11-27-2010 09:03 AM
Hi all,
We have installed a new MS root CA and issuing CA (Windows Server 2008 R2 Enterprise) in a test environment. When I tried to get the CA certificate from some Cisco devices (router 1800, ASA 5510, 5520), it failed. It is the same situation with the "enrollment url" or "enrollment terminal" command:
Router:
PKI-test(config)#crypto ca authenticate NIS_CA
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
PKI-test(config)#
Nov 23 16:17:01.764: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=NIS_CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: xxxxxx
Nov 23 16:17:01.768: CRYPTO_PKI: locked trustpoint NIS_CA, refcount is 1
Nov 23 16:17:01.768: CRYPTO_PKI: http connection opened
Nov 23 16:17:01.768: CRYPTO_PKI: Sending HTTP message
Nov 23 16:17:01.768: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: xxxxxxx
Nov 23 16:17:01.772: CRYPTO_PKI: unlocked trustpoint NIS_CA, refcount is 0
Nov 23 16:17:01.772: CRYPTO_PKI: locked trustpoint NIS_CA, refcount is 1
Nov 23 16:17:01.776: CRYPTO_PKI: unlocked trustpoint NIS_CA, refcount is 0
Nov 23 16:17:01.776: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 5810
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 23 Nov 2010 16:17:01 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
Nov 23 16:17:01.776: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=NIS_CA)
Nov 23 16:17:01.788: The PKCS #7 message contains 4 certificates.
Nov 23 16:17:01.792: CRYPTO_PKI: status = 0x712(E_ATTRIBUTE_VALUE_LEN : attribute value length is invalid (%n0)): crypto_pkcs7_extract_ca_cert returned
Nov 23 16:17:01.792: CRYPTO_PKI: Unable to read CA/RA certificates.
Nov 23 16:17:01.792: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Nov 23 16:17:01.792: CRYPTO_PKI: transaction GetCACert completed
ASA:
ASA(config)# crypto ca authenticate QLABCA
CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Length: 5810
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 27 Nov 2010 16:57:43 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=QLABCA)
crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0
Is it possible that Cisco devices don't support a CA root public key length of 4096 and a subordinate CA of 2048?
Or does anybody have another idea?
Thanks in advance ...
11-27-2010 02:41 PM
IOS routers do support a CA root public key length of 4096 and a subordinate CA of 2048 in the later 12.4T IOS versions.
Which IOS are you currently running?
11-28-2010 02:32 AM
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Cisco Adaptive Security Appliance Software Version 8.2(3)
11-28-2010 04:04 AM
Have you tried it manually instead of automatic enrollment?
11-28-2010 04:22 AM
Yes, I tried with "enrollment terminal" on the ASA but I got the same error, status=FAIL. I think I didn't try manual enrollment on the router, but I will as soon as possible.
11-28-2010 06:33 AM
Same situation/error when I tried to paste the CA certificate chain manually.
Unfortunately I couldn't get any debug messages with manual authentication.
PKI-test(config)#crypto ca authenticate NIS_CA
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIMXgYJKoZIhvcNAQcCoIIMTzCCDEsCAQExADALBgkqhkiG9w0BBwGgggwzMIIG
ojCCBIqgAwIBAgIKYUsTugAAAAAAAjANBgkqhkiG9w0BAQs
.....
+aK+bNl2yX9KBldhBd+vChcnUqabSRnfWfuo/6JXjm+67JY3xn0CwHwoId520D5P
ibN/+oqT68Vm3IbMsfQuQMn7YevCyPQyxeIj6f3nRLg+JNeqylKNVgAdL7tOXEPZ
MQA=
-----END CERTIFICATE-----
quit
% Error in saving certificate: status = FAIL
11-30-2010 12:29 AM
Could the Cisco devices have a problem because our test CA certificate uses the signature algorithm sha256RSA?
11-30-2010 07:03 AM
Yes, this could be the issue. ASA doesn't support SHA2 as of yet.
--Jason
11-30-2010 11:39 AM
Thank you both, Jennifer and Jason; I think we found the cause of the error.
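A check a PKI admin can run against the GetCACert response before pointing older IOS/ASA devices at a new CA, added here as an example and not code from the thread: it splits the application/x-x509-ca-ra-cert PKCS#7 bundle with openssl and flags every certificate whose signature uses SHA-2 or whose RSA key exceeds a size limit, the two causes discussed above. Assumes the openssl CLI; the input path and the bit limit are parameters of my choosing.

```shell
#!/bin/sh
# check_ca_chain <pkcs7-der-file> [max-key-bits]
# Inspect a SCEP GetCACert reply (a degenerate PKCS#7 carrying the CA/RA
# chain, saved to disk) and print one line per certificate:
#   <subject>|<signature algorithm>|<key bits>|OK or WARN: <reason>
# Returns 1 if any certificate is flagged, 0 if all pass, 2 on parse error.
# Limits are assumptions matching the thread: SHA-2 signatures and keys
# above 2048 bits are what ASA 8.2 / IOS 12.4(15)T could not handle.
check_ca_chain() {
    p7="$1"; maxbits="${2:-2048}"; rc=0
    tmp=$(mktemp -d) || return 2
    # Unwrap the PKCS#7 into a PEM file holding every embedded certificate.
    openssl pkcs7 -inform DER -in "$p7" -print_certs -out "$tmp/chain.pem" \
        || { rm -rf "$tmp"; return 2; }
    # Split the PEM file into one file per certificate (cert1.pem, cert2.pem, ...).
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/cert" n ".pem"}
                     f{print > f}
                     /-----END CERTIFICATE-----/{close(f); f=""}' "$tmp/chain.pem"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        txt=$(openssl x509 -in "$c" -noout -text)
        # First "Signature Algorithm:" line is the one in the TBS certificate.
        sig=$(printf '%s\n' "$txt" | awk '/Signature Algorithm:/{print $3; exit}')
        # "Public-Key: (4096 bit)" (OpenSSL 3) or "RSA Public-Key: (4096 bit)" (1.1).
        bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        reason=""
        case "$sig" in *sha256*|*sha384*|*sha512*) reason="SHA-2 signature";; esac
        if [ -n "$bits" ] && [ "$bits" -gt "$maxbits" ]; then
            reason="${reason:+$reason; }key ${bits} bits > ${maxbits}"
        fi
        if [ -n "$reason" ]; then
            printf '%s|%s|%s|WARN: %s\n' "$subj" "$sig" "$bits" "$reason"; rc=1
        else
            printf '%s|%s|%s|OK\n' "$subj" "$sig" "$bits"
        fi
    done
    rm -rf "$tmp"
    return $rc
}
```

Save the CA's reply (for example with curl against the GetCACert URL from the debug output above) and run check_ca_chain on the file; any WARN line names a certificate the older devices will reject.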