Certificate for RA and SCEP, Cisco Router CRYPTO-6-CERTFAIL: Certificate enrollment failed
Thanks to dalini, Martin Bartosch and Pete for the help so far.
Tips for others with the same problems:
(The Cisco router gets the CA certificate from the SCEP interface, but not the
RA/SCEP certificate. The reason is that the certificate for SCEP is not configured,
and it must be without a password. Here are my steps...)
I take the RA-Operator certificate and do these steps:
CA: Information -> Certificates -> Valid -> Shows the certificates
Click on Serial for Role RA-Operator
At the end: Certificate and Keypair (SSLeay mod_ssl), and click on Download.
The RA-Operator password has to be entered here.
Then you get a text window with this:
-----BEGIN CERTIFICATE-----
MIIGdjCCBV6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCREUx
...
DLdsTyuT5wjwlVWauQ80l1PUFHlGjKfiB1I=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyhTUDSWwK4fPBKX9X0pkQ4JjesQB70mfAhR5K9r9ovlpNW+K
...
UZ1BduU0i/fB4N2laqi33lIeznC7zSylWttUWG+5jX0TLyOdrUlgAA==
-----END RSA PRIVATE KEY-----
Mark this:
-----BEGIN CERTIFICATE-----
MIIGdjCCBV6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCREUx
...
DLdsTyuT5wjwlVWauQ80l1PUFHlGjKfiB1I=
-----END CERTIFICATE-----
and save it to the file scep_cert.pem.
Mark this:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyhTUDSWwK4fPBKX9X0pkQ4JjesQB70mfAhR5K9r9ovlpNW+K
...
UZ1BduU0i/fB4N2laqi33lIeznC7zSylWttUWG+5jX0TLyOdrUlgAA==
-----END RSA PRIVATE KEY-----
and save it to the file scep_key_with_password.pem.
If you remember, the key had a password.
This must be stripped. You can do it like this:
openssl rsa -in scep_key_with_password.pem -out scep_key.pem
Move scep_cert.pem and scep_key.pem into a directory which can be
used by Apache (for the SCEP installation), possibly
mkdir /usr/local/openra/openca/var/scep
chown -R wwwrun.www scep (the new directory; check the owner and group of the
other Apache files of your OpenCA installation)
Edit config.xml (of the SCEP installation, if it is on a separate PC):
<name>SCEP_RA_CERT</name>
<value>/usr/local/openra/openca/var/scep/scep_cert.pem</value>
<name>SCEP_RA_KEY</name>
<value>/usr/local/openra/openca/var/scep/scep_key.pem</value>
<name>SCEP_RA_PASSWD</name>
<value>1234567890</value>
Do this (SCEP installation):
configure_etc.sh
openca_stop
openca_start
Then on the Cisco I can receive the CA and the "RA"/SCEP certificate:
cisco#sh crypto ca certificates
RA General purpose Certificate
Status: Available
Certificate Serial Number: 02
Key Usage: General Purpose
Issuer:
EA = xxx
CN = Herbert
OU = xxx
O = xxx GmbH Co KG
C = DE
Subject:
OID.2.5.4.5 = 2
CN = xxx
OU = xxx
O = xxx GmbH
C = DE
CRL Distribution Point:
http://ra.xxx.de/pub/crl/cacrl.crl
Validity Date:
start date: 15:13:23 UTC Dec 21 2005
end date: 15:13:23 UTC Dec 21 2006
Associated Identity: xxx
CA Certificate
Status: Available
Certificate Serial Number: xxxxxxxxxxxxxxxx
Key Usage: General Purpose
Issuer:
EA = [EMAIL PROTECTED]
CN = Herbert
OU = xxx
O = xxx GmbH Co KG
C = DE
Subject:
EA = [EMAIL PROTECTED]
CN = Herbert
OU = xxx
O = xxx GmbH Co KG
C = DE
CRL Distribution Point:
http://ra.xxx.de/pub/crl/cacrl.crl
Validity Date:
start date: 14:45:31 UTC Dec 21 2005
end date: 14:45:31 UTC Dec 29 2015
Associated Identity: xxx
But after
crypto ca enroll xxx
the Cisco responds:
%CRYPTO-6-CERTFAIL: Certificate enrollment failed.
%CRYPTO-6-CERT_FATAL_ERR: Certificate, private key or CRL was not found
Therefore check whether the
CRL Distribution Point:
http://ra.xxx.de/pub/crl/cacrl.crl
can be reached from the router. Possibly copy this URL into your browser and
check it.
Firefox on my installation says:
Forbidden
You don't have permission to access /pub/crl/cacrl.crl on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an
ErrorDocument to handle the request.
Go to
/srv/www/vhosts/ra.xxx.de/htdocs/pub/crl
("/srv/www/vhosts/ra.xxx.de/" must be the Apache web server path of your SCEP
installation).
In my installation I find 4 links here:
cacrl.der, cacrl.pem, cacrl.txt, cacrl.crl, pointing to a path of the
installation (not of the web server), like this:
cacrl.crl ->
../../../../../../../usr/local/openra/openca/var/crypto/crls/cacrl.crl
Please check whether the file referenced in the Cisco CRL entry exists (here
cacrl.crl). If not, do the following: go into the directory and run
touch cacrl.crl
chown wwwrun.www cacrl.crl
And when I now try again:
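As an added example (not from the post or from OpenCA), a small Python check that takes the CRL Distribution Point URL out of the router's show output, maps it onto the vhost's htdocs the way Apache would, and tells a dangling symlink (Apache answers 403 Forbidden) apart from a file that is simply missing. The sample show output, the temporary directory tree and the function names are constructed here.

```python
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample of the relevant lines from "show crypto ca certificates"
# (host and path as redacted in the post); both certs name the same CRL.
SAMPLE_SHOW_OUTPUT = """\
RA General purpose Certificate
CRL Distribution Point:
http://ra.xxx.de/pub/crl/cacrl.crl
CA Certificate
CRL Distribution Point:
http://ra.xxx.de/pub/crl/cacrl.crl
"""

def crl_urls(show_output):
    """Return the distinct CRL Distribution Point URLs in order of appearance."""
    lines = show_output.splitlines()
    urls = []
    for i, line in enumerate(lines[:-1]):
        if line.strip() == "CRL Distribution Point:":
            url = lines[i + 1].strip()
            if url and url not in urls:
                urls.append(url)
    return urls

def check_crl_path(htdocs, url):
    """Map the URL path onto the vhost's htdocs and report what Apache finds:
    'ok', 'dangling' (symlink whose target is missing -> Apache 403) or 'missing'."""
    path = os.path.join(htdocs, urlparse(url).path.lstrip("/"))
    if os.path.islink(path) and not os.path.exists(path):
        return "dangling", os.path.realpath(path)
    if not os.path.exists(path):
        return "missing", path
    return "ok", os.path.realpath(path)

def demo():
    # Rebuild the post's layout in a temp tree: htdocs/pub/crl/cacrl.crl is a
    # relative symlink into an OpenCA var tree whose cacrl.crl is missing.
    root = tempfile.mkdtemp()
    htdocs = os.path.join(root, "htdocs")
    crl_dir = os.path.join(htdocs, "pub", "crl")
    target = os.path.join(root, "openca", "var", "crypto", "crls", "cacrl.crl")
    os.makedirs(crl_dir)
    os.makedirs(os.path.dirname(target))
    os.symlink(os.path.relpath(target, crl_dir), os.path.join(crl_dir, "cacrl.crl"))
    url = crl_urls(SAMPLE_SHOW_OUTPUT)[0]
    before = check_crl_path(htdocs, url)[0]
    open(target, "w").close()  # same effect as "touch cacrl.crl"
    return before, check_crl_path(htdocs, url)[0]
```

It reports only whether the file Apache would serve exists, not whether its content is a CRL the router can parse, so an empty file created with touch passes this check.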
#crypto ca enroll xxx
% Start certificate enrollment ..
...
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: xxCEC4xx
% Include an IP address in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
cisco(config)#
Signing Certificate Reqeust Fingerprint:
AEC53D8C 000CD0C9 F6A700D5 C5138094
Encryption Certificate Request Fingerprint:
91E37FB1 17C85AE8 7875A442 2BE16A95
%CRYPTO-6-CERTFAIL: Certificate enrollment failed.
%CRYPTO-6-CERTFAIL: Certificate enrollment failed.
If I have made a mistake up to here (in this description of what to do for the
next guys), please Martin Bartosch, dalini, Pete, correct me as soon as possible.
I cannot find a certificate request from my Cisco router in the RA or PUB
interface of OpenCA.
And now I also need help from the developers.
--------------------------------------------
(In an earlier list entry someone asked for the version of OpenSSL:
# which openssl
/usr/bin/openssl
# openssl version
OpenSSL 0.9.7g 11 Apr 2005)
Thanks
Kindest regards and Merry X-mas.
Herbert
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users