CA AUTH failure 266

Status
Not open for further replies.

npwrz

MIS
Feb 13, 2004
2
US
I am having trouble getting the public key from a Microsoft CA (Windows 2000) to the PIX using the ca auth command.

The debug cry ca output is:

CI thread sleeps!
Crypto CA thread wakes up!
XXXX-PIX(config)# nnection opened
CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!

Then nothing. I have waited for the public key to be installed but it never does. Over 30 mins.

I have checked the URL in the ca ident command and it checks.

Any ideas? Surely this is not a unique problem.

I'm guessing that the problem is with the CA server, but cannot find out what the problem is.

Thanks for anyone's advice!


 
Problem solved:

The CA server was misconfigured.

When generating the RSA key on the PIX, make sure its size is 512.

When installing the Microsoft CA server, go into the advanced settings and set the keys to 512 and Microsoft Base encryption provider.

When installing the mscep.dll, again go into the advanced settings and ensure that the key size is 512 and the MS Base encryption provider is selected. The default sizes on the CA server are 2048.

Then, verify you have it set up correctly by URL>/certsrv/mscep/mscep.dll and see if you get the one time use password for cisco enrollment.

Then it all worked right out of the book.
 