Cisco ASA Certificate Enrollment for Cisco IOS Router

peraocompany
Level 1

Hello everyone. Maybe someone knows the answer?

I need to use WebVPN with certificate authentication on the router.

I do not want to use Microsoft CA!

Can I replace the Microsoft CA with a Cisco ASA (it has a local CA)?

I tried adding this configuration:

crypto pki trustpoint CA
 enrollment mode ra
 enrollment url https://192.168.1.5/+CSCOCA+/enroll.html
 serial-number
 revocation-check none

Then I try to authenticate and get this error:

dsec(config)#crypto pki authenticate CA
% Error: failed to open file.

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

2 Replies

Dinesh Moudgil
Cisco Employee

Make sure both devices are in time sync and there is no connectivity issue between the router and the ASA acting as CA server.

Can you try to use
enrollment url http://192.168.1.5:80
and see if that helps.

If not, then run the following debugs to check why retrieval of CA certificate is failing:

debug crypto pki server
debug crypto pki transactions
debug crypto pki messages

Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello Dinesh.

Thank you for your answer.

I updated the config, but it did not help.

002115: Jul 3 18:03:52: CRYPTO_PKI: Sending CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetCACert&message=CA HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.170.1


002116: Jul 3 18:03:52: CRYPTO_PKI: locked trustpoint CA, refcount is 1
002117: Jul 3 18:03:52: CRYPTO_PKI: http connection opened
002118: Jul 3 18:03:52: CRYPTO_PKI: Sending HTTP message

002119: Jul 3 18:03:52: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.170.1


002120: Jul 3 18:04:07: CRYPTO_PKI: Retry 1
002121: Jul 3 18:04:22: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
002122: Jul 3 18:04:22: CRYPTO_PKI: unlocked trustpoint CA, refcount is 0
002123: Jul 3 18:04:22: CRYPTO_PKI: status = 65535: failed to send out the pki message
002124: Jul 3 18:04:22: CRYPTO_PKI: transaction GetCACert completed

On the ASA I see:

6 Jul 03 2017 18:02:17 302013 192.168.20.1 37558 192.168.170.1 80 Built inbound TCP connection 3274 for outside:192.168.20.1/37558 (192.168.20.1/37558) to identity:192.168.170.1/80 (192.168.170.1/80)
6 Jul 03 2017 18:02:47 302014 192.168.20.1 37558 192.168.170.1 80 Teardown TCP connection 3274 for outside:192.168.20.1/37558 to identity:192.168.170.1/80 duration 0:00:30 bytes 0 SYN Timeout
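The two pieces of output in this thread (the router's `CRYPTO_PKI` debug and the ASA's 302013/302014 syslog lines) tell the same story from both ends, and the useful check is to read them together: the router sends a SCEP `GetCACert` to `/cgi-bin/pkiclient.exe` on TCP/80, the ASA logs the SYN arriving for its own `identity` address, and 30 seconds later tears the flow down with `bytes 0 SYN Timeout`, i.e. the three-way handshake never completed and no HTTP request was ever delivered, which is why the router ends with `%PKI-3-SOCKETSEND` rather than a bad certificate. The following Python script is an added example written for this page, not something posted in the thread; it uses the ASA and router lines above as constructed sample input, pairs the ASA built/teardown lines by connection id, classifies the teardown reason using the standard ASA syslog meanings (`SYN Timeout`, `TCP FINs`, `TCP Reset-I/O`), and returns a transport-versus-PKI verdict. The field names and verdict strings are the author's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two ASA syslog lines posted in the thread,
# reproduced so the script runs offline.
ASA_LOG = """\
6 Jul 03 2017 18:02:17 302013 192.168.20.1 37558 192.168.170.1 80 Built inbound TCP connection 3274 for outside:192.168.20.1/37558 (192.168.20.1/37558) to identity:192.168.170.1/80 (192.168.170.1/80)
6 Jul 03 2017 18:02:47 302014 192.168.20.1 37558 192.168.170.1 80 Teardown TCP connection 3274 for outside:192.168.20.1/37558 to identity:192.168.170.1/80 duration 0:00:30 bytes 0 SYN Timeout
"""

# Constructed sample input: the decisive lines of the router's debug output.
IOS_DEBUG = """\
002115: Jul 3 18:03:52: CRYPTO_PKI: Sending CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetCACert&message=CA HTTP/1.0
002121: Jul 3 18:04:22: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
002123: Jul 3 18:04:22: CRYPTO_PKI: status = 65535: failed to send out the pki message
"""

BUILT_RE = re.compile(
    r"302013 .*?Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<src>\S+) \(\S+\) to (?P<dst>\S+) \(\S+\)")
TEARDOWN_RE = re.compile(
    r"302014 .*?Teardown TCP connection (?P<conn>\d+) for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration (?P<duration>\S+) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$")
# The SCEP request line exactly as the router logs it.
SCEP_REQ_RE = re.compile(
    r"^GET (?P<path>\S+)\?operation=(?P<op>\w+)&message=(?P<msg>\S+) HTTP/1\.0$")


@dataclass
class Flow:
    conn: str
    src: str
    dst: str
    direction: Optional[str] = None
    duration: Optional[str] = None
    nbytes: Optional[int] = None
    reason: Optional[str] = None

    @property
    def verdict(self) -> str:
        """Translate the ASA teardown reason into what happened at the TCP layer."""
        if self.reason is None:
            return "no teardown logged"
        if self.reason == "SYN Timeout":
            # 302013 is logged when the ASA sees the SYN; SYN Timeout means the
            # three-way handshake never completed, so no HTTP request was delivered.
            return ("handshake never completed; check return routing, interface ACLs "
                    "and that the ASA service is listening on that interface")
        if self.reason == "TCP FINs":
            return "normal close after data exchange"
        if self.reason.startswith("TCP Reset"):
            return "reset by peer (%s)" % self.reason
        return "other teardown reason: %s" % self.reason


def correlate_asa(log: str) -> List[Flow]:
    """Pair 302013 (built) and 302014 (teardown) lines by ASA connection id."""
    flows: Dict[str, Flow] = {}
    for line in log.splitlines():
        m = BUILT_RE.search(line)
        if m:
            flows[m["conn"]] = Flow(m["conn"], m["src"], m["dst"], m["direction"])
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            f = flows.setdefault(m["conn"], Flow(m["conn"], m["src"], m["dst"]))
            f.duration, f.nbytes, f.reason = m["duration"], int(m["nbytes"]), m["reason"]
    return list(flows.values())


def parse_ios_debug(debug: str) -> dict:
    """Pull the SCEP operation the router attempted and whether the socket send failed."""
    out = {"operation": None, "path": None, "message": None, "socket_error": False}
    for line in debug.splitlines():
        m = SCEP_REQ_RE.match(line.strip())
        if m:
            out["operation"], out["path"], out["message"] = m["op"], m["path"], m["msg"]
        if "%PKI-3-SOCKETSEND" in line:
            out["socket_error"] = True
    return out


def diagnose(asa_log: str, ios_debug: str) -> str:
    """Decide whether the enrollment failure is a transport problem or a PKI problem."""
    dbg = parse_ios_debug(ios_debug)
    stalled = [f for f in correlate_asa(asa_log)
               if f.reason == "SYN Timeout" and f.nbytes == 0]
    if dbg["socket_error"] and stalled:
        f = stalled[0]
        return ("transport: %s never completed the TCP handshake to %s, so the %s request "
                "was never delivered; fix reachability before looking at certificates"
                % (f.src, f.dst, dbg["operation"]))
    if dbg["socket_error"]:
        return "transport: router could not send, but the ASA logged no matching stalled flow"
    return "no transport failure found; inspect the HTTP reply with debug crypto pki messages"


if __name__ == "__main__":
    for flow in correlate_asa(ASA_LOG):
        print(flow.conn, flow.dst, flow.reason, "->", flow.verdict)
    print(diagnose(ASA_LOG, IOS_DEBUG))
```

The script keys on the ASA connection id and addresses rather than on timestamps, because the posted outputs show the router and ASA clocks about a minute and a half apart (18:03:52 versus 18:02:17), which is the time-sync point raised in the reply. To reproduce the router's request by hand from a host on the same segment, `curl -v 'http://192.168.170.1/cgi-bin/pkiclient.exe?operation=GetCACert&message=CA'` sends the same GET the debug shows and separates "cannot connect" (what this thread shows) from "connected but the CA returned the wrong thing".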