
PIX VPN with Microsoft CA

spalislam
Level 1

I have a problem getting my pix to authenticate and enroll with MS CA. I get strange error messages.

Here is the attachment:

Any help is appreciated. Thanks,

sp

4 Replies

d-garnett
Level 3

Make sure that your RA is set up properly.

Make sure that you have a good version of MSCEP.DLL and make sure that it has been registered with IIS.

I have run into issues once with a bad version of CEPSETUP where pkiclient.exe would not execute to download the certificate when enrolling. I have had most success with Windows 2003.

Also, you need to use the CA's fingerprint (from its public key) when authenticating the PIX to it.

ca authenticate ca_nickname [fingerprint]

A great link:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a00800898d9.html

I will check it when I go to work. However, just a side note, the actual CA is working fine via the Web Interface.

For example, I was able to get/download and install a certificate for an Etoken USB device. It works just fine. However, that is done through /certsrv directly.

Thanks for the links.

I'll give it a try again.

You're welcome. Also, this may help. It's primarily for IOS routers, but the CA/RA setup will apply for either case.

Scroll down to the section called "Configuring Certificate-Based VPN Connections (Cisco, SCEP, Windows 2003 Server)"

http://www.getconnected-it.com/infoarch.html

I still could not get it to work. Where do I find the fingerprint value?

There is a thumbprint value in the certificate, but it is too long. Even with that option, it still fails.

sp