Hi Ben,
Thanks for your response. I haven't reloaded the CA. Here's some info'
from some show commands. Not sure if it's any help in figuring this out,
or if this is a weird GNS thing and therefore a moot cause. Weird thing is
that routers can authenticate and enroll with the CA just fine. Only ASAs
enrollments fail.
*IOS CA:*
R1#sho cryp key mypubkey rsa
% Key pair was generated at: 00:03:40 UTC Mar 1 2002
Key name: R1
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D10F6F
DB59F2B1 56F97B34 85608D1C AFBE91D3 6C8F88DC 62A82ADF 2AE105A6 B7D5D43B
B7B958B8 BB80DC60 555E460F C2D84397 72A05506 A2C8621D 0A79C6DA 920A2D0C
D485DCD2 3784A911 8626AC32 F96ABA13 D273986F 622BAD8D 9ECAC9FA BD1FB262
FC599E4F 4E47AB28 D5C0FA11 A578B7C6 AEDA3FA1 87FC9D43 47A173C3 6D020301
0001
% Key pair was generated at: 02:03:43 UTC Mar 1 2002
Key name: R1.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B2D6C9 45940F97
0822D4DA 0C59BF12 367E1F21 8EEE75D3 AB2EB94A FB54FBE7 E7D6E0F5 CDB3EE75
9F5D9A91 7DA31A2E F75863D3 1AF6EC38 156DA91E 6FA83DEA 48384CF8 9823A14E
AAEDDAA2 A6089EAC 8EF35C34 70A31F68 AFC60B37 66901631 13020301 0001
R1#
R1#sho cryp pki certificates ver
CA Certificate
Status: Available
Version: 3
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=R1.blah.com
st=CO
c=US
Subject:
cn=R1.blah.com
st=CO
c=US
Validity Date:
start date: 00:06:38 UTC Mar 1 2002
end date: 00:06:38 UTC Feb 28 2005
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: MD5 with RSA Encryption
Fingerprint MD5: B99C4B4A 9FDA7F21 5CC098F3 308D71AF
Fingerprint SHA1: 6D9CFC35 8CC733F9 96A1E6EF 1BDC3216 2C027D4E
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 60131162 6573950F 5B6B8C89 C2660CCF 55225E98
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 60131162 6573950F 5B6B8C89 C2660CCF 55225E98
Authority Info Access:
Associated Trustpoints: R1
*ASA:*
ASA(config)# sho cryp key myp rsa
Key pair was generated at: 00:19:35 UTC Mar 1 2002
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a56efb
f7f8a639 dc7005cc e00d34b6 3bec745e d266fa44 ec523ba3 1b5d5306 97c78c98
e9c27ccc 8054dabc a677a572 74069b0b 860a2782 6ea45e4e f183c8da fefff1d6
4a48afad 10d18b6a d2daa8fb 6a789fea 293faa79 b77dbb97 3c26f4c7 933fd2d4
7bb5cc6d 497a9b27 3319d628 e116a5f8 4754d9f2 7ac69bcc 80a4183c a7020301
0001
ASA(config)#
ASA(config)#
ASA(config)#
ASA(config)# sho cryp ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Issuer Name:
cn=R1.blah.com
st=CO
c=US
Subject Name:
cn=R1.blah.com
st=CO
c=US
Validity Date:
start date: 00:06:38 UTC Mar 1 2002
end date: 00:06:38 UTC Feb 28 2005
Associated Trustpoints: R1
On Wed, Sep 19, 2012 at 9:45 PM, Ben Shaw <[email protected]> wrote:
> Check the RSA key-pair is still on the CA. If you have reloaded the CA at
> any time during your test they would have been lost as GNS doesn't keep
> them on reboot and this could cause an issue with enrollment.
>
>
>
> On Wed, Sep 19, 2012 at 8:39 PM, Jason Madsen <[email protected]>wrote:
>
>> time appears to be within milliseconds from each other, and all date and
>> timezone type info matches as well. UTC, Fri, March 1st 2002...
>>
>> my brain hurts. seems like i've done this a million times while studying
>> / testing, and now it won't work any more.
>>
>> Jason
>>
>>
>>
>> On Wed, Sep 19, 2012 at 8:35 PM, Fawad Khan <[email protected]> wrote:
>>
>>> So check time and time zone. This happened to me but I found the time
>>> zone was not
>>> Matching properly.
>>>
>>>
>>> On Wednesday, September 19, 2012, Fawad Khan wrote:
>>>
>>>> Check the time on all devices.
>>>>
>>>> On Wednesday, September 19, 2012, Jason Madsen wrote:
>>>>
>>>>> Hi Group,
>>>>>
>>>>> I'm having a brain fart at the moment, or else ran into more GNS3
>>>>> weirdness. I setup a router as a CA and get the following message every
>>>>> time I try to enroll from an ASA:
>>>>>
>>>>> The certificate enrollment request failed!
>>>>>
>>>>> Routers can authenticate and enroll with the IOS CA just fine...just
>>>>> cannot from an ASA. Anything need to be done differently on the ASA when
>>>>> enrolling other than what's needed on routers when enrolling? Here are
>>>>> the basic steps I went through:
>>>>>
>>>>> *IOS CA:*
>>>>>
>>>>> hostname R1
>>>>> ip domain name blah.com
>>>>> ntp master
>>>>> ip http server
>>>>> crypto key gen rsa mod 1024 R1-CA
>>>>> !
>>>>> crypto pi trust R1-CA
>>>>> rsakeypair R1-CA 1024
>>>>> rev none
>>>>> !
>>>>> crypto pki server R1-CA
>>>>> data level complete
>>>>> data archi pem
>>>>> data url pem flash:
>>>>> grant auto
>>>>> cdp- http://19.19.19.1/cgi-bin/pkiclient.exe?operation=GetCRL
>>>>> issue CN = R1.blah.com, ST = CA, C = US
>>>>> no shut
>>>>> !
>>>>>
>>>>> *ASA*
>>>>>
>>>>> hostname ASA
>>>>> domain-name blah.com
>>>>> ntp server 19.19.19.1
>>>>> !
>>>>> cryp key gen rsa mod 1024
>>>>> cryp ca trust R1
>>>>> enroll url http://19.19.19.1:80
>>>>> rev none
>>>>> !
>>>>> crypt ca authe R1
>>>>> (works fine...able to authenticate)
>>>>> crypt ca enroll R1
>>>>> (serial number: no, get cert: yes...get "enrollment request failed"
>>>>> each time or a similar error message)
>>>>>
>>>>> I can debug on the CA and it looks as though a cert' is sent to the
>>>>> ASA when I do the "crypto ca enroll" command. Not sure what's going on.
>>>>> NTP was sync'd before any key / cert creation etc. Did not change
>>>>> hostnames or domain names after creating keys / certs. I've tried
>>>>> specifying FQDN wtihin trustpoints etc, and modifying other parameters.
>>>>>
>>>>> Either I've forgotten a key step along the way, or else this is GNS
>>>>> specific.
>>>>>
>>>>> Any ideas / thoughts?
>>>>>
>>>>> Thanks,
>>>>> Jason
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> FNK, CCIE Security#35578
>>>>
>>>
>>>
>>> --
>>> FNK, CCIE Security#35578
>>>
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
