01-07-2015 08:33 AM - edited 03-10-2019 12:20 AM
I've got a client with a new PKI environment, they have an Offline root > Intermediate > Issuing CA running NDES
I followed this procedure to configure NDES on the issuing (Sub CA).
When I built it in the test network with a standalone Enterprise root CA running NDES it worked fine.
In production the devices cannot get a cert. If I run a debug on the network devices (Cisco) I see this error:
Jan 4 10:31:11.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/21, changed state to up
Jan 4 10:32:40.648: CRYPTO_PKI: pki request queued properly
Jan 4 10:32:40.648: CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=HG-Trustpoint HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.4.41
Jan 4 10:32:40.648: CRYPTO_PKI: locked trustpoint HG-Trustpoint, refcount is 1
Jan 4 10:32:40.656: CRYPTO_PKI: http connection opened
Jan 4 10:32:40.656: CRYPTO_PKI: Sending HTTP message
Jan 4 10:32:40.656: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.4.41
Jan 4 10:32:40.656: CRYPTO_PKI: unlocked trustpoint HG-Trustpoint, refcount is 0
Jan 4 10:32:40.656: CRYPTO_PKI: locked trustpoint HG-Trustpoint, refcount is 1
Jan 4 10:32:40.673: CRYPTO_PKI: unlocked trustpoint HG-Trustpoint, refcount is 0
Jan 4 10:32:40.673: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 7946
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/8.5
Date: Wed, 07 Jan 2015 10:30:36 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
Jan 4 10:32:40.673: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=HG-Trustpoint)
Jan 4 10:32:40.673: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_certc_pkcs7_extract_certs_and_crls failed
Jan 4 10:32:40.673: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_pkcs7_extract_ca_cert returned
Jan 4 10:32:40.673: CRYPTO_PKI: Unable to read CA/RA certificates.
Jan 4 10:32:40.673: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Jan 4 10:32:40.673: CRYPTO_PKI: transaction GetCACert completed
At first I thought it was a problem with the signature algorithm on the certs, which was wrong, so I rebuilt everything and now it's right (sha1).
I've tried from multiple devices (switches, routers, firewalls etc.).
Still it will not work.
If I log a TAC call to Cisco they will just blame Microsoft and say my config is fine (which I can't argue with because it's the same config I used on the test bench!)
Help
01-08-2015 07:37 AM
After much sweating I know what the problem is: it's the signature algorithm on the CA certs. I will get it all documented and post the fix :)
Pete
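The reply above narrows the failure to the signature algorithm on the CA/RA certificates. As an added example that is not from this thread, the Python script below parses a saved GetCACert response body (the application/x-x509-ca-ra-cert PKCS#7 blob the debug shows) and lists each certificate's signature algorithm against an assumed device-supported set, so the mismatch can be seen on the CA side without a device debug. The SIG_ALGS table, the DEVICE_SUPPORTED set and the SAMPLE_GETCACERT blob are all constructed for the example; only the outer Certificate structure of the stub certificates is realistic.

```python
# Added example (not from the thread): list the signature algorithm of each certificate in a SCEP GetCACert PKCS#7 blob.
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.10": "RSASSA-PSS",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
DEVICE_SUPPORTED = {"1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"}  # assumption; take the real list from the platform docs
def der_read(buf, pos):                     # one DER TLV at pos -> (tag, value bytes, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                            # long-form length (the 7946-byte body above uses 0x82)
        k, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + n], pos + n
def children(body):                         # all TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos); out.append((tag, val))
    return out
def decode_oid(raw):                        # base-128 OBJECT IDENTIFIER -> dotted string
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))
def is_certificate(kids):  # Certificate ::= SEQUENCE { tbsCertificate SEQ, signatureAlgorithm SEQ{OID,..}, signatureValue BIT STRING }
    if [k[0] for k in kids] != [0x30, 0x30, 0x03]: return False
    alg = children(kids[1][1])
    return bool(alg) and alg[0][0] == 0x06
def check_ca_ra_certs(blob, supported=DEVICE_SUPPORTED):
    """Return [(oid, name, supported_by_device)] for every certificate found in the PKCS#7 blob."""
    found = []
    def walk(tag, val):
        if not tag & 0x20: return           # primitive element: nothing to descend into
        kids = children(val)
        if is_certificate(kids):
            oid = decode_oid(children(kids[1][1])[0][1])
            found.append((oid, SIG_ALGS.get(oid, "unknown"), oid in supported))
        else:                               # tbsCertificate repeats the AlgorithmIdentifier, so only recurse into non-certificates
            for t, v in kids: walk(t, v)
    walk(*der_read(blob, 0)[:2])
    return found

# Constructed sample: SignedData holding two stub certificates (sha1WithRSA and RSASSA-PSS) with minimal tbsCertificates.
def tlv(tag, body):
    n = len(body)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82, n >> 8, n & 0xFF])) + body
def stub_cert(sig_oid_hex):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")) + alg + tlv(0x03, b"\x00\xde\xad\xbe\xef"))
SIGNED = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
         + tlv(0xA0, stub_cert("2a864886f70d010105") + stub_cert("2a864886f70d01010a")) + tlv(0x31, b""))
SAMPLE_GETCACERT = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, SIGNED))
```

Against a real NDES server, save the body returned by the GetCACert request shown in the debug to a file and pass its bytes to check_ca_ra_certs(); any entry reported as not supported is a candidate for the 0x722 failure.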
01-08-2015 02:52 PM