"CRYPTO_PKI: status = 266: failed to verify" means you used an incorrect URL syntax in the ca identity command.
You can use debug crypto ca to display debug messages exchanged with the CA. Use debug packet or capture to capture packets sent to and received from the CA.
If you like, there is an IETF draft for SCEP: http://ietfreport.isoc.org/idref/draft-nourse-scep/#page-16
The SCEP transaction is specified in section 5:
5.5.1 GetCACert HTTP Message Format

"GET" CGI-PATH CGI-PROG "?operation=GetCACert" "&message=" CA-IDENT

where:
CGI-PATH defines the actual CGI path to invoke the CGI program which parses the request.
CGI-PROG is set to be the string "pkiclient.exe" and this is expected to be the program that the CA will use to handle the SCEP transactions.
CA-IDENT is any string which is understood by the CA. For example, it could be a domain name like ietf.org. If a certificate authority has multiple CA certificates this field can be used to distinguish which is required. Otherwise it may be ignored.

Good luck
Yang
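
An added example, not part of the original message and not OpenCA or Cisco code: a small Python check that an enrollment URL matches the GetCACert format quoted from section 5.5.1 above. The host `ca.example.test`, the path `/cgi-bin/scep` and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, quote

CGI_PROG = "pkiclient.exe"  # fixed string per the quoted section 5.5.1


def build_getcacert_url(host, cgi_path, ca_ident):
    """Assemble CGI-PATH CGI-PROG "?operation=GetCACert" "&message=" CA-IDENT."""
    p = cgi_path.strip("/")
    path = f"/{p}/" if p else "/"
    ident = quote(ca_ident, safe="")  # CA-IDENT is an arbitrary string, so escape it
    return f"http://{host}{path}{CGI_PROG}?operation=GetCACert&message={ident}"


def check_getcacert_url(url):
    """Return the deviations from the quoted format; an empty list means well formed."""
    problems = []
    parts = urlsplit(url)
    if not parts.hostname:
        problems.append("no CA host in URL")
    # CGI-PROG is the last path segment and must be the literal string.
    prog = parts.path.rsplit("/", 1)[-1]
    if prog != CGI_PROG:
        problems.append(f"CGI-PROG is {prog!r}, expected {CGI_PROG!r}")
    # The query must carry operation first, then message.
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not query or query[0] != ("operation", "GetCACert"):
        problems.append('query must start with "?operation=GetCACert"')
    if len(query) < 2 or query[1][0] != "message":
        problems.append('"&message=" CA-IDENT must follow the operation')
    return problems


if __name__ == "__main__":
    # Constructed sample URLs (assumptions, not taken from the thread).
    samples = [
        build_getcacert_url("ca.example.test", "/cgi-bin/scep", "ietf.org"),
        "http://ca.example.test/cgi-bin/scep?operation=GetCACert&message=ietf.org",
        "http://ca.example.test/cgi-bin/pkiclient.exe",
    ]
    for url in samples:
        print(url)
        for problem in check_getcacert_url(url) or ["ok"]:
            print("   ", problem)
```
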
From: Marc Cohen <[EMAIL PROTECTED]>
To: [email protected]
Subject: RE: [Openca-Users] Need SCEP config help for Cisco PIX
Date: Tue, 1 Feb 2005 12:31:54 -0500
Reply-To: [email protected]
Thanks for this, but as you can see in the below thread, I tried both ways, with:
ca configure nexus ca 1 20 crloptional
Error:
CI thread sleeps!
Crypto CA thread wakes up!
ccpix(config)# p connection opened
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Error: Invalid format for BER encoding while
CRYPTO_PKI: can not set ca cert object.
CRYPTO_PKI: status = 65535: failed to process RA certificate
Crypto CA thread sleeps!
CI thread wakes up!
And
ca configure nexus ra 1 20 crloptional
Error:
CI thread sleeps!
Crypto CA thread wakes up!
ccpix(config)# p connection opened
CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!
I'm not sure what the PIX is trying to verify, but whatever it is, it's failing. I've looked through the scripts, but my limited knowledge of Perl is unable to fully follow the process and discover where it's failing.
How can I enable debugging on the SCEP process, and where would I look for logs to aid in troubleshooting?
My time is running out on this, so any assistance is appreciated.
Marc
