Oliver Welter wrote:
> Hi Folks,
>
> I have problems again with the cisco-scep stuff...
> We did some successful testing last weeks and now just exchanged the
> certificates of the CA by new ones - now we have again the problem, that
> the cisco device is not accepting them....
>

what are the exact differences to the previous ca-certificates which worked? why is there mentioned a chain ;)? does it mean - you have a root ca and sub cas?

in the past cisco devices didn't accept chained cas... so it was not possible to have a root ca and sub-cas - this may have changed, you should verify in the cisco documentation or knowledge base or ask them, i think someone has a necessary contract to send in support requests...

> Things we put a look on:
> Subject and Issuer Alternative Name contain an email address

i think this shouldn't be a problem

> DNs do not contain special chars
> KeyUsage is keyEncipher, CRL Sign, Certificate Sign, Digital Signature

what key usages did the working certs have?

> Any ideas on what's going on ??

does the more detailed debug command give some more detailed information about what's going wrong? maybe the reason for not accepting the certificate?

what is the key size of the ca-certificates? (cisco devices only accept till 2048 bits... at least in the past ;)

greetings
dalini
