
VPN with certificates from Microsoft CA ... any ideas ??

dean_holroyd
Level 1

Alright

I have been trying to set up a VPN using digital certificates to authenticate the devices (PIX). I am using Microsoft Certificate Services with the mscep.dll add-on. When I try to enroll a certificate I get this:

pix1(config)# ca generate rsa key 512

Keypair generation process begin.

.Success.

pix1(config)# ca identity CA 10.0.0.20:/certsrv/mscep/mscep.dll

pix1(config)# ca configure CA ra 1 20 crloptional

pix1(config)# ca authenticate CA

Certificate has the following attributes:

Fingerprint: 1c93454b 263051d8 b4fd283f 6e3044ac

pix1(config)# ca enroll CA cisco

%

% Start certificate enrollment ..

% The subject name in the certificate will be: pix1.companyname.com

% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

pix1(config)# Fingerprint: 4595bd93 396f425c 03a68138 7a6b4c23

The certificate enrollment request was denied by CA!

Any ideas why this does not work? There is no security that stops access to the CA.

Cheers

Dean

2 Replies

dean_holroyd
Level 1

no replies ...... oh well !

I have solved the problem myself. If anybody has the same problem, I got round it by unchecking the automatic enrollment option during cepsetup. I can now enroll certificates, but I have to issue them manually from certserv's pending folder.

cheers

gbbromley
Level 1

When you do ca enroll you don't type in any old passwd, you type in the 'password' that the web page tells you to use - the one that's only valid for about 60 mins and is a HEX string.