Thanks for this, but as you can see in the below thread, I tried both ways, with:
ca configure nexus ca 1 20 crloptional
Error:
CI thread sleeps!
Crypto CA thread wakes up!
ccpix(config)# p connection opened
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Error: Invalid format for BER encoding while
CRYPTO_PKI: can not set ca cert object.
CRYPTO_PKI: status = 65535: failed to process RA certificate
Crypto CA thread sleeps!
CI thread wakes up!
And
ca configure nexus ra 1 20 crloptional
Error:
CI thread sleeps!
Crypto CA thread wakes up!
ccpix(config)# p connection opened
CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!
I'm not sure what the PIX is trying to verify, but whatever it is, it's failing. I've looked through the scripts, but my limited knowledge of Perl is unable to fully follow the process and discover where it's failing.
How can I enable debugging on the SCEP process, and where would I look for logs to aid in troubleshooting?
My time is running out on this, so any assistance is appreciated.
Marc
-----Original Message-----
From: Yang Xiang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 01, 2005 1:09 AM
To: [email protected]; [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Need SCEP config help for Cisco PIX
Hi Marc,
your OpenCA acts as a RA instead of CA. Therefore you should configure your PIX like this:
ca config nexus ra 1 20 crloptional
~~~
In your case you configured your OpenCA (nexus) wrongly as a CA. Then the PIX expected a message in BER format instead of DER.
There are some lines from the file ~/lib/cmds/scepgetCACert:
-------------------------------------------------------------------
## we now convert into a simple pkcs7 data file
$cryptoShell->crl2pkcs7 ( INFORM=>"PEM", OUTFORM=>"DER",
CERTSLIST=>[ @certsList ], OUTFILE=>"$p7_file");
## Send the response to the SCEP client
print "Content-type: application/x-x509-ca-ra-cert\n\n";
print $tools->getFile( "$p7_file");
-----------------------------------------------------------------------
You'll see that the certificates are actually encoded in DER.
Since almost all of the source code is in Perl, you can change anything you like and test it in real time.
Best,
Yang
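As an added illustration of the point above (this is example code written for this thread, not OpenCA's or Cisco's): a small stdlib-only Python checker that classifies a GetCACert response body the way an SCEP client has to, telling a bare DER X.509 certificate (what the PIX expects in "ca" mode) from the PKCS#7 certs-only CA/RA bundle that scepgetCACert sends under application/x-x509-ca-ra-cert (what it expects in "ra" mode), rejecting indefinite-length BER, and flagging a body that disagrees with the Content-Type header. The DER byte strings at the bottom are constructed skeletons, not real certificates.

```python
"""Classify an SCEP GetCACert response body the way an SCEP client does.
Added example for this thread, not OpenCA or Cisco code; the DER byte strings
at the bottom are constructed skeletons, not real certificates."""

# DER-encoded value of the PKCS#7 signedData OID, 1.2.840.113549.1.7.2
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")

def _read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) of the DER TLV at pos. Only definite
    lengths pass: DER is the definite-length subset of BER, so 0x80 is rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length: BER, not DER")
    length = first
    if first >= 0x80:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, pos, pos + length

def classify_getcacert(body, content_type):
    """Return "ca" for a bare X.509 certificate (what `ca` mode expects) or "ra"
    for a PKCS#7 certs-only CA/RA bundle (what `ra` mode expects); raise
    ValueError if the body is malformed or disagrees with the Content-Type."""
    tag, start, end = _read_tlv(body)
    if tag != 0x30 or end != len(body):
        raise ValueError("body is not a single outer SEQUENCE")
    inner_tag, istart, iend = _read_tlv(body, start)
    if inner_tag == 0x06 and body[istart:iend] == SIGNED_DATA_OID:
        kind, expected = "ra", "application/x-x509-ca-ra-cert"  # scepgetCACert's type
    elif inner_tag == 0x30:  # first child of a Certificate is tbsCertificate
        kind, expected = "ca", "application/x-x509-ca-cert"
    else:
        raise ValueError("neither X.509 Certificate nor PKCS#7 ContentInfo")
    if content_type.split(";")[0].strip().lower() != expected:
        raise ValueError(f"body is {kind!r} but Content-Type is {content_type!r}")
    return kind

# Constructed DER skeletons (structure only) that exercise each branch.
RA_BUNDLE = bytes.fromhex("300f" "06092a864886f70d010702" "a0020500")
CA_CERT = bytes.fromhex("300a" "3003020102" "3000" "030100")
BER_INDEFINITE = bytes.fromhex("3080" "06092a864886f70d010702" "0000")
```

Run it against the bytes and Content-Type your SCEP server actually returns for GetCACert; "ra" means the PIX should be told "ca config nexus ra ...", "ca" means the bare-certificate form.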
>From: Marc Cohen <[EMAIL PROTECTED]>
>To: "'[email protected]'"
> <[email protected]>
>Date: Mon, 31 Jan 2005 11:44:06 -0500
>Subject: [Openca-Users] Need SCEP config help for Cisco PIX
>Reply-To: [email protected]
>
>We've been running OpenCA for a couple of years now, and are upgrading
>to 0.9.2.1.
>
>I need to get SCEP working so we can issue certificates to our PIX
>devices, unfortunately I have been unable to get this working and
>really need some help before someone insists we install a MicroShaft CA
>(I REALLY don't want to have to do that).
>
>I have been working with Cisco for a couple of days, and have ruled out
>anything on the PIX as we can SCEP to a MS CA successfully...
>
>Below is the debug crypto ca errors for trying as both RA and CA:
>
>------------------------
>ccpix(config)# ca config nexus ca 1 20 crloptional
>ccpix(config)# ca auth nexus
>
>CI thread sleeps!
>Crypto CA thread wakes up!
>ccpix(config)# p connection opened
>CRYPTO_PKI: transaction GetCACert completed
>CRYPTO_PKI: Error: Invalid format for BER encoding while
>
>CRYPTO_PKI: can not set ca cert object.
>CRYPTO_PKI: status = 65535: failed to process RA certificate
>Crypto CA thread sleeps!
>CI thread wakes up!
>ca config nexus ra 1 20 crloptional
>ccpix(config)# ca auth nexus
>
>CI thread sleeps!
>Crypto CA thread wakes up!
>ccpix(config)# p connection opened
>CRYPTO_PKI: status = 266: failed to verify
>CRYPTO_PKI: transaction GetCACert completed
>Crypto CA thread sleeps!
>CI thread wakes up!
>ccpix(config)#
>------------------------
>
>All that happens in the stderr.log is:
>------------------------
>OpenCA::Logger::Syslog::Sys: Using syslog priority CRIT because no
>level was specified.
>PKI Master Alert: Logging error
>PKI Master Alert: Aborting all operations
>PKI Master Alert: Error: 64510030
>PKI Master Alert: Message: addMessage failed for log slot sys_syslog
>(6511070). Cannot write to syslogdevice.
>PKI Master Alert: debugging messages of logging follow
>OpenCA: General error trapped 6296060: Permission denied. at
>/usr/lib/perl5/site_perl/5.8.5/OpenCA/UI/HTML.pm line 179.
>Compilation failed in require at
>/usr/local/openca/OpenCA/etc/openca_start
>line 62.
>------------------------
>
>We have setup one server as CA/RA hosting a MySQL DB, and a second box
>as Public/SCEP/LDAP connecting to the MySQL DB on the RA/CA box.
>
>I see the request coming into the SCEP but am getting the failure. I
>have looked through the available support here and not found anything
>to help me get this up and running.
>
>Let me know what configs you wish to see; these are test boxes, so there
>is no problem with crashing and burning to get it working - I just want
>to get it working before someone pulls the plug on me and forces me to the MS path.
>
>Many thanks in advance, Marc.
