Windows 2008 CA Certificate Authority Enrollment generic error PKCS#7 vs PKCS#10

canero
Level 1

Hello,

We are installing a Site-to-Site VPN using certificates, and using a Windows 2008 Certificate Authority for this purpose. After configuring and debugging, we observe in the debugs that a PKCS#10 request is sent to the CA, and the return is PKCS#7 with errors. What may be the cause of the problem? Does the CA need to send PKCS#10 format as well, or does it need some changes in the configuration? The same configuration works OK with a router as a CA.

The debug output is as follows:

Feb  9 21:00:32.502: ../cert-c/source/p7contnt.c(169) : E_DATA : generic data error

*Feb  9 21:00:32.502: CRYPTO_PKI: status = 0x703(E_DATA : generic data error): pkcs7 verify data returned status

*Feb  9 21:00:32.502: CRYPTO_PKI: status = 0x703(E_DATA : generic data error): failed to verify

*Feb  9 21:00:32.502: CRYPTO_PKI: status = 0x703(E_DATA : generic data error): failed to process the inner content

*Feb  9 21:00:32.502: %PKI-6-CERTFAIL: Certificate enrollment failed.

*Feb  9 21:00:32.502: CRYPTO_PKI: All enrollment requests completed for trustpoint TESTCAS.abc.lab.

*Feb  9 21:00:32.502: CRYPTO_PKI: All enrollment requests completed for trustpoint TESTCAS.abc.lab.

*Feb  9 21:00:32.502: CRYPTO_PKI: All enrollment requests completed for trustpoint TESTCAS.abc.lab.

*Feb  9 21:00:32.502: CRYPTO_PKI: All enrollment requests completed for trustpoint TESTCAS.abc.lab

Thanks in Advance,

Best Regards,

3 Replies

Marcin Latosiewicz
Cisco Employee

Hi,

Did you find resolution of this one?

I would be interested to see full debugs and config.

Marcin

Hello Marcin,

The solution in fact turned out to be simple, i.e. we left the IP address of the DNS of the CA server as another IP. But in fact the CA on the lab setup was also the Active Directory server. So after searching for 3 days the problem is resolved.

One error that we also met was that if the memory available for the IIS service is low, we may get similar errors. (Our virtual machine memory is 1 Gbyte, and 988 Mbyte of the memory is used.) The system administrator also warned about this issue and we tried to use more memory.

Best Regards,

Cool stuff!

I gave your post full marks, hopefully next people to stumble into this will find it useful ;-)

Marcin
