CA Server Problem

atiye.bigdeli
Level 1

Hi Friends

I want to use Microsoft CA Server for the authentication process in IPsec, but when I configure the router and try to authenticate the router I receive the following error log.

My config in the router:

crypto pki trustpoint RootCA
enrollment mode ra
enrollment url http://172.18.19.12:80/certsrv/mscep/mscep.dll
password 7 1547532D550809757E6A11724A5E46202416
revocation-check none

-----------------------------

Router-B(config)#crypto pki authenticate RootCA


% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

Router-B(config)#
Jul 11 11:37:15.031: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=RootCA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 172.18.19.12


Jul 11 11:37:15.031: CRYPTO_PKI: locked trustpoint RootCA, refcount is 1
Jul 11 11:37:15.035: CRYPTO_PKI: http connection opened
Jul 11 11:37:15.035: CRYPTO_PKI: Sending HTTP message

Jul 11 11:37:15.035: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 172.18.19.12


Jul 11 11:37:15.035: CRYPTO_PKI: unlocked trustpoint RootCA, refcount is 0
Jul 11 11:37:15.035: CRYPTO_PKI: locked trustpoint RootCA, refcount is 1
Jul 11 11:37:15.035: CRYPTO_PKI: unlocked trustpoint RootCA, refcount is 0
Jul 11 11:37:15.035: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Wed, 11 Jul 2018 11:38:08 GMT
Connection: close
Content-Length: 2703

Content-Type indicates we have received CA and RA certificates.

Jul 11 11:37:15.035: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=RootCA)

Jul 11 11:37:15.039: CRYPTO_PKI: status = 0x703(E_DATA : generic data error): crypto_certc_pkcs7_extract_certs_and_crls failed
Jul 11 11:37:15.039: CRYPTO_PKI: status = 0x703(E_DATA : generic data error): crypto_pkcs7_extract_ca_cert returned
Jul 11 11:37:15.039: CRYPTO_PKI: Unable to read CA/RA certificates.
Jul 11 11:37:15.039: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Jul 11 11:37:15.039: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed

What should I do?

best regards

11 Replies

Dennis Mink
VIP Alumni

If you do sh cry pki cert, have you actually got certs at all? The error message seems inconclusive.


Hi

I don't have any certificate in my router.

Is NDES role actually installed on the Windows CA or another Windows server and setup?

If yes, what are the errors in the Windows logs or under the "Certificate Authority" mmc under the Failed Requests section?

From previous experience, I encountered issues when the minimum size of the public key did not meet the minimum size specified on the certificate template. To rectify that, I created a keypair with the correct size and referenced that in the Trustpoint. E.g.:

crypto key zeroize rsa
crypto key generate rsa modulus 2048 label VPN_KEY

crypto pki trustpoint RootCA
rsakeypair VPN_KEY

HTH

Hi

Thank you for your reply.

Yes, the NDES role is installed on the Windows CA. As you said, I checked the CA log in the mmc console; there is no log in "Failed Request".

I tried a 1024-bit RSA key size and I still receive the error.

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

Are there any logs at all on the server?

The screenshot below is the mmc console I was referring to; it would display issued or failed requests. This would help to indicate where the issue is.

[screenshot: ca.PNG]

If there is nothing in the logs, then is the request even reaching the server?

Hi, I don't find any log in my CA Server.

I think the CA server has connectivity with the router, because the log says the certificate is received but it can't extract and read it.

crypto pki authenticate RootCA

Content-Type indicates we have received CA and RA certificates.

Jul 14 11:02:30.433: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=RootCA)

Jul 14 11:02:30.445: CRYPTO_PKI: status = 0x703(E_DATA : generic data error): crypto_certc_pkcs7_extract_certs_and_crls failed
Jul 14 11:02:30.445: CRYPTO_PKI: status = 0x703(E_DATA : generic data error): crypto_pkcs7_extract_ca_cert returned
Jul 14 11:02:30.445: CRYPTO_PKI: Unable to read CA/RA certificates.
09:04:29: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Jul 14 11:02:30.449: CRYPTO_PKI: transaction GetCACert completed

Ok, so it looks like the Cisco device cannot read the certificates in use on your Windows server. What signature algorithm are you using on your root certificates?

This link may be related and provide some help.

HTH
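The two logs in this thread show the same thing: IIS answers the GetCACert request with Content-Type application/x-x509-ca-ra-cert and a 2703-byte body, and the IOS PKCS#7 parser then fails with E_DATA. The question that follows (what signature algorithm is on the root) is one of several things you can read straight off the bytes. The script below is an added example, not code from Cisco, Microsoft or anyone in this thread; it assumes you have saved the response body from the same URL the router requests (for instance with curl from a workstation that can reach the NDES server) and it classifies that body as a DER PKCS#7 signedData carrying certificates, PEM text, an HTML error page, or a truncated or otherwise malformed blob. For the PKCS#7 case it lists the signatureAlgorithm of each embedded certificate. The sample bodies at the bottom are constructed for the demonstration; the skeleton certificates are structurally valid but not usable certificates.

```python
"""Classify the body of a SCEP GetCACert reply (added diagnostic example)."""
import re

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
SIG_ALG_NAMES = {  # a few common signatureAlgorithm OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    A ValueError here is exactly how a truncated or non-DER body shows up."""
    if pos + 2 > len(buf):
        raise ValueError("short read at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: 0x8N followed by N length octets
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("value runs past end of data (truncated body?)")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child


def decode_oid(value):
    """OID content octets -> dotted-decimal string."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def cert_signature_algorithm(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    parts = list(children(cert))
    if len(parts) != 3 or parts[1][0] != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    alg_tag, alg_oid = next(children(parts[1][1]))
    if alg_tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    return decode_oid(alg_oid)


def classify_getcacert_body(body):
    """Say what a GetCACert response body really contains; never raises."""
    if body.lstrip().startswith(b"-----BEGIN"):
        return {"kind": "pem", "detail": "PEM text; IOS expects DER PKCS#7 here"}
    if re.match(rb"\s*<(!doctype|html)", body, re.I):
        return {"kind": "html", "detail": "HTML page, not a certificate bundle"}
    try:
        tag, content_info, end = read_tlv(body, 0)
        if tag != 0x30:
            return {"kind": "unknown", "detail": "does not start with a DER SEQUENCE"}
        if end != len(body):
            return {"kind": "der-trailing", "detail": "%d bytes after outer SEQUENCE" % (len(body) - end)}
        parts = list(children(content_info))
        if len(parts) != 2 or parts[0][0] != 0x06 or decode_oid(parts[0][1]) != OID_SIGNED_DATA:
            return {"kind": "der-other", "detail": "DER, but not PKCS#7 signedData"}
        signed_data = next(children(parts[1][1]))[1]  # [0] EXPLICIT -> SignedData SEQUENCE
        algs = []
        for tag, value in children(signed_data):
            if tag == 0xA0:  # [0] IMPLICIT certificates
                for ctag, cert in children(value):
                    if ctag == 0x30:
                        oid = cert_signature_algorithm(cert)
                        algs.append(SIG_ALG_NAMES.get(oid, oid))
        return {"kind": "pkcs7", "detail": "%d certificate(s)" % len(algs),
                "signature_algorithms": algs}
    except ValueError as exc:
        return {"kind": "malformed", "detail": str(exc)}


# --- constructed sample bodies; the encoders exist only to build them ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return der(0x06, out)


def skeleton_cert(sig_oid):
    """Structurally a Certificate with empty tbs and signature (constructed, not usable)."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))


def pkcs7_cert_bundle(certs):
    """Degenerate signedData carrying only certificates, the shape GetCACert returns."""
    sd = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, encode_oid(OID_PKCS7_DATA))
             + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return der(0x30, encode_oid(OID_SIGNED_DATA) + der(0xA0, sd))


SAMPLE_OK = pkcs7_cert_bundle([skeleton_cert("1.2.840.113549.1.1.5"),
                               skeleton_cert("1.2.840.113549.1.1.11")])
SAMPLE_TRUNCATED = SAMPLE_OK[:-7]
SAMPLE_HTML = b"<!DOCTYPE html><html><body><h1>Server Error</h1></body></html>"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n(base64 omitted)\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_TRUNCATED", "SAMPLE_HTML", "SAMPLE_PEM"):
        print(name, classify_getcacert_body(globals()[name]))
```

Run it on the saved body instead of the samples (`classify_getcacert_body(open("body.bin", "rb").read())`); a "malformed" or "html" verdict on a body that IIS labelled application/x-x509-ca-ra-cert points at the server side (NDES configuration or an error page) rather than at the router's trustpoint, while a "pkcs7" verdict with the certificate list tells you which CA/RA certificates and signature algorithms the router is actually being handed.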

Hi

The signature algorithm I am using is sha1

Is that screenshot of a certificate the root certificate?...because from your screenshot it looks like it is - Request ID #3, which is an Exchange Enrollment certificate that won't work for IPSec. Besides that you are attempting to authenticate and retrieve the Root Certificate, which is what we need to validate.

Is there anything in the Windows Event logs related to certificates when you attempt to authenticate?

What certificate template have you configured NDES to use?

Hi, thank you for your help and reply. Based on your post, I lost some configuration in the CA server. I configured the CA server and router according to some training video, but it seems that this video was incomplete. Can you help me and give me a link that has the whole configuration of the CA server? Thank you so much.

Best regards

Hi,

This post describes how to configure certificate enrollment on Cisco IOS via SCEP or manually. And this post might also be helpful.

HTH