Microsoft CA and PIX enroll

[nexialist]

I have following problem:
I set everything in PIX as it schould be:
ca generate rsa 512
ca identity kapic.x.x 10.x.x.x:certsrv/mscep/mscep.dll
ca configure kapic.x.x ra 1 20 crloptional
ca authenticate kapic.x.x [Fingerprint]

but when it gets to
ca enroll kapic.x.x [Password]
I get : % No CA root cert exists. Use "ca authenticate"

I set up CA on 2003 server OK, installed mscep.dll ...

Tried everything but no result, always same mistake.
But I found one interesting thing:
If I want to access

http://serverIP/certsrv/mscep/mscep.dll

i get no answer but when I type in

http://serverHOSTNAME/certsrv/mscep/mscep.dll

I imidiatly get connected.

In PIX I can set up CA only by IP not HOSTname, could that be the problem???

Thank you

 

[kuon]

You need save your certificate on pix

 

[nexialist]

Hi kuon,

can you tell me a bit more, please!
I mean more details!
Thank you!

 

[talphius]

When we setup Certificate services on our 3 pix's here, we used "ca authenticate <name>" without the fingerprint specified, as with that command I could never get that to work.

After you do that comamnd you should see the CA fingerprint displayed, and it should match what you see when you browse to "

http://<CA

server>/certsrv/mscep/mscep.dll" (the first line after the welcome message).

I'm kind of concerned that you can't browse to the CA server by IP address. I would definately look into that problem, as the PIX will be communicating by IP only. (can you get to "

http://<ip>/certsrv"?

 

[nexialist]

Hello talphius,

Sorry for my late answer but I wasn't in the office for a couple of weeks.
But I also found that I can not browse by IP address, only by host name.
This is a 2003 server CA! And aperantlly it has made some kind of virtual server while installing CA on IIS.

Enyone any idea what to do on IIS to allowe browsing by IP?

Thanks guys,

Kind regards,