Hello together,

now it seems as if I have found the solution to my problem *very happy*

A colleague installed a Cisco PKI some time ago, and together we compared OpenCA's CA certificate with the CA certificate of the Cisco PKI. We found out that the CA certificate of OpenCA had two empty entries in the extensions: subjectAltName and issuerAltName.

I changed the configuration of openssl on the CA server so that these two fields are no longer inserted into a certificate, and now I can download the CA certificate with SCEP to my Cisco router.

In about 4 weeks I will be finished with my bachelor exam, and then I will make at least the SCEP and Cisco part available for everybody. Perhaps then I can also give some hints that I will get from my case at Cisco.

If someone runs into similar problems before then, just contact me and I will give you some more information.

Kind regards,
Matthias

On 10/23/06, Matthias Alsmann <[EMAIL PROTECTED]> wrote:
> Hi together,
>
> after I got SCEP successfully working with the sscep client, I now
> wanted to configure my Cisco routers to get their certificates from my
> OpenCA installation.
> But already when I try to get my CA certificate, it fails with the
> following error on my router:
>
> Router(config)#crypto ca authenticate OpenCA
>
> 00:03:40: CRYPTO_PKI: Sending CA Certificate Request:
> GET /cgi-bin/openca/scep/scep/pkiclient.exe?operation=GetCACert&message=OpenCA HTTP/1.0
>
> 00:03:40: CRYPTO_PKI: can not resolve server name/IP address
> 00:03:40: CRYPTO_PKI: Using unresolved IP Address 192.168.1.201
> % Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
>
> Router(config)#
> 00:03:42: CRYPTO_PKI: http connection opened
> 00:03:43: CRYPTO_PKI: HTTP response header:
> HTTP/1.1 200 OK
> Date: Mon, 23 Oct 2006 09:56:31 GMT
> Server: Apache/2.0.53 (Linux/SUSE)
> Set-Cookie: CGISESSID=bb9e766287d5d0ad4cf7d1f2d0886c76; path=/
> Content-Length: 2697
> Connection: close
> Content-Type: application/x-x509-ca-ra-cert
>
> Content-Type indicates we have received CA and RA certificates.
>
> 00:03:43: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=OpenCA)
>
> 00:03:43: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
> 00:03:43: crypto_certc_pkcs7_extract_certs_and_crls failed
> 00:03:43: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
>
> 00:03:43: CRYPTO_PKI: Unable to read CA/RA certificates.
> 00:03:43: %CRYPTO-3-GETCARACERT: Failed to receive RA/CA certificates.
> 00:03:43: CRYPTO_PKI: transaction GetCACert completed
>
>
> My configuration on the Cisco router (ok, not enough for requesting
> certificates, but for downloading the CA cert it should be enough):
>
> crypto ca trustpoint OpenCA
>  enrollment mode ra
>  enrollment url http://192.168.1.201:80/cgi-bin/openca/scep/scep
>
>
> My IOS version and hardware are:
> Cisco 3620 with c3620-ik9o3s6-mz.123-20.bin
>
> I read through some older threads already mentioning this problem, but
> I could not find any hint about what is wrong here. Perhaps someone of you
> can help me.
>
> Kind regards,
>
> Matthias
>

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
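
The reply above traces the problem to empty subjectAltName and issuerAltName extensions in the OpenCA CA certificate. As an added example (not part of the original thread, and not OpenCA or Cisco code), this Python sketch walks a DER-encoded certificate and reports altName extensions that contain no entries; the function names and the sample bytes are assumptions constructed for illustration.

```python
ALT_NAME_OIDS = {bytes.fromhex("551d11"): "subjectAltName",   # OID 2.5.29.17
                 bytes.fromhex("551d12"): "issuerAltName"}    # OID 2.5.29.18

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each child element inside a constructed element."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def empty_alt_names(der):
    """Names of altName extensions whose GeneralNames SEQUENCE holds no entries."""
    found = []
    def walk(value):
        kids = list(children(value))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN, extnValue OCTET STRING }
        is_ext = len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04
        if is_ext and kids[0][1] in ALT_NAME_OIDS:
            tag, inner, _ = read_tlv(kids[-1][1], 0)
            if tag == 0x30 and not inner:   # SEQUENCE of length 0: the empty entry
                found.append(ALT_NAME_OIDS[kids[0][1]])
            return
        for tag, val in kids:
            if tag & 0x20:                  # constructed element: descend into it
                walk(val)
    walk(read_tlv(bytes(der), 0)[1])
    return found

def tlv(tag, content=b""):
    """Encode one DER element; short-form length is enough for the sample below."""
    return bytes([tag, len(content)]) + content
def ext(oid_hex, value):
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x04, value))

# Constructed sample (not a real certificate): a [3] extensions block with two empty altNames.
SAMPLE = tlv(0xA3, tlv(0x30, ext("551d11", tlv(0x30)) + ext("551d12", tlv(0x30))
                       + ext("551d13", tlv(0x30, tlv(0x01, b"\xff")))))
```

To check a real CA certificate, pass its DER bytes to `empty_alt_names()`, for example the result of `ssl.PEM_cert_to_DER_cert()` applied to the PEM text.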
