06-30-2014 10:12 PM
I've got a simple lab for testing PKI:
198.0.0.1 - server
ip http server
ip http port 8080
ntp master 1
crypto key generate rsa general-keys label MAIN-CA modulus 1024 exportable
crypto pki server MAIN-CA
 database url nvram:
 issuer-name CN=MAIN-CA.lab.local L=BLG C=RU
 lifetime ca-certificate 365
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://198.0.0.1:8080/main-ca.cdp.main-ca.crl
 no shutdown
198.0.0.2 and 3 - clients (I want an encrypted tunnel between them)
ntp server 198.0.0.1
crypto key generate rsa general-keys label CLIENT-CA modulus 1024
crypto ca trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto ca authenticate CLIENT-CA
crypto ca enroll CLIENT-CA
crypto isakmp policy 1
 encr aes
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile CRYPTO-PROFILE
 set transform-set AES256-SHA
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 198.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTO-PROFILE
Then I do
crypto pki server MAIN-CA grant 1
crypto pki server MAIN-CA grant 2
And everything is fine when the clients are like this:
crypto ca trustpoint CLIENT-CA
 revocation-check none
But when I do
revocation-check crl
I get these messages (debug crypto pki transactions):
Jul 1 14:33:40.280: CRYPTO_PKI: Trust-Point CLIENT-CA picked up
Jul 1 14:33:40.280: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 1 14:33:40.280: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 1 14:33:40.280: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 1 14:33:40.468: CRYPTO_PKI: Found a issuer match
Jul 1 14:33:40.480: CRYPTO_PKI: Retreive CRL using HTTP URI
Jul 1 14:33:40.480: CRYPTO_PKI: status = 0: poll CRL
Jul 1 14:33:40.484: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 1 14:33:40.484: CRYPTO_PKI: can not resolve server name/IP address
Jul 1 14:33:40.484: CRYPTO_PKI: Using unresolved IP Address 198.0.0.1
Jul 1 14:33:40.512: CRYPTO_PKI: http connection opened
Jul 1 14:33:40.516: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 1 14:33:40.516: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 1 14:33:40.584: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 1 14:33:40.584: CRYPTO_PKI: HTTP response header:
HTTP/1.1 404 Not Found
Date: Tue, 01 Jul 2014 14:33:40 GMT
Server: cisco-IOS
Accept-Ranges: none

Jul 1 14:33:40.588: E ../cert-c/source/crlobj.c(384) : Error #705h
Jul 1 14:33:40.592: CRYPTO_PKI: status = 1797: failed to set crl ber
Jul 1 14:33:40.592: CRYPTO_PKI: transaction Unknown completed
Jul 1 14:33:40.592: CRYPTO_PKI: Poll CRL callback
Jul 1 14:33:40.592: CRYPTO_PKI: Blocking chain verification callback received status: 105
Jul 1 14:33:40.596: CRYPTO_PKI: Certificate not validated
Jul 1 14:33:40.600: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 198.0.0.2 is bad: certificate invalid
So... what's wrong?
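Added example (editor's code, not from this thread or from Cisco): a Go program that walks through what the client is doing when the trustpoint says revocation-check crl, using only the standard-library crypto/x509 package (Go 1.19 or newer) and a constructed lab in place of the routers. It builds a CA standing in for MAIN-CA, issues a router certificate with serial 2 whose CRL Distribution Points extension carries a CDP URL, has the CA sign a CRL with a 24-hour Next Update (the lifetime crl 24 above), and runs the check against a stand-in for ip http server that answers 404 for any URL other than the one it publishes. The CDP URL http://198.0.0.1:8080/main-ca.crl, the P-256 keys in place of 1024-bit RSA, and every function name are assumptions of the example. It runs the four cases that matter here: CRL reachable and peer not revoked; CRL reachable and serial 2 revoked; CRL published somewhere other than the URL inside the certificate, which is the 404 in the debug above and which revocation-check crl turns into "certificate invalid" while revocation-check none never looks; and a CRL whose Next Update has already passed, which is what a client with a wrong clock (the ntp lines in both configs) or a stale copy would see.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the client-side CRL check result; under "revocation-check crl" anything but Good is "certificate invalid".
type Status int

const (
	Good           Status = iota
	Revoked               // peer serial is on a current, issuer-signed CRL
	CRLUnavailable        // every CDP fetch failed (the thread's HTTP 404)
	CRLInvalid            // CRL unparsable, not signed by the issuer, or outside ThisUpdate..NextUpdate
)

func (s Status) String() string { return [...]string{"Good", "Revoked", "CRLUnavailable", "CRLInvalid"}[s] }

// CheckCRL does what "revocation-check crl" asks of the client: read the CDP URL(s) from the peer certificate,
// fetch a CRL (fetch stands in for the HTTP client: url -> body, status), verify the issuer's signature on it,
// check that it is current, then look the peer's serial up in it. No step falls back to "accept" on failure.
func CheckCRL(peer, issuer *x509.Certificate, fetch func(string) ([]byte, int), now time.Time) (Status, error) {
	lastErr := errors.New("peer certificate carries no CRL distribution point")
	for _, cdp := range peer.CRLDistributionPoints {
		body, code := fetch(cdp)
		if code != 200 {
			lastErr = fmt.Errorf("GET %s: HTTP %d", cdp, code)
			continue // a certificate may list several CDPs; try the next one
		}
		crl, err := x509.ParseRevocationList(body)
		if err == nil {
			err = crl.CheckSignatureFrom(issuer) // the CRL must come from the CA that issued the peer cert
		}
		if err != nil {
			return CRLInvalid, fmt.Errorf("%s: %w", cdp, err)
		}
		if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
			return CRLInvalid, fmt.Errorf("%s: CRL valid %v..%v, client clock %v", cdp, crl.ThisUpdate, crl.NextUpdate, now.UTC())
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
				return Revoked, nil
			}
		}
		return Good, nil
	}
	return CRLUnavailable, lastErr
}

// Accept applies the trustpoint policy: "crl" fails closed; "none" (the thread's working config) never looks.
func Accept(policy string, st Status) bool { return policy == "none" || (policy == "crl" && st == Good) }

func must[T any](v T, err error) T { // lab helper: abort on setup errors
	if err != nil {
		panic(err)
	}
	return v
}

// Lab is a constructed stand-in for the thread's setup: CA MAIN-CA plus one enrolled router certificate
// (serial 2) whose CDP extension points at the CA's HTTP server. P-256 keys replace the thread's 1024-bit
// RSA for speed, and CDPURL is an assumption of this example, not the thread's cdp-url.
type Lab struct {
	CA, Peer *x509.Certificate
	caKey    *ecdsa.PrivateKey
	CDPURL   string
}

func NewLab(now time.Time) *Lab {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	peerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	year := 365 * 24 * time.Hour // lifetime ca-certificate 365 / lifetime certificate 365
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(year),
		Subject: pkix.Name{CommonName: "MAIN-CA.lab.local", Locality: []string{"BLG"}, Country: []string{"RU"}},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	// re-parse after signing so SubjectKeyId and the raw fields CheckSignatureFrom relies on are populated
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	cdp := "http://198.0.0.1:8080/main-ca.crl"
	peerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Minute), NotAfter: now.Add(year),
		Subject: pkix.Name{CommonName: "client.lab.local"}, KeyUsage: x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{cdp}} // serial=2, as in the enrollment debug
	peer := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, peerTmpl, ca, &peerKey.PublicKey, caKey))))
	return &Lab{CA: ca, Peer: peer, caKey: caKey, CDPURL: cdp}
}

// Scenario: the CA signs one CRL at signedAt (listing the peer if revokePeer) and serves it only at publishAt;
// any other URL gets 404, like the thread's "ip http server". The client then checks with its clock at now.
func Scenario(lab *Lab, publishAt string, revokePeer bool, signedAt, now time.Time) (Status, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: signedAt, NextUpdate: signedAt.Add(24 * time.Hour)} // lifetime crl 24
	if revokePeer {
		tmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: lab.Peer.SerialNumber, RevocationTime: signedAt}}
	}
	crl := must(x509.CreateRevocationList(rand.Reader, tmpl, lab.CA, lab.caKey))
	return CheckCRL(lab.Peer, lab.CA, func(url string) ([]byte, int) {
		if url == publishAt {
			return crl, 200
		}
		return nil, 404
	}, now)
}

func main() {
	now := time.Now()
	lab := NewLab(now)
	show := func(st Status, err error) {
		fmt.Printf("%-14v  revocation-check crl: %-5v  none: %-5v  %v\n", st, Accept("crl", st), Accept("none", st), err)
	}
	show(Scenario(lab, lab.CDPURL, false, now, now))                        // CRL where the cert says, peer fine
	show(Scenario(lab, lab.CDPURL, true, now, now))                         // serial 2 revoked
	show(Scenario(lab, "http://198.0.0.1:8080/other.crl", false, now, now)) // published elsewhere: the 404
	show(Scenario(lab, lab.CDPURL, false, now.Add(-25*time.Hour), now))     // past NextUpdate: stale copy or clock skew
}
```

go run prints one line per case. The 404 case is the one to hold against the debug above: the URL the client fetches is the CDP URL the CA embedded in the client's own certificate (show crypto pki certificates verbose on the client lists it), and it has to match a path the CA's HTTP server actually serves. A CRL check that cannot obtain the CRL fails closed, which is the correct behaviour; switching to revocation-check none makes the tunnel come up but also means a certificate revoked on MAIN-CA is still accepted.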
07-01-2014 04:28 AM
Strange... are you running this in a lab with physical equipment, or is this in a GNS3 virtual lab? If it is a virtual lab, then I suggest copying out your config, rebuilding your setup, and seeing if that helps.
Other than that, your config looks fine.
--
Please remember to select a correct answer and rate helpful posts
07-03-2014 10:41 AM
Didn't help. It was GNS3, then I copied it to physical devices and nothing changed. I'm still getting 404. Also I checked
show crypto pki crls
and I'm getting blank, and:
R2(config)#crypto pki crl request CLIENT-CA
Jul 3 17:09:50.059: %PKI-4-CRLHTTPFETCHFAIL: CRL Request for trustpoint "CLIENT-CA" returned 404 Not Found
It seems I'm doing something wrong...
07-03-2014 11:10 AM
Do you get any output from the following command on the CA server?
crypto pki server ese-ios-ca info crl
07-03-2014 01:30 PM
#crypto pki server MAIN-CA info crl
Certificate Revocation List:
    Issuer: cn=MAIN-CA.lab.local L\=BLG C\=RU
    This Update: 06:17:02 UTC Jul 4 2014
    Next Update: 07:17:02 UTC Jul 4 2014
    Number of CRL entries: 0
    CRL size: 238 bytes
And when I revoked one of the granted certificates, I got:
#crypto pki server MAIN-CA info crl
Certificate Revocation List:
    Issuer: cn=MAIN-CA.lab.local L\=BLG C\=RU
    This Update: 06:23:41 UTC Jul 4 2014
    Next Update: 07:23:41 UTC Jul 4 2014
    Number of CRL entries: 1
    CRL size: 261 bytes
Revoked Certificates:
    Serial Number: 0x01
    Revocation Date: 06:23:41 UTC Jul 4 2014
So the revocation list is fine. But no one can get it.
07-05-2014 01:23 AM
hmm...odd.
I would need to lab your setup to see what results I get. Will try to do that tonight.
07-06-2014 02:26 AM
OK, found it. Kind of a typo. Don't remember where I got it, but this part of the client's config is wrong:
crypto ca trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto ca authenticate CLIENT-CA
crypto ca enroll CLIENT-CA
it should be like this:
crypto pki trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto pki authenticate CLIENT-CA
crypto pki enroll CLIENT-CA
Anyway, thanks for helping.
07-08-2014 05:27 AM
Nice! Glad you got it sorted.
07-08-2014 10:44 AM
Nope. That wasn't the cause.
Now it works in both variants - with "crypto pki" and "crypto ca". Don't know why. It... just started to work. I did the same steps and got HTTP 200 OK.
So... I'll post if I find out something new.
07-11-2014 02:15 AM
I've finally got the exact steps for my error to appear. All configs are the same. So I'm creating the PKI server and the trustpoint on the client. Then I authenticate and enroll. At this moment I can see the client's request on the server:
#crypto pki server MAIN-CA info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                        SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                        SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                        SubjectName
--------------------------------------------------------------
1      pending    4B8AF9BDD3E6D3ED59AED4CF0C8100CB   hostname=client.lab.local
And also at this moment I can successfully request CRL on client:
#crypto pki crl request CLIENT-CA
Then I do
#crypto pki server MAIN-CA grant 1
I can still request the CRL. But when I get this debug on the client (debug crypto pki transactions), I start getting 404 errors:
Jul 11 18:54:00.933: CRYPTO_PKI: resend GetCertInitial, 2
Jul 11 18:54:00.933: CRYPTO_PKI: All sockets are closed for trustpoint CLIENT-CA.
Jul 11 18:54:00.933: CRYPTO_PKI: resend GetCertInitial for session: 0
Jul 11 18:54:00.937: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 11 18:54:00.937: CRYPTO_PKI: can not resolve server name/IP address
Jul 11 18:54:00.937: CRYPTO_PKI: Using unresolved IP Address 198.0.0.1
Jul 11 18:54:00.997: CRYPTO_PKI: http connection opened
Jul 11 18:54:02.001: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 11 18:54:02.081: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 11 18:54:02.273: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 11 18:54:02.273: CRYPTO_PKI: received msg of 1680 bytes
Jul 11 18:54:02.277: CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Date: Fri, 11 Jul 2014 18:54:02 GMT
Server: cisco-IOS
Content-Type: application/x-pki-message
Expires: Fri, 11 Jul 2014 18:54:02 GMT
Last-Modified: Fri, 11 Jul 2014 18:54:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

Jul 11 18:54:02.337: The PKCS #7 message has 1 verified signers.
Jul 11 18:54:02.337: signing cert: issuer=cn=MAIN-CA.lab.local L\=BLG C\=RU1
Jul 11 18:54:02.337: Signed Attributes:
Jul 11 18:54:02.337: CRYPTO_PKI: status = 100: certificate is granted
Jul 11 18:54:02.389: The PKCS #7 message contains 1 certs and 0 crls.
Jul 11 18:54:02.401: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.401: Newly-issued Router Cert: issuer=cn=MAIN-CA.lab.local L\=BLG C\=RU serial=2
Jul 11 18:54:02.401: start date: 18:53:42 UTC Jul 11 2014
Jul 11 18:54:02.401: end date: 18:50:24 UTC Jul 11 2015
Jul 11 18:54:02.401: Router date: 18:54:02 UTC Jul 11 2014
Jul 11 18:54:02.401: Received router cert from CA
Jul 11 18:54:02.401: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.409: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: %PKI-6-CERTRET: Certificate received from Certificate Authority
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
So as soon as the enrollment is complete and the certificate is received, I can no longer request the CRL.
And I still need help with this.