Help with Microsoft CA and PIX

Status
Not open for further replies.

kuon

Technical User
Jul 13, 2003
23
RU
I need to create authentication between the PIX and a user using a CA.
I installed the CA on Microsoft Advanced Server 2000 as a Stand Alone Root (no Active Directory, only 2 computers and the PIX).
I found the example on cisco.com: Configuring PIX Firewall for a Microsoft Certificate.
I did everything as in the example, but at the step where
ca authenticate abcd
the PIX says: Fingerprint: deb5647b 3bf68599 6436ecc1 3de08564
then I do
ca enroll abcd cisco
and the PIX says:
% No CA root cert exists. Use "ca authenticate".
I don't understand what I am doing wrong?
Please help, and sorry for my English.
 
Somebody please help :(. I try to do this again and again and the result is only the fingerprint. What am I doing wrong?
 
HI.

> ca authenticate abcd
> pix say: Fingerprint: deb5647b 3bf68599 6436ecc1 3de08564
I think that you should approve the fingerprint.
The pix is asking you to compare the key to what you got from the CA administrator by other means (email/fax/phone) to avoid spoofing the key and trusting the wrong root...
Since you are the CA administrator yourself and you're doing it using direct connection to the CA server, you can simply approve the key you got, maybe like this:
ca authenticate abcd deb5647b 3bf68599 6436ecc1 3de08564
I'm not sure about the command, but the idea is to approve the root key.

At the end you should:
ca save all


Yizhar Hurwitz
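The out-of-band check described in this reply, as an added example that is not part of the thread: compute the fingerprint of the CA root certificate the PIX downloaded and compare it with the value the CA administrator supplied. The fingerprint on this page is 128 bits, so MD5 is assumed; the DER bytes, `pix_fingerprint` and `verify_fingerprint` are constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed stand-in for the DER-encoded CA root certificate that the PIX
# fetches via SCEP GetCACert; in practice read the CA's exported .cer file.
SAMPLE_DER = b"CONSTRUCTED-DER-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"


def pix_fingerprint(der_cert: bytes) -> str:
    """MD5 of the DER certificate (assumed algorithm for a 128-bit value),
    printed the way the PIX shows it: four space-separated 8-hex-digit words."""
    digest = hashlib.md5(der_cert).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def normalize(fp: str) -> Optional[str]:
    """Accept 'deb5647b 3bf68599 ...' or 'deb5647b3bf68599...' in any case and
    return 32 lowercase hex digits, or None if it is not a full 128-bit value."""
    compact = re.sub(r"\s+", "", fp).lower()
    return compact if re.fullmatch(r"[0-9a-f]{32}", compact) else None


def verify_fingerprint(der_cert: bytes, expected_out_of_band: str) -> bool:
    """True only if the downloaded certificate's fingerprint equals the one
    obtained from the CA administrator by phone/fax/email.
    A truncated value such as a single 'deb5647b' word is rejected outright
    rather than being treated as a partial match."""
    expected = normalize(expected_out_of_band)
    if expected is None:
        return False
    actual = hashlib.md5(der_cert).hexdigest()
    # Constant-time comparison; the value is not secret, but it costs nothing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    fp = pix_fingerprint(SAMPLE_DER)
    print("PIX shows:  Fingerprint:", fp)
    print("matches admin copy:", verify_fingerprint(SAMPLE_DER, fp.upper()))
```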
 
ca auth abcd deb5647b3bf685996436ecc13de08564

Certificate has the following attributes:

pixfirewall(config)# 3bf68599 6436ecc1 3de08564
if I do ca auth abcd deb5647b

Certificate has the following attributes:

Fingerprint: deb5647b 3bf68599 6436ecc1 3de08564
% Error in verifying the received fingerprint.
pixfirewall(config)# ca auth abcd deb5647b 3bf68599 6436ecc1 3de08564
CIERR: The number of parameters is wrong!
I found an example for routers where, if the fingerprint does not match, the PIX says that something is wrong.
My PIX doesn't give this message. I don't know what to do next.
sh ca cert - is empty.
 
I did as you said and:
ca auth abcd deb5647b 3bf68599 6436ecc1 3de08564
CIERR: The number of parameters is wrong!
I tried to use:
ca auth deb5647b 3bf68599 6436ecc1 3de08564
CIERR: The number of parameters is wrong!
and:
ca auth deb5647b3bf685996436ecc13de08564
CIERR: CA Identity --<ca_nickname>-- is unknown!

I started Network Monitor and found this:

GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=abcd HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Mon, 28 Jul 2003 10:27:04 GMT
Content-Length: 3243
Content-Type: text/html
I tried to find it, but there is no file pkiclient.exe on the CA server.
What can I do now?
 
Yes, you were right :). I installed mscep.dll and received the certificate on the PIX. But now I can't create a connection between VPN client 3.6 and the PIX using certificates. In the log on the VPN client I have the message:
11:57:02.264 08/04/03 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).
On the PIX there is one line that is not present in the example, and I don't know what I can do:
CRYPTO_CA: certificate not found
I think something is wrong, but I don't know what.
 
In debug I have:


CRYPTO_PKI: All enrollment requests completed.
CRYPTO_PKI: All enrollment requests completed.
Insert Selfsigned Certificate:
30 82 01 bf 30 82 01 69 02 20 66 63 33 37 39 37 63 37 62 64
34 30 31 30 30 31 30 31 63 32 66 35 38 37 35 39 61 37 34 65
61 35 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 5b 31
59 30 0f 06 03 55 04 05 13 08 31 63 39 65 38 33 37 31 30 1f
06 03 55 04 03 13 18 70 69 78 66 69 72 65 77 61 6c 6c 2e 69
63 6c 2e 6b 61 7a 61 6e 2e 72 75 30 25 06 09 2a 86 48 86 f7
CI thread sleeps!
CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selectin
g certificate status

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selectin
g certificate status

Certificate has the following attributes:

Fingerprint: 035678cd 5528daae ccf57c59 dd4f5ce4
CRYPTO_PKI: Name: CN = rootyuki, C = US
CRYPTO_PKI: Name: CN = rootyuki, C = US
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Name: CN = rootyuki, C = US
CRYPTO_PKI: Name: CN = rootyuki, C = US
Crypto CA thread sleeps!
CI thread wakes up!
CRYPTO_PKI: Name: CN = yuki, C = US
CRYPTO_PKI: Name: CN = rootyuki, C = US
CRYPTO_PKI: Name: CN = rootyuki, C = US
CI thread sleeps!
Crypto CA thread wakes up!
CI thread wakes up!
CRYPTO_PKI: Name: CN = yuki, C = US
CRYPTO_PKI: Name: CN = rootyuki, C = US
CRYPTO_PKI: Name: CN = rootyuki, C = US
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps! Fingerprint: 2a7e47df a2989b1e 5941e634 733c5938

CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 652 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecti
ng CRL

CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 46 9d a5 15 37 ba 5c 35 f1 a0 a8 b9 77 52 bd 64
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 66 63 33 37 39 37 63 37 62 64 34 30 31 30 30 31 30 31
63 32 66 35 38 37 35 39 61 37 34 65 61 35
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 652 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecti
ng CRL

CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 ae 44 2a 4e 62 e0 54 39 ba 78 4a 72 df f5 ac f2
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 66 63 33 37 39 37 63 37 62 64 34 30 31 30 30 31 30 31
63 32 66 35 38 37 35 39 61 37 34 65 61 35
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: All sockets are closed.
CRYPTO_PKI: All sockets are closed.
Crypto CA thread wakes up!
CRYPTO_PKI: resend GetCertInitial, 2
Crypto CA thread sleeps!
CRYPTO_PKI: resend GetCertInitial for session: 0
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 2077 bytes
CRYPTO_PKI: Error: Certificate, private key or CRL was not found while selecting certificate chain
-!!!!!!!!! I think my problem is in this line; what can I do about it?
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13
The certificate has been granted by CA!
01 30
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 ae 44 2a 4e 62 e0 54 39 ba 78 4a 72 df f5 ac f2
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 66 63 33 37 39 37 63 37 62 64 34 30 31 30 30 31 30 31
63 32 66 35 38 37 35 39 61 37 34 65 61 35
CRYPTO_PKI: status = 100: certificate is granted
CRYPTO_PKI: Error: Certificate, private key or CRL was not found while selectin
g certificate chain

CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selectin
g certificate status

CRYPTO_PKI: All enrollment requests completed.
CRYPTO_PKI: All enrollment requests completed.
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecti
ng CRL

CRYPTO_CA: certificate not found
CRYPTO_CA: certificate not found
CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 1191 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while selecti
ng CRL

CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 30
CRYPTO_PKI: signed attr: pki-transaction-id:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 02 cb 0a c1 a1 d7 50 9f 6a 8c f8 e1 9f c3 ae 94
CRYPTO_PKI: status = 100: certificate is granted
CRYPTO_PKI: the current router time: 18:57:31 MSK/MDD Aug 4 2003

CRYPTO_PKI: the last CRL update time: 18:24:01 MSK/MDD Aug 4 2003
CRYPTO_PKI: the next CRL update time: 19:59:01 MSK/MDD Aug 4 2003
CRYPTO_PKI: set CRL update timer with delay: e6a
CRYPTO_PKI: status = 105: poll CRL successful
CRYPTO_PKI: transaction GetCRL completed
Crypto CA thread sleeps!
CI thread wakes up!
CRYPTO_CA: certificate not found
CRYPTO_CA: certificate not found
CRYPTO_CA: certificate not found
CRYPTO_PKI: Name: CN = yuki, C = US
 
Did you get a certificate for the pix itself from the CA server?
Yes, I issued the certificate on the CA when it appeared there.
I use PDM, in the tab VPN - Certificate - Enrollment.
I enter the password and check the PIX serial number and IP address.
After that I push the button Enroll PIX with the CA.
In the console I turn on debug and get the information that I wrote here in my previous post.
I don't understand the message:
CRYPTO_CA: certificate not found
Is it good or bad? I searched for something that could help me with it on cisco.com but found nothing :(.

When I try to create a connection between VPN client 3.6 and the PIX using a certificate, in the log on the VPN client I receive:
GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).

But I created a preference for the certificate connection with the VPN wizard.
 
Yes, I created a certificate with Certificate Manager and enrolled it on the CA server.
After that I imported the certificate into the VPN client. The certificate has the following attributes: pix(cisco).
 
I compared my ISAKMP log with the log in the example and found that
in my log, in all attempts, I have:
ISAKMP: encryption AES-CBC
but in the config for isakmp I have:
vpngroup cert address-pool 12
isakmp policy 20 authen rsa-sig
isakmp policy 20 encrypt des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp enable security
access-list security_cryptomap_dyn_20 permit ip any 192.168.200.240 255.255.255.252
crypto dynamic-map security_dyn_map 20 match address security_cryptomap_dyn_20
crypto dynamic-map security_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map security_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map security_map 65535 ipsec-isakmp dynamic security_dyn_map
crypto map security_map interface security
sysopt connection permit-ipsec


In the example:
ISAKMP: encryption DES-CBC

Maybe my problem is in this?
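The mismatch this post points at, as an added example that is not part of the thread: parse the `isakmp policy 20` lines from the config above and check a client's phase 1 proposal against them. The client proposal is reconstructed from the "encryption AES-CBC" log line, and the "DES only" licence set is an assumption taken from the thread's last reply; `parse_isakmp_policies` and `match_proposal` are constructed names.

```python
import re
from typing import Dict, List

# The isakmp policy lines quoted in the post above.
PIX_CONFIG = """
isakmp policy 20 authen rsa-sig
isakmp policy 20 encrypt des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# Assumption: this PIX has no 3DES/AES feature licence, so only DES is usable.
LICENSED_CIPHERS = {"des"}


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Group 'isakmp policy <n> <attr> <value>' lines into one dict per policy number."""
    policies: Dict[int, Dict[str, str]] = {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies


def match_proposal(policies: Dict[int, Dict[str, str]], proposal: Dict[str, str]) -> List[str]:
    """Walk policies in priority order, as IKE does, and return why each rejected
    the client's proposal. An empty list means some policy accepted it."""
    reasons: List[str] = []
    for num in sorted(policies):
        pol = policies[num]
        for attr, wanted in proposal.items():
            if pol.get(attr) != wanted:
                reasons.append(f"policy {num}: {attr} {pol.get(attr)} != client {wanted}")
                break
        else:  # every proposed attribute matched; the cipher must also be licensed
            if pol.get("encrypt") in LICENSED_CIPHERS:
                return []
            reasons.append(f"policy {num}: cipher {pol.get('encrypt')} not licensed")
    return reasons


if __name__ == "__main__":
    pols = parse_isakmp_policies(PIX_CONFIG)
    # What the VPN client log shows it proposing (constructed from "encryption AES-CBC").
    print(match_proposal(pols, {"encrypt": "aes", "hash": "md5", "authen": "rsa-sig", "group": "2"}))
    print(match_proposal(pols, {"encrypt": "des", "hash": "md5", "authen": "rsa-sig", "group": "2"}))
```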
 
Yes, you're right. I don't have a license for 3DES, and I can't create the connection.
Thank you :)
 