates" is that the PKI certificate has encountered a failure when parsing and processing the CA/RA certificates. The recommended action is to check the status and contact the CA administrator. Also, you can check whether the certificate is valid or not.

This url explains about certificate authentication in detail:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml#step3

Thank you for the reply. I got through that stage and am now stuck with decoding of the reply sent by OCSP (MS Server 2008): the no-revocation check OID has a zero-length value, whereas NULL is expected by Cisco. MS has identified it as a bug but will be releasing its fix in SP2; I just wanted to know if Cisco has found a way around it.
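Added example (not from this thread, Cisco or Microsoft): a small DER check, pure Python, that tells whether an X.509 extension carrying id-pkix-ocsp-nocheck (OID 1.3.6.1.5.5.7.48.1.5, RFC 6960) encodes its value as ASN.1 NULL or as the zero-length value described in the post above. The two sample extensions are constructed inline; to check a real OCSP signing certificate you would feed it the DER of that certificate's extension.

```python
"""Check how an X.509 Extension encodes id-pkix-ocsp-nocheck.

RFC 6960 defines the extension value as ASN.1 NULL, so the extnValue
OCTET STRING must contain the two bytes 05 00; a zero-length OCTET STRING
is the encoding the router cannot decode.  Samples below are constructed.
"""

# DER encoding of OID 1.3.6.1.5.5.7.48.1.5 (id-pkix-ocsp-nocheck)
OCSP_NOCHECK_OID = bytes.fromhex("2b0601050507300105")

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_NULL = 0x01, 0x04, 0x05
TAG_OID, TAG_SEQUENCE = 0x06, 0x30


def read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def nocheck_encoding(extension_der: bytes) -> str:
    """Classify one DER Extension: 'null', 'empty', 'other' or 'not-nocheck'."""
    tag, body, _ = read_tlv(extension_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != TAG_OID:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    if oid != OCSP_NOCHECK_OID:
        return "not-nocheck"
    if body[pos] == TAG_BOOLEAN:      # optional 'critical' flag, skip it
        _, _, pos = read_tlv(body, pos)
    tag, extn_value, _ = read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("extnValue must be an OCTET STRING")
    if len(extn_value) == 0:
        return "empty"                # zero-length value: the bug described
    if extn_value == bytes([TAG_NULL, 0x00]):
        return "null"                 # RFC 6960 encoding
    return "other"


# Constructed samples: RFC-conformant extension and the zero-length variant
RFC_EXTENSION = bytes.fromhex("300f" "0609" "2b0601050507300105" "0402" "0500")
ZERO_LENGTH_EXTENSION = bytes.fromhex("300d" "0609" "2b0601050507300105" "0400")
```

`nocheck_encoding(RFC_EXTENSION)` returns `"null"` and `nocheck_encoding(ZERO_LENGTH_EXTENSION)` returns `"empty"`, which is the case the router rejects.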