Hi,
I've posted but no one answered.
I tried to resolve my problem using sscep, and this works very well. Here is the result:
[EMAIL PROTECTED] sscep]# ./sscep getca -f sscep.conf
./sscep: starting sscep, version 20030417
./sscep: hostname: localhost
./sscep: directory: cgi-bin/scep/pkiclient.exe
./sscep: port: 80
./sscep: SCEP_OPERATION_GETCA
./sscep: requesting CA certificate
./sscep: scep msg: GET /cgi-bin/scep/pkiclient.exe?operation=GetCACert&message=certifs HTTP/1.0
./sscep: server returned status code 200
./sscep: MIME header: application/x-x509-ca-ra-cert
./sscep: valid response from server
./sscep: found certificate with
  subject: /C=SN/O=BCEAO/OU=PKI-BANQUE/CN=SCEP
  issuer: /C=SN/O=BCEAO/OU=PKI-CA/CN=INT Root CA/[EMAIL PROTECTED]
  usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
  MD5 fingerprint: 37:55:F2:6A:A9:6F:89:87:36:BD:8B:A2:E6:98:BC:B3
./sscep: writing cert
./sscep: certificate written as ./ca.crt-0-0-0
[EMAIL PROTECTED] sscep]#
 
But trying the same thing with a Cisco 1600 router with IOS 12.1, I cannot load the CA's certificate.
What's the problem?
__________________________________________________________________________________
I successfully installed a CA and RA on the same PC.
  I issued a certificate for SCEP using these attributes:
  Web server, 1024, Digital signature, Non repudiation, Key Encipherment, Data Encipherment.
  Then I downloaded the certificate and the key in the browser (Mozilla).
  I created a Scep.crt and scep.key in which I copied the scep certificate and key. I indicated the path for those files in the scep.conf.
 
  In scep.xml I set map_role to no.
  
  
  On a Cisco 1600 router I deal with this configuration:
  
  crypto ca identity certifs
  enrollment mode ra
  enrollment url http://certifs/cgi-bin/scep/scep
  
  crypto ca authenticate certifs
  This last command did not work and gave this debug output:
  
  BICIS(config)#crypto ca authenticate certifs
  01:49:20: CRYPTO_PKI: Sending CA Certificate Request:
  GET /cgi-bin/scep/pkiclient.exe?operation=GetCACert&message=certifs HTTP/1.0
  
  01:49:20: CRYPTO_PKI: http connection opened
  % Error in receiving Certificate Authority certificate: status = 
  FAIL, cert length = 0
  BICIS(config)#
  01:49:24: CRYPTO_PKI: HTTP response header:   HTTP/1.1 200 OK
  Date: Fri, 15 Jul 2005 17:15:54 GMT
  Server: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7c
  Set-Cookie: CGISESSID=7dbba2128ef418313c1316b6a76c2bf3; path=/
  Connection: close
  Content-Type: application/x-x509-ca-ra-cert
  Content-Type indicates we have received CA and RA certificates.
  01:49:24: CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting 
  01:49:24: CRYPTO_PKI: Error: Code 0x0000 while selecting self signed  certificate
  01:49:24: CRYPTO_PKI: WARNING: Certificate, private key or CRL was  not found while verifying 
  01:49:24: CRYPTO_PKI: status = 324: failed to verify
  01:49:24: CRYPTO_PKI: Unable to read CA/RA certificates.
  01:49:24: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA  certificates.
  01:49:24: CRYPTO_PKI: transaction GetCACert completed
  
  I set permission 777 on the path that contains pkiclient.exe.
  I also changed the owner from root to the apache user, but that did not resolve the problem.
  
  Please can someone help me.
  Thanks

