PIX 515E and Microsoft 2003 CA

rameshpillai
Level 1

Hi,

I have a Cisco PIX 515E Version 6.3(3) and a W3K CA server with the Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services.

I'm trying to configure IKE and IPsec.

I have used the following commands:

ca identity itlca 192.168.201.15:/CERTSRV/mscep/mscep.dll

ca authenticate itlca

I am able to ping from the PIX to the CA server.

I can't figure out where the problem is. How do I debug this situation to see where I am getting stuck?

Regards,

Ramesh

5 Replies

frrosale
Cisco Employee

Hi Ramesh,

Good evening.

To enroll a PIX with a CA server you must obtain:

1.- A Root certificate (sometimes called CA certificate)

2.- An ID certificate.

To get the root cert we must authenticate with the CA server.

Three commands are needed:

ca identity .........

ca configure....

ca authenticate ......

Once you have the root cert, then you can enroll so you get the ID cert using SCEP.

This website will show you an example on how to get both certs for the firewall:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946c0.shtml#obtainpix

There are two things you should keep in mind while working with certs;

1.- Make sure you have a valid RSA key generated on the firewall. You must have both a hostname and a domain name, and then issue this command:

ca generate rsa key xxxx

where xxxx is the key modulus size.

2.- Time and date between the firewall and the CA server must be synchronized or the authentication and enrollment process will fail.

Hope this helps.

Don't forget you need

ca configure yourca ra ...

in your config.

If you use

ca configure yourca ca ...

the cert enrollment won't work with a Microsoft CA.

Regards,

Milan

Still no ray of hope.

I have tried most of the options mentioned in the above link as well as some other tricks, all in vain.

I have deleted my RSA key on the PIX and generated it again, and I have reinstalled my CA on a fresh W3K server.

How do I check where I am failing? Is there no option to debug?

Regards,

ramp

Hi,

Which step exactly fails?

1) Do you see the CA certificate via sh ca cert on your PIX after the ca authenticate ... command is issued?

2) Do you see the certificate request coming to your CA after the ca enroll ... command?

3) Do you see the PIX certificate installed on your PIX after releasing it on your CA?

Check the steps in http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#wp1037380

You can debug on your PIX using

debug crypto ca

command on the PIX console (see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#wp1037380)

Regards,

Milan

I have the same problem...

I think the problem is that there is no mscep.dll on the 2003 CA server (192.168.201.15:/CERTSRV/mscep/mscep.dll in the command "identity ca_nickname ca_ipaddress [:ca_script_location] [ldap_ip address]"), and thus the PIX cannot get the CA certificate with the command ca authenticate. There is no CA certificate, and debug says:

PIX(config)# ca authenticate netmon.company.cz

CI thread sleeps!

Crypto CA thread wakes up!

PIX(config)# ttp connection opened

CRYPTO_PKI: status = 266: failed to verify

CRYPTO_PKI: transaction GetCACert completed

Crypto CA thread sleeps!

It works hopefully on a Win2000 CA, but not on a Win2003 CA; on 2003 there is no directory /certsrv/mscep.

I can't find the proper CA script location in the Microsoft documentation....

Can anyone help us?

Thanks a lot.
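An added check, not from this thread or from Cisco, that an administrator can run from a workstation to answer the last question above: does anything answer a SCEP GetCACert at the `ca identity` location, and does it hand back a CA-only or a CA+RA reply (the latter is what a Microsoft SCEP RA serves, matching the `ca configure ... ra` advice earlier)? It assumes the PIX sends its CA nickname as the GetCACert `message` parameter and that the path is plain HTTP; the reply MIME types come from the SCEP specification.

```python
"""Probe a SCEP enrollment URL for the CA certificate (GetCACert) from an admin workstation."""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Constructed from the thread's `ca identity` arguments. Assumption: the PIX sends its CA
# nickname ('itlca') as the GetCACert 'message' parameter.
SCEP_LOCATION = "192.168.201.15:/CERTSRV/mscep/mscep.dll"
CA_NICKNAME = "itlca"

# GetCACert reply MIME types from the SCEP specification (RFC 8894, section 4.2.1.1).
CONTENT_TYPES = {
    "application/x-x509-ca-cert": "CA mode: single DER CA certificate, no RA",
    "application/x-x509-ca-ra-cert": "RA mode: PKCS#7 with CA and RA certificates (what Microsoft SCEP serves); use 'ca configure <name> ra'",
}

def getcacert_url(location: str, nickname: str) -> str:
    """Turn the 'ca identity' script location (host:/path) into the SCEP GetCACert URL."""
    m = re.fullmatch(r"([^:/]+):?(/.*)", location.strip())
    if not m:
        raise ValueError(f"unexpected ca identity location: {location!r}")
    host, path = m.groups()
    return f"http://{host}{path}?" + urlencode({"operation": "GetCACert", "message": nickname})

def classify_response(status: int, content_type: str, body: bytes) -> str:
    """Interpret an HTTP reply to GetCACert the way the PIX 'ca authenticate' step would see it."""
    if status == 404:
        return "HTTP 404: mscep.dll not found at that path (SCEP add-on missing or wrong directory)"
    if status != 200:
        return f"HTTP {status}: server reachable but the SCEP request was rejected"
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in CONTENT_TYPES:
        return f"HTTP 200 but content-type {ctype!r} is not a SCEP certificate reply (IIS error or login page?)"
    if not body or body[0] != 0x30:  # both reply types are DER; 0x30 is the outer SEQUENCE tag
        return f"{CONTENT_TYPES[ctype]}; body is not DER, so the PIX would report 'failed to verify'"
    return CONTENT_TYPES[ctype]

def probe(location: str = SCEP_LOCATION, nickname: str = CA_NICKNAME, timeout: float = 5.0) -> str:
    """Fetch GetCACert from the CA and classify the reply (needs network access to the CA)."""
    url = getcacert_url(location, nickname)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return classify_response(r.status, r.headers.get("Content-Type", ""), r.read())
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.headers.get("Content-Type", ""), b"")

if __name__ == "__main__":
    print(probe(*sys.argv[1:3]))
```

Run it as `python probe.py 192.168.201.15:/CERTSRV/mscep/mscep.dll itlca`; a 404 confirms the missing-mscep.dll theory, while a 200 with a non-DER body explains a "failed to verify" on the PIX.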