Thanks again, this did help, as the path was incorrect: it had a double //.
However, as you can see from the debug packet below, I still have the same error?
ccpix(config)# ca authen trust.kicks-ass.net
--------- PACKET ---------
CI thread sleeps!
Crypto CA thread wakes up!-- IP --
83.146.50.2 ==> 67.180.41.25
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x2c
id = 0x8829 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x6 chksum = 0x4141
-- TCP --
source port = 0x471 dest port = 0x50syn
seq = 0x585fe840
ack = 0x0
hlen = 0x6 window = 0x1000
checksum = 0x5064 urg = 0x0
tcp options:
0x2 0x4 0x5 0xb4
--------- END OF PACKET ---------
--------- PACKET ---------
CRYPTO_PKI: http connection opened-- IP --
83.146.50.2 ==> 67.180.41.25
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x28
id = 0x882a flags = 0x0 frag off=0x0
ttl = 0xff proto=0x6 chksum = 0x4144
-- TCP --
source port = 0x471 dest port = 0x50ack
seq = 0x585fe841
ack = 0x4688537a
hlen = 0x5 window = 0x1000
checksum = 0xce0e urg = 0x0
--------- END OF PACKET ---------
--------- PACKET ---------
-- IP --
83.146.50.2 ==> 67.180.41.25
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x84
id = 0x882b flags = 0x0 frag off=0x0
ttl = 0xff proto=0x6 chksum = 0x40e7
-- TCP --
source port = 0x471 dest port = 0x50ack psh
seq = 0x585fe841
ack = 0x4688537a
hlen = 0x5 window = 0x1000
checksum = 0x1fb4 urg = 0x0
-- DATA --
00000028: 47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 73 63 65 | GET /cgi-bin/sce
00000038: 70 2f 70 6b 69 63 6c 69 65 6e 74 2e 65 78 65 3f | p/pkiclient.exe?
00000048: 6f 70 65 72 61 74 69 6f 6e 3d 47 65 74 43 41 43 | operation=GetCAC
00000058: 65 72 74 26 6d 65 73 73 61 67 65 3d 74 72 75 73 | ert&message=trus
00000068: 74 2e 6b 69 63 6b 73 2d 61 73 73 2e 6e 65 74 20 | t.kicks-ass.net
00000078: 48 54 54 50 2f 31 2e 30 0d 0a 0d 0a 1c | HTTP/1.0.....
--------- END OF PACKET ---------
ccpix(config)# --------- PACKET ---------
CRYPTO_PKI: status = 266: failed to verify
-- IP --
CRYPTO_PKI: transaction GetCACert completed
83.146.50.2 ==> 67.180.41.25
Crypto CA thread sleeps!
CI thread wakes up! ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x28
id = 0x882f flags = 0x0 frag off=0x0
ttl = 0xff proto=0x6 chksum = 0x413f
-- TCP --
source port = 0x471 dest port = 0x50ack
seq = 0x585fe89d
ack = 0x4688566f
hlen = 0x5 window = 0x1f40
checksum = 0xbb7d urg = 0x0
--------- END OF PACKET ---------
--------- PACKET ---------
-- IP --
83.146.50.2 ==> 67.180.41.25
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x28
id = 0x8830 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x6 chksum = 0x413e
-- TCP --
source port = 0x471 dest port = 0x50ack fin
seq = 0x585fe89d
ack = 0x4688566f
hlen = 0x5 window = 0x1f40
checksum = 0xbb7c urg = 0x0
--------- END OF PACKET ---------
If you point your browser to http://trust.kicks-ass.net/cgi-bin/scep/pkiclient.exe that is precisely where the script lives.
Permissions on scep/pkiclient.exe are 755, which seems correct?
Anything else I can look at or check?
Many thanks,
marc
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yang Xiang
Sent: Tuesday, February 01, 2005 10:09 AM
To: [email protected]
Subject: RE: [Openca-Users] Need SCEP config help for Cisco PIX
"CRYPTO_PKI: status = 266: failed to verify" means you used an incorrect URL syntax in the ca identity command.
You can use debug crypto ca to display debug messages exchanged with the CA. Use debug packet or capture to capture packets sent to and received from the CA.
If you like, there is an IETF draft for SCEP: http://ietfreport.isoc.org/idref/draft-nourse-scep/#page-16
The SCEP transaction is specified in section 5:
5.5.1 GetCACert HTTP Message Format
"GET" CGI-PATH CGI-PROG "?operation=GetCACert" "&message=" CA-IDENT
where:
CGI-PATH defines the actual CGI path to invoke the CGI program
which parses the request.
CGI-PROG is set to be the string "pkiclient.exe" and this is
expected to be the program that the CA will use to handle the
SCEP transactions.
CA-IDENT is any string which is understood by the CA.
For example, it could be a domain name like ietf.org.
If a certificate authority has multiple CA certificates
this field can be used to distinguish which is required.
Otherwise it may be ignored.
Good luck
Yang
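To make the URL-syntax point and the packet dump earlier in the thread concrete, here is an added example (mine, not code from the thread, from OpenCA or from the PIX) that checks a captured GetCACert request line against the draft's "GET" CGI-PATH CGI-PROG "?operation=GetCACert" "&message=" CA-IDENT form and tests whether a reply body is a single DER SEQUENCE, which is what a GetCACert reply carries. The request bytes are constructed by decoding the hex dump above; the double-slash variant is constructed to show the original path problem.

```python
# Added example (not from the thread or the OpenCA/PIX code): parse the HTTP
# request a PIX sends for SCEP GetCACert and check it against the draft's
# "GET" CGI-PATH CGI-PROG "?operation=GetCACert" "&message=" CA-IDENT syntax.
from urllib.parse import urlsplit, parse_qs

# Constructed by decoding the hex dump in the debug output above.
PIX_REQUEST = (b"GET /cgi-bin/scep/pkiclient.exe?operation=GetCACert"
               b"&message=trust.kicks-ass.net HTTP/1.0\r\n\r\n")
# Constructed: the request a doubled slash in the ca identity URL produces.
BAD_REQUEST = (b"GET /cgi-bin//scep/pkiclient.exe?operation=GetCACert"
               b"&message=trust.kicks-ass.net HTTP/1.0\r\n\r\n")

def check_getcacert_request(raw):
    """Return the problems found in a GetCACert request line (empty list = OK)."""
    problems = []
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return ["not a GET request line: %r" % line]
    url = urlsplit(parts[1])
    path = url.path
    query = parse_qs(url.query, keep_blank_values=True)
    if "//" in path:
        problems.append("double slash in CGI-PATH: " + path)
    if not path.endswith("/pkiclient.exe"):
        problems.append("CGI-PROG must be pkiclient.exe: " + path)
    if query.get("operation") != ["GetCACert"]:
        problems.append("operation must be GetCACert: %r" % query.get("operation"))
    if not query.get("message", [""])[0]:
        problems.append("missing CA-IDENT in message=")
    return problems

def looks_like_der(body):
    """True when body is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the body size, as a GetCACert reply (a DER certificate or
    a degenerate PKCS#7) is. An HTML error page or a PEM text file fails,
    which is the kind of reply the PIX reports as a BER encoding error."""
    if len(body) < 2 or body[0] != 0x30:
        return False
    first = body[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length, n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(body) < 2 + n:
            return False
        length = int.from_bytes(body[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(body)
```

Run check_getcacert_request on the DATA bytes of the captured request and looks_like_der on the body the CA returns; a non-empty problem list or a False result narrows the failure to the URL or to the CA's reply respectively.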
>From: Marc Cohen <[EMAIL PROTECTED]>
>To: [email protected]
>Subject: RE: [Openca-Users] Need SCEP config help for Cisco PIX
>Date: Tue, 1 Feb 2005 12:31:54 -0500
>Reply-To: [email protected]
>
>Thanks for this, but as you can see in the below thread, I tried both
>ways,
>with:
>
>ca configure nexus ca 1 20 crloptional
>
>Error:
>CI thread sleeps!
>Crypto CA thread wakes up!
>ccpix(config)# p connection opened
>CRYPTO_PKI: transaction GetCACert completed
>CRYPTO_PKI: Error: Invalid format for BER encoding while
>
>CRYPTO_PKI: can not set ca cert object.
>CRYPTO_PKI: status = 65535: failed to process RA certificate Crypto CA
>thread sleeps!
>CI thread wakes up!
>
>And
>
>ca configure nexus ra 1 20 crloptional
>
>Error:
>CI thread sleeps!
>Crypto CA thread wakes up!
>ccpix(config)# p connection opened
>CRYPTO_PKI: status = 266: failed to verify
>CRYPTO_PKI: transaction GetCACert completed Crypto CA thread sleeps!
>CI thread wakes up!
>
>I'm not sure what the PIX is trying to verify, but whatever it is,
>it's failing. I've looked through the scripts, but my limited knowledge
>of Perl is unable to fully follow the process and discover where it's failing.
>
>How can I enable debugging on the SCEP process, and where would I look
>for logs to aid in troubleshooting?
>
>My time is running out on this, so any assistance is appreciated.
>
>Marc
>
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
