12-24-2003 11:44 AM
As subject:
I've been trying to get PIX with MS SCEP working (6.2(2) and 6.3(x) code both exhibit the same error). All I get when trying to auth the CA server is the following:
CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: WARNING: A certificate chain could not be constructued while selecting certificate status
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: WARNING: A certificate chain couold not be constructed while selecting certificate status
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not get decoded name
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!
It connects via HTTP fine, as the webserver logs show what appears to be a correct GET request (/certsrv/mscep/mscep.dll) and the debug shows:
CRYPTO_PKI: http connection opened
Getting certs via web browser seems to work ok
Using IOS routers works fine (12.2.17) as well.
Only thing I can think of is maybe MS Update updated SCEP to something that PIXies don't understand but routers do, e.g. like the Win2003 SCEP update which requires IOS 12.2.6 or greater.
Any thoughts, as this is really annoying me now.
12-24-2003 10:18 PM
Hi,
PIX cannot retrieve root/ID certificate to a Microsoft CA
Enterprise server running as a subordinate.
If you're running one, try and run it as standalone CA.
thx
Afaq
12-25-2003 12:38 AM
Thanks for the idea, however it is already a standalone :(
I've managed to track some of the problem to a * char in the organisation name (strange that routers accept it, and PIXies don't), and having rebuilt the CA without this issue now get the following error:
CRYPTO_PKI: http connection opened
CRYPTO_PKI: WARNING: A certificate chain couold not be constructed while selecting certificate status
CRYPTO_PKI: WARNING: A certificate chain couold not be constructed while selecting certificate status
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL
CRYPTO_PKI: Can not get name ava count
CRYPTO_PKI: can not decode router sub name.
CRYPTO_PKI: transaction GetCACert completed.
I think this may be related to lack of CA name FQDN on the MS Certificate server side.
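An asterisk is outside the ASN.1 PrintableString alphabet, so a CA has to encode an organisation name containing one with a different string type. The added example below (not part of the thread; function names and sample DNs are constructed) flags subject attributes with such characters before a CA is built for SCEP clients; that this is what the PIX decoder tripped over is an assumption, not something the thread confirms.

```python
import re

# ASN.1 PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")


def split_dn(dn):
    """Split an RFC 4514-style DN string into (type, value) pairs.

    Backslash escapes (\\, or hex pairs such as \\2A) are decoded so an escaped
    comma does not end an attribute. Multi-valued RDNs ('+') are not split.
    """
    parts, buf, i = [], "", 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf += chr(int(hexpair, 16))
                i += 3
            else:
                buf += dn[i + 1:i + 2]
                i += 2
            continue
        if c == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    parts.append(buf)
    return [tuple(s.strip() for s in p.split("=", 1)) for p in parts if "=" in p]


def non_printable_avas(dn):
    """Return [(attr_type, value, offending_chars)] for values outside PrintableString."""
    findings = []
    for attr, value in split_dn(dn):
        bad = sorted(set(value) - PRINTABLE)
        if bad:
            findings.append((attr, value, bad))
    return findings


if __name__ == "__main__":
    # Constructed sample subjects, not taken from the thread.
    for subject in ("CN=Example CA, O=Example*Org, C=GB",
                    "CN=Example CA, O=Example Org, C=GB"):
        print(subject, "->", non_printable_avas(subject) or "PrintableString-safe")
```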
05-03-2004 03:08 AM
Gareth,
check your IIS configuration, especially Execute Permissions (should be Scripts and Executables!) and Application Protection (should be Low (IIS process)) in certsrv virtual directory.
That solved my problem ;)
BR, Rok