4164 Views, 0 Helpful, 3 Replies

What is PKICLIENT.EXE? Setting up CEP between MS CA and Cisco Devices

d-garnett (Level 3)

How do you go about setting up CEP certificate enrollment between Cisco routers and a Microsoft CA? What am I doing wrong?

Config On The Router

ip host MYCANAME [ip address here]
crypto ca identity CANAME
 enrollment url http://CANAME:80/certsrv/mscep/mscep.dll
 enrollment mode ra
 exit

Of course I have the domain name and hostname, and I have also created the RSA public key with accurate time. OK, now to get the cert from the server:

crypto ca authenticate CANAME

This doesn't work. I have seen all the example configs here on cisco.com and at Microsoft, and this just does not work for me. The router requests:

http://MYCANAME:80/certsrv/mscep/mscep.dll/pkiclient.exe?=GetCACert&msg ?

Where did pkiclient.exe come from? The MS patch put mscep.dll on my server, not mscep.dll/pkiclient.exe.

I am aware that by default the router looks in the cgi-bin directory for 'pkiclient.exe', but what is 'pkiclient.exe'? I have searched all over the web and found nothing.

I have been trying to set up a CA for weeks, and the only way I can obtain a cert from the CA is if I use the trustpoint commands on the router (12.3), rename the CA certificate on the server and download it via TFTP to the router. I applied the MSCEP (cepsetup.exe) patch from Microsoft and my server is running SP4, but the routers' 'debug pki transactions' and packet trace output give errors saying '/certsrv/mscep/mscep.dll/pkiclient.exe' doesn't exist.

Of course it doesn't exist, because mscep.dll is a file, not a directory. Why is PKICLIENT always appended to the end? Where do I download the pkiclient file from? Do I have to rename the CA cert to pkiclient.exe?

3 Replies

umedryk (Level 5)

PKICLIENT.EXE is a Microsoft add-on, required for MS CA.

I am aware of that. I installed the 'cepsetup.exe' package that puts 'mscep.dll' on my CA/RA. When I configure the routers to look there:

http://MYSRVNAME:80/certsrv/mscep/mscep.dll

(this is an "actual" file that is on the server)

the router looks for this:

http://MYSRVNAME:80/certsrv/mscep/mscep.dll/pkiclient.exe

MSCEP.DLL is not a directory, it is a file. I have no clue where to get pkiclient.exe from for MS. If I could download that file, I'd be in business.

I am aware that .dll's are sort of like .exe files, but the router insists on looking for pkiclient.exe. If I rename the mscep.dll file to pkiclient.exe and run a packet trace, the output of the trace says "This program cannot be run in MS-DOS mode"...?

I am also aware that by default the router looks for pkiclient in the /cgi-bin/ directory. OK, that's great too, but where do I get pkiclient from in the first place?

If I configure the router to get the cert via TFTP, it works.

i.e.

---> get file CERT.p7b

No prob, the router gets the cert and installs it.

If I rename the cert to pkiclient.exe, once again I get the "This program cannot be run in MS-DOS mode" in the trace.

I have seen versions of the pkiclient.exe file for ENTRUST and for OpenSCEP, but not Microsoft.

I am truly baffled; I don't know of anyone who has successfully set this up to date using Microsoft. I am sure my router configs are solid. When I look on Microsoft's website, all I seem to get is the runaround. There is NO reference to pkiclient.exe in the Windows Security Resource Kit.

Just an update for anyone else who may have this same problem. I finally got this working using Windows 03 Server. I think it had something to do with IIS, the Web Extension Service, and the version of the mscep.dll (cepsetup.exe) file I had. I did not set anything up any differently between the 2 servers, but it just works on 03 (that's why I think it was mainly the version of the file). There is no pkiclient.exe file using MS. How it works I don't know, but it works.
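Added example, not part of the thread and not Cisco or Microsoft code, covering what the original question, the follow-up and the update above are all circling around. 'pkiclient.exe' is not a file anyone ships: it is the CGI name fixed by the SCEP draft, and a SCEP client such as the router appends it to the configured enrollment URL together with the query 'operation=GetCACert&message=<CA identifier>'. The '/certsrv/mscep/mscep.dll/pkiclient.exe' path in the packet trace is therefore expected; it is answered when IIS executes mscep.dll as an ISAPI extension and passes the trailing '/pkiclient.exe' to it as path info, which is consistent with the Web Service Extension remark in the update. Renaming the DLL or the .p7b to pkiclient.exe instead makes IIS serve the file as a static download, which is where the "This program cannot be run in DOS mode" text in the trace comes from (it is the DOS stub of a Windows PE binary). The code below builds the request URL the way the client does and classifies the reply so those cases can be told apart offline. The host names, the trustpoint name and the sample reply bodies are constructed for illustration.

```python
"""Added example (not part of the thread, not Cisco or Microsoft code).

Builds the SCEP GetCACert request URL the way a SCEP client such as IOS
does, and classifies the HTTP reply so the outcomes described in the thread
(a PKCS#7 CA/RA bundle, a bare CA certificate, a Windows binary served as a
static file, a 404) can be told apart.  Host names, trustpoint name and
sample bodies are constructed, not captured from any server.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# DER encoding of OID 1.2.840.113549.1.7.2 (pkcs7-signedData).  A GetCACert
# reply of type application/x-x509-ca-ra-cert is a degenerate PKCS#7
# SignedData carrying the CA and RA certificates, so this OID sits near the
# start of the body; a .p7b exported from the CA has the same shape.
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

# SCEP CGI name.  It is part of the protocol (draft-nourse-scep), not a file
# the server ships: the server only has to answer requests whose path ends
# in it.  The client appends it to the configured enrollment URL.
SCEP_CGI_NAME = "pkiclient.exe"


def build_getcacert_url(enrollment_url: str, trustpoint: str) -> str:
    """Return the URL the client requests to fetch the CA (and RA) certificate.

    With 'enrollment url http://CANAME:80/certsrv/mscep/mscep.dll' this yields
    '.../mscep.dll/pkiclient.exe?operation=GetCACert&message=CANAME', the
    path seen in the thread's packet trace.  With only a host in the URL the
    default path is /cgi-bin/pkiclient.exe (the default the poster mentions).
    """
    parts = urlsplit(enrollment_url)
    path = parts.path if parts.path not in ("", "/") else "/cgi-bin/"
    if not path.endswith("/"):
        path += "/"
    path += SCEP_CGI_NAME
    query = urlencode({"operation": "GetCACert", "message": trustpoint})
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))


def classify_cacert_reply(status: int, content_type: str, body: bytes) -> str:
    """Classify an HTTP reply to GetCACert.

    'pe-binary'        body starts with 'MZ': the server served pkiclient.exe
                       (or a renamed mscep.dll) as a static download instead of
                       executing it; the 'This program cannot be run in DOS
                       mode' text in the trace is the DOS stub of that file
    'http-NNN'         non-200 status, e.g. 'http-404' when the path is unknown
    'ca-ra-cert'       PKCS#7 SignedData with application/x-x509-ca-ra-cert,
                       what 'enrollment mode ra' needs from an MSCEP RA
    'ca-cert'          single DER certificate with application/x-x509-ca-cert
    '*-bad-ctype'      DER body of the right kind but the wrong Content-Type
    'html' / 'unknown' anything else
    """
    if body[:2] == b"MZ":
        return "pe-binary"
    if status != 200:
        return "http-%d" % status
    ctype = content_type.split(";")[0].strip().lower()
    if body[:1] == b"\x30":  # ASN.1 SEQUENCE: some DER structure
        if PKCS7_SIGNED_DATA_OID in body[:32]:
            return "ca-ra-cert" if ctype == "application/x-x509-ca-ra-cert" else "ca-ra-cert-bad-ctype"
        return "ca-cert" if ctype == "application/x-x509-ca-cert" else "ca-cert-bad-ctype"
    if ctype.startswith("text/html"):
        return "html"
    return "unknown"


def fetch_cacert(url: str, timeout: float = 10.0):
    """Live check against a real server; returns (status, content_type, body).
    Not exercised offline; included so the classifier can be run for real."""
    from urllib.error import HTTPError
    from urllib.request import Request, urlopen
    try:
        with urlopen(Request(url), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except HTTPError as err:
        return err.code, err.headers.get("Content-Type", "") or "", err.read()


# Constructed sample bodies (not captured from any server).
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_P7 = b"\x30\x0f" + PKCS7_SIGNED_DATA_OID + b"\xa0\x02\x30\x00"  # minimal ContentInfo
SAMPLE_CERT = b"\x30\x82\x01\x0a\x30\x81\xf2\xa0\x03\x02\x01\x02"         # DER cert prefix


if __name__ == "__main__":
    print(build_getcacert_url("http://CANAME:80/certsrv/mscep/mscep.dll", "CANAME"))
    print(build_getcacert_url("http://MYCANAME", "CANAME"))
    for args in ((200, "application/octet-stream", SAMPLE_PE),
                 (200, "application/x-x509-ca-ra-cert", SAMPLE_P7),
                 (200, "application/x-x509-ca-cert", SAMPLE_CERT),
                 (404, "text/html", b"<html>404</html>")):
        print(args[1], "->", classify_cacert_reply(*args))
```

Against a live server, `classify_cacert_reply(*fetch_cacert(build_getcacert_url(url, name)))` returning 'ca-ra-cert' is what 'crypto ca authenticate' with 'enrollment mode ra' needs; 'pe-binary' means IIS is serving the DLL or certificate as a file rather than running the ISAPI extension, and 'http-404' means the request never reached mscep.dll at all.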