dalini wrote:
Konstantin Khrooschev wrote:
Oct 22 15:56:46.149 MSD: CRYPTO_PKI: status = 100: certificate is granted
Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed (1795):
Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed
Oct 22 15:56:53.236 MSD: Could not extract router cert from certrep, error=0x703
Oct 22 15:56:53.240 MSD: CRYPTO_PKI: can not set ca cert object (0x10D)
Oct 22 15:56:53 MSD: %SYS-2-FREEBAD: Attempted to free memory at 2F17FF4, not part of buffer pool
-Traceback= 2155B84 2C381D0 2C487CE 2C3F0D8
Oct 22 15:56:53.244 MSD: CRYPTO_PKI: status = 65535: failed to process the inner content
Oct 22 15:56:53 MSD: %CRYPTO-6-CERTFAIL: Certificate enrollment failed.
Oct 22 15:56:53 MSD: %CRYPTO-6-CERT_FATAL_ERR: Invalid format for BER encoding
...
who is wrong now?
hmm, since I don't have ios systems for testing here, this is going to be kind of tricky...
ok, the sscep request is working?
yes, it works now :)
scep is setup with own certs (web-server) for the scep-interface
you get the request and you can issue a cert
can't understand, sorry :-(
at least it looks as if the router gets a granted reply, so it works up to that point...
Oct 22 15:56:53.240 MSD: CRYPTO_PKI: can not set ca cert object (0x10D)
this looks strange...
shouldn't the ca cert already be installed at the router?
yes, the ca certificate is installed and all of the session (skipped) worked fine.
sorry, maybe I didn't explain it all clearly.
the problem occurs on the last action - downloading the signed certificate back to the router.
all other router <-> pub interface <-> ra <-> ca negotiation works fine.
is there something like:
show crypto ca cert (I don't know the ios syntax, I haven't downloaded the documentation right now)
this should show two certificates (the ca and the ra cert, meaning the webserver cert of the scep interface, but for the clients it's an ra) and one pending request before an enrollment gets started...
while enrollment goes on, I see 2 certs and 1 pending request.
---------------------------------------------
RA General purpose Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
EA = [EMAIL PROTECTED]
CN = RTS Certificate Authority
OU = Information Security Dept
O = RTS Stock Exchange
C = RU
Subject:
OID.2.5.4.5 = 3
CN = RTS CA Public Gateway
OU = Trustcenter
O = RTS Stock Exchange
C = RU
CRL Distribution Point:
http://pub.ca.rtsnet.ru/crl/cacrl.crl
Validity Date:
start date: 16:18:34 MSD Oct 4 2004
end date: 16:18:34 MSD Oct 4 2005
Associated Trustpoints: RTS

CA Certificate
Status: Available
Certificate Serial Number: 00
Certificate Usage: General Purpose
Issuer:
EA = [EMAIL PROTECTED]
CN = RTS Certificate Authority
OU = Information Security Dept
O = RTS Stock Exchange
C = RU
Subject:
EA = [EMAIL PROTECTED]
CN = RTS Certificate Authority
OU = Information Security Dept
O = RTS Stock Exchange
C = RU
CRL Distribution Point:
http://pub.ca.rtsnet.ru/crl/cacrl.crl
Validity Date:
start date: 14:59:56 MSD Sep 30 2004
end date: 14:59:56 MSD Sep 30 2006
Associated Trustpoints: RTS

Certificate
Subject:
Name: ats-1605-1.rtsnet.ru
Status: Pending
Key Usage: General Purpose
Fingerprint: 0302773D DA211B97 4FFB5A85 DD086968
Associated Trustpoint: RTS
---------------------------------------------
after "Certificate enrollment failed", only the ca certificate is shown.
can small ram space be the reason for the problem?
how do you set up the ca at the router, as ca or as ra?
as ra of course.
-- Konstantin Khrooschev. RTS Stock Exchange. Information Security Department.
