On a PIX 515 with VPN and 3des enabled running Ver. 6.2(2)
PDM Ver. 2.1(1)
I'm having a config problem with the PIX and I'm hoping someone can help me out. The network setup is with the PIX inside as 192.168.1.2, and the caserver is a W2K Domain Controller connected to the PIX with IP 140.188.8.13 through a Cisco 2950 switch.
I completed the following commands connected to the PIX by laptop HyperTerminal, with some names and numbers changed for security reasons.
pix> enable
Password: *****
pix# show clock
07:51:08.331 UTC Tue Dec 3 2002
pix(config)# clock set 12:54:00 UTC Dec 3 2002
pix(config)# hostname pix
pix(config)# domain-name domain
pix(config)# ca generate rsa specialkey rsa 1024
For <key_modulus_size> >= 1024, key generation could
take up to several minutes. Please wait.
pix(config)# ca identity caserver 140.188.8.13://caserver/certsrv/mscep/mscep.dll
pix(config)# ca configure caserver ca 1 20 crloptional
pix(config)# show ca mypubkey rsa
% Key pair was generated at: 13:00:09 UTC Dec 3 2002
Key name: pix.domain.net
Usage: Encryption Key
Key Data: XXXXX
% Key pair was generated at: 13:00:06 UTC Dec 3 2002
Key name: pix.domain.net
Usage: Signature Key
Key Data: XXXXX
pix(config)# ca authenticate caserver
Certificate has the following attributes:
Fingerprint: xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
pix(config)# ca authenticate caserver (entered the above Fingerprint)
CIERR: The number of parameters is wrong!
Usage: ca generate rsa key|specialkey <key_modulus_size>
ca identity <ca_nickname> <ca_ipaddress | hostname>[:<ca_script_location>] [<ldap_ipaddress | hostname>]
ca configure <ca_nickname> ca|ra <retry_period> <retry_count>
[crloptional]
ca authenticate <ca_nickname> [<fingerprint>]
ca enroll <ca_nickname> <challenge_password> [serial] [ipaddress]
[no] ca save all
show ca certificate
show ca mypubkey rsa
ca zeroize rsa
pix(config)# ca authenticate caserver
Certificate has the following attributes:
pix(config)# d19 7cf71be7 f98c9d9e 9acb61c0
pix(config)# ca enroll caserver (password from mscep.dll page)
% No CA root cert exists. Use "ca authenticate"
pix(config)# quit
pix# quit
Logoff
I went through this several times, also by using the PDM interface. I authenticate and view the certificate
and save it to the Trusted Root folder. I then save to Flash and go to Enrollment. I enter the mscep-required
password and enroll, but it fails with the error "PDM cannot proceed with enrollment since there is
no root certificate. Please complete Certificate Authentication before trying to enroll with the CA for
a new certificate." If I go back and re-enter it all, I get the same error. I seem to be stuck in a loop. Any ideas?