The certs are marked as active, but I can see no serial number at the ca certificate in the pix. Is this correct??
yes this is correct, since the ca-cert has a serial number of zero ;o) which pix interprets as not available...
I tried to edit the request with the correct DN. Then OpenCA was able to issue the certificate, but nevertheless the PIX was not able to show this certificate with "show ca cert". But the pending request (Pending 102) at PIX trace was changed to granted (Granted 100). I thought this is it. But NO!!! The PIX shows only the ra and the ca certificate !!! Has anyone an idea what went wrong ???
yeah - i have some ideas ;o)
first - the granted cert will be shown on top of ca and ra cert as the first one - if it's there
second - it is important to keep some special attributes in the dn that means: unstructuredAddress and unstructuredName if available otherwise the pix will not accept the issued certificate
if you do a request (ca enroll <pki-name> <pwd> ipaddress) then it must be included - but at least the unstructuredName should be included
and as mentioned before - you have to set the equivalent subject-alternative name - for unstructuredName this is DNS and there has to be the same string - for unstructuredAddress it is IP
(this is mentioned somewhere at the cisco-vpn-documentation for pix)
i add both usually
greetings dalini
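
The DN/subjectAltName pairing described in the reply above, as an added example (not part of the original thread, and not OpenCA or Cisco code): a check run over the text form of an issued certificate. The sample certificates, host name and address are constructed, and the layout of the `openssl x509 -noout -text` output is an assumption.

```python
import re

# Constructed samples in the style of `openssl x509 -noout -text` output
# (hypothetical host name, documentation-range address).
SAMPLE_OK = """\
        Subject: C = DE, O = Example, CN = pix1, unstructuredName = pix1.example.test, unstructuredAddress = 192.0.2.10
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:pix1.example.test, IP Address:192.0.2.10
"""
SAMPLE_BAD = """\
        Subject: C = DE, O = Example, CN = pix1, unstructuredName = pix1.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:pix1, IP Address:192.0.2.10
"""

def _subject_attr(text, name):
    """Return the value of one subject attribute, or None if it is absent."""
    subject = re.search(r"^\s*Subject:(.*)$", text, re.M)
    if not subject:
        return None
    m = re.search(r"\b%s\s*=\s*([^,/]+)" % re.escape(name), subject.group(1))
    return m.group(1).strip() if m else None

def _san_values(text, label):
    """Collect subjectAltName entries with the given label (DNS, IP Address)."""
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    if not san:
        return []
    entries = [e.strip() for e in san.group(1).split(",")]
    return [e[len(label) + 1:] for e in entries if e.startswith(label + ":")]

def check_pix_cert(text):
    """List the ways the certificate deviates from the DN/SAN pairing."""
    problems = []
    name = _subject_attr(text, "unstructuredName")
    addr = _subject_attr(text, "unstructuredAddress")
    if name is None:
        problems.append("subject has no unstructuredName")
    elif name not in _san_values(text, "DNS"):
        problems.append("no SAN DNS entry equal to unstructuredName " + name)
    # unstructuredAddress is optional, but if present it needs a matching IP entry
    if addr is not None and addr not in _san_values(text, "IP Address"):
        problems.append("no SAN IP entry equal to unstructuredAddress " + addr)
    return problems
```
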
Openca-Users mailing list https://lists.sourceforge.net/lists/listinfo/openca-users
