03-23-2010 02:37 PM
Hello,
I have the following issue.
I have a site-to-site vpn working right now with pre-shared keys. I want to do it now by using certificates.
I have a Microsoft Windows Server 2008 Enterprise and have the CA already installed and everything configured at the server (I think...)
When I go to the ASA and try to get the certificate from the CA via the SCP and this link: http://x.x.x.x/certsrv/mscep/mscep.dll
I get the following error:
Error in receiving certificate from the Certificate Authority.
I can get to the server fine from the ASA and pings work just fine...
Please help! Thanks!
03-23-2010 02:55 PM
You may want to check to see if an enrollment password is required. The default installation of Server 2008 NDES will default to requiring an OTP for each enrollment request. The URL to access this interface is usually http://[Server IP]/CertSrv/mscep_admin. You will then include the SCEP Challenge Password when defining and enrolling the trustpoint.
03-23-2010 02:58 PM
Ok you are right.
I am accessing the ASA via the ASDM. On the host that I am using to connect to the ASDM I opened up a web browser and I am able to go to the link:
http://ccie-dc/CertSrv/mscep_admin
and get the:
Now that I have this info where do I put this on to?
03-24-2010 07:13 AM
In ASDM 6.x, you will enter the challenge password during the initial configuration of the trustpoint. Go to Configuration->Remote Access VPN->Certificate Management->Identity Certificates. Click Add to configure a new trustpoint and select the "Add a new identity certificate" option. Under advanced, there will be three tabs. The "Enrollment Mode" tab is where you enter the SCEP URL and the "SCEP Challenge Password" tab is where you enter the OTP.
03-25-2010 04:32 PM
OK - forget the Windows 2008 server... I am not using that anymore...
I took an IOS router and configured it to be the CA server which works just fine. I was able to get the CA certs and have 2 ASAs enroll with it and was able to get the site to site up and running with certificates!
Now I am trying to do the same thing but via a Remote access VPN.
The problem that I have is that I have no idea how to get the CA certificate from the client PC where the VPN client is installed. Any ideas?
Here is the config:
ip domain name ccielab.com
!
crypto pki server cakey
issuer-name CN=caserver.com L=TST C=US
lifetime crl 24
lifetime certificate 200
lifetime ca-certificate 365
cdp-url http://51.88.99.100/cisco1cdp.cisco1.crl
!
crypto pki trustpoint cakey
revocation-check crl
rsakeypair cakey
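As an added example (not from this thread, and not Cisco's own documentation), here are the CLI steps that match the procedure above: verifying and exporting the CA certificate on the IOS CA so a VPN client PC can import it, and enrolling an ASA against that CA over SCEP. The router's address 51.88.99.100 is taken from the cdp-url in the posted config and assumed to be the CA; the hostname, key label, subject name and trustpoint name IOS-CA are placeholders. The exact `crypto pki export` syntax should be checked against the IOS version in use.

```cisco
! --- On the IOS CA router (trustpoint/server name "cakey" as on the page) ---
! SCEP on the IOS CA is served over HTTP, so the web server must be on.
ip http server
!
! Display the CA certificate fingerprint. Anyone importing the CA cert on a
! client PC, and every ASA that enrolls, should compare against this value
! through a channel other than the SCEP URL itself.
show crypto pki server
!
! Export the CA certificate in PEM so it can be pasted into a .cer/.pem file
! and imported into the VPN client's certificate store (assumption: this
! form prints the certificate to the terminal without the private key).
crypto pki export cakey pem terminal
!
! Leave the CA at its manual-grant default so each request is reviewed;
! list pending requests and grant them by request id (id 1 is illustrative).
crypto pki server cakey info requests
crypto pki server cakey grant 1

! --- On each ASA, enrolling against that CA over SCEP ---
hostname asa1
domain-name ccielab.com
crypto key generate rsa label ASA1-KEY modulus 2048
crypto ca trustpoint IOS-CA
 enrollment url http://51.88.99.100:80
 subject-name CN=asa1.ccielab.com
 keypair ASA1-KEY
 revocation-check crl
! Fetch the CA certificate over SCEP. The ASA prints its fingerprint and asks
! for confirmation; answer yes only if it matches "show crypto pki server".
crypto ca authenticate IOS-CA
! Send the certificate request. The ASA prompts for a challenge password
! (required by an NDES/mscep CA as discussed earlier); with the IOS CA at
! manual grant the request waits until it is granted on the router.
crypto ca enroll IOS-CA
```

For the open question about the client PC: a browser on that PC can retrieve the CA certificate directly from the router's standard SCEP GetCACert URL, http://51.88.99.100/cgi-bin/pkiclient.exe?operation=GetCACert&message=cakey, but because that is plain HTTP the fingerprint of whatever is downloaded still has to be compared with the output of `show crypto pki server` before the certificate is imported as trusted.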
03-26-2010 10:14 AM
Hello... any ideas, someone?