SCEP support in OpenCA must be manually configured before it will work.

You need to read the documentation, specifically the bits about the SCEP RA certificate setup in config.xml.

You need to ensure you have not built OpenCA with OpenSSL 0.97d

You need to explicitly run ./configure (with the directives you passed to the top-level configure), make, and make install in the src/scep directory - make install_online and make install_offline do not build SCEP correctly.

You need to generate a new RA cert or use the RA cert generated as part of the OpenCA initialisation process. You need to place a copy of this cert and its key somewhere convenient that the web server user has read access to, and point the config.xml SCEP RA Cert and Key URLs to it.

You need to ensure your RA cert does not have a passphrase on it (though you still need to put a bogus passphrase in config.xml).

You need to run configure_etc.sh after editing config.xml entries, and then restart OpenCA.

It seems to me that SCEP support and documentation in OpenCA is pretty bad at the moment - I have got it to work fine with a Cisco ASA router, but it was not easy to figure out.

Hopefully future releases of OpenCA will simplify this, as I imagine a lot of people want to use OpenCA solely as a CA for supporting Cisco VPNs.

Hope that helps

-Pete
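A pre-flight script for the RA cert/key points listed above (an added example, not OpenCA's own code and not part of this thread). It assumes openssl is on the path, the RA key is in PEM form, the web server user is "www-data" unless a third argument says otherwise, and sudo is available for the readability check.

```shell
#!/bin/sh
# Pre-flight checks for the OpenCA SCEP RA cert/key pair (added example, not OpenCA code).
# Paths are passed as arguments; the web server user defaults to an assumed "www-data".

# 1. The RA key must carry no passphrase: OpenCA's SCEP server cannot type one in.
#    openssl marks an encrypted PEM key with a Proc-Type/DEK-Info header or an ENCRYPTED label.
key_is_unencrypted() {
    ! grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# 2. The key must belong to the cert: compare the SubjectPublicKeyInfo PEM from each side.
#    -passin stops openssl from prompting on a tty if someone passes an encrypted key anyway.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$2" -pubout -passin pass:none 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 3. The router encrypts its PKCSReq to the RA cert, so if the cert carries a keyUsage
#    extension it must list Key Encipherment; a cert without keyUsage is unrestricted.
cert_allows_encipherment() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
    [ -n "$text" ] || return 1
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' || return 0
    printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}' | grep -q 'Key Encipherment'
}

# 4. The web server user must be able to read both files (needs root/sudo to run as that user).
readable_by_web_user() {
    sudo -u "$3" sh -c "test -r '$1' && test -r '$2'"
}

# report prints one pass/fail line per check and remembers any failure in $rc
report() { if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; rc=1; fi; }

run_checks() {
    cert=$1; key=$2; user=${3:-www-data}; rc=0
    report key_is_unencrypted "$key"
    report key_matches_cert "$cert" "$key"
    report cert_allows_encipherment "$cert"
    report readable_by_web_user "$cert" "$key" "$user"
    return $rc
}

# Usage: sh scep-ra-check.sh RA_CERT.pem RA_KEY.pem [WEB_USER]
if [ "$#" -ge 2 ]; then run_checks "$@"; fi
```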

On 22/12/2005, at 7:52 AM, [EMAIL PROTECTED] wrote:

Hello, I need help to set up RA SCEP for a Cisco router correctly.

I do Phase I, II, III. Export Data "ALL" from CA and Import "ALL" to RA.
I think this was working.

I can receive the CA certificate from SCEP to the Cisco 2600
(C2600-IK9S-M), Version 12.2(17a).

cisco#sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: CD537CF8F295740A
  Key Usage: General Purpose
  Issuer:
    EA = [EMAIL PROTECTED]
     CN = H D
     OU = YYY
     O = ZZZ GmbH Co KG
     C = DE
  Subject:
    EA = [EMAIL PROTECTED]
     CN = H D
     OU = YYY
     O = ZZZ GmbH Co KG
     C = DE
  CRL Distribution Point:
    http://ra.XXX.de/pub/crl/cacrl.crl
  Validity Date:
    start date: 14:45:31 UTC Dec 21 2005
    end   date: 14:45:31 UTC Dec 29 2015
  Associated Identity: abc

Certificate
  Subject Name Contains:
    Name: cisco.xxx.de
    Serial Number: 87CEC4C5
  Status: Pending
  Key Usage: Signature
  Fingerprint:  00000000 00000000 00000000 00000000
  Associated Identity: abc

But when I enter

cisco(config)#         crypto ca  enroll abc

% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the
configuration.
   Please make a note of it.
Password: ***
Re-enter password: ***
% The subject name in the certificate will be: cisco.xxx.de
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 12345678
% Include an IP address in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

Cisco: with "debug"
02:01:32: CRYPTO_PKI: transaction PKCSReq completed
02:01:32: CRYPTO_PKI: status:
02:01:32: CRYPTO_PKI: status = 0: failed to select RA encrypt cert
02:01:32: CRYPTO_PKI: status = 65535: failed to set up peer auth context
02:01:32: CRYPTO_PKI: status = 65535: fail to send out pkcsreq
The Cisco can connect to the RA/CA/SCEP - I received the CA certificate a
minute before.

I used Ethereal to sniff. The Cisco router sends no packet to the CA/RA/SCEP to
transfer data.

Is there anyone who can help me?

Must I have certificates for RA? SCEP?
If yes, it would be best to describe a short list of what I have to do, like
1.
2.
3.

Regards Herbert

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users