02-04-2004 10:09 PM
When I first successfully installed and configured the CA server (win2k advanced) and SCEP, my PIX535 could get the certificate and enroll to the CA successfully.
But when I reinstalled the CA program and SCEP, my PIX535 could get the certificate from the CA server too, but couldn't enroll to the CA server. It says no CA root cert exists, even though I tried lots of times. Below are the procedures, for example:
PIX535(config)# ca id myca 172.16.1.2:/certsrv/mscep/mscep.dll
PIX535(config)# ca config myca ra 1 5
PIX535(config)# ca authen myca
#then I went to my CA link: 172.16.1.2:/certsrv/mscep/mscep.dll, input the username and password to get the password: xxxx
PIX535(config)# ca enroll myca xxxx
% No CA root cert exists. Use "ca authenticate"
#retries, to get another password: xxxx
PIX535(config)# ca enroll myca xxxx
% No CA root cert exists. Use "ca authenticate"
PIX535(config)# sh ca cert
CA Certificate
Status: Available
Certificate Serial Number: xxxx
Key Usage: Signature
CN = MYNET
OU = MYNETWORK
O = NETWORK
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> JACKY@HZCNC.COM
Validity Date:
start date: 01:54:56 Beijing Feb 6 2004
end date: 02:04:56 Beijing Feb 6 2005
CA Certificate
Status: Available
Certificate Serial Number: xxxx
Key Usage: Encryption
CN = MYNET
OU = MYNETWORK
O = NETWORK
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> JACKY@HZCNC.COM
Validity Date:
start date: 01:54:56 Beijing Feb 6 2004
end date: 02:04:56 Beijing Feb 6 2005
CA Certificate
Status: Available
Certificate Serial Number: xxxx
Key Usage: Signature
CN = MYNET
OU = MYNETWORK
O = NETWORK
L = HANGZHOU
ST = ZHEJIANG
C = CN
EA =<16> JACKY@HZCNC.COM
Validity Date:
start date: 01:42:41 Beijing Feb 6 2004
end date: 01:46:25 Beijing Feb 6 2006
PIX535# sh ca mypub rsa
% Key pair was generated at: 09:20:43 Beijing Feb 5 2004
Key name: PIX535.MYNET.COM
Usage: General Purpose Key
Key Data:
xxxxx
% Key pair was generated at: 10:32:46 Beijing Feb 5 2004
Key name: PIX535.MYNET.COM.server
Usage: Encryption Key
Key Data:
xxxxxx
Tell me what's the problem? Thank you very much.
03-19-2004 09:46 AM
Hi,
Have you used the Microsoft Enterprise CA or the standalone CA?
Thanks
Chiara
08-21-2004 05:26 PM
Were you ever able to get this working? I have the exact same problem but cannot fix it.
I have been able to enroll for my certificates on the PIX and on the client but still get the "remote peer no longer responding".
If you were able to solve this I hope you will tell me how.
HELP!!!
09-13-2004 08:10 AM
Hi,
I've the same problem.
I'm using the Windows2003 version you mentioned but still receiving the error
NO ROOT CA CERT EXISTS
Do you have any idea?
09-13-2004 10:39 PM
The problem has not been solved so far. I opened a case for this, but it has not been solved yet. The case has been closed, and I do not know for what reason. I am so sad.
09-14-2004 05:17 AM
I opened a ticket and the tech DID solve the problem for me. Perhaps you could refer the tech you are working with to my ticket 600452063 for the solution. If I correctly understand the changes made by the tech on my PIX, I had to upgrade the encryption to aes or 3des in order to get certificates to work.
I've attached the relevant portion of my config.
09-14-2004 06:12 AM
Are you using an enterprise CA or a standalone CA?
Thanks
Stefano Colombo
09-14-2004 07:06 AM
Stand-alone CA which I believe is required. You also need SCEP installed in the form of MSCEP.DLL. There is a post higher up in this thread with a link to info about this. I am using W2000 so I don't know much detail about it in W2003.