Hi!
What does the request look like in the openca interface?
I had some problems in the beginning, but we are using openca (but 9.2rc4,
never change a running system) and dozens of cisco pix firewalls for over 3
years now! There were some pitfalls in the beginning, but for 3 years
everything has been OK.
I would suggest using ca configure ... 1 0 to make it try until it succeeds.
But nonetheless the debug crypto ca should show that the pix tries to retrieve
the cert every minute, 20 times... the insert selfsigned certificate IIRC has
nothing to do with the retrieval of the signed cert from the ca.
But as this is more a cisco issue, I would suggest calling me ... just browse
to www.comnet.de, find the number for Würselen/Aachen. You can reach me directly
with -241 instead of -0
best regards,
jörg
Jörg Bartz, ComNet GmbH
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Schimo Kai
Sent: Monday, 12 February 2007 12:58
To: [email protected]
Subject: [Openca-Users] SCEP enrollment
Hello List,
I'm using openca 0.9.3 rc1.
I've configured the SCEP Interface for use with a CISCO PIX 501.
After I do the ca "enroll <ca-nick> <pwd>" I get the following output on the
PIX:
%
% Start certificate enrollment ..
% The subject name in the certificate will be: pixCAtest.badenit.intern
CI thread sleeps!
Crypto CA thread wakes up!
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
pixCAtest(config)#
pixCAtest(config)#
pixCAtest(config)#
CI thread wakes up!
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 2194 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while
selecting CRL
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while
selecting CRL
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 f6 55 77 f3 a3 90 83 a7 56 83 a1 aa 59 d7 f8 df
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 38 39 33 34 34 32 30 64 33 63 61 31 36 30 66 36 33 37
62 31 61 61 38 61 37 39 31 33 64 39 37 36
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 2194 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while
selecting CRL
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while
selecting CRL
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 94 b5 5e 29 66 18 b9 55 56 d6 95 e2 e9 78 b8 5a
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 38 39 33 34 34 32 30 64 33 63 61 31 36 30 66 36 33 37
62 31 61 61 38 61 37 39 31 33 64 39 37 36
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: All enrollment requests completed.
Insert Selfsigned Certificate:
30 82 01 bf 30 82 01 69 02 20 38 39 33 34 34 32 30 64 33 63
61 31 36 30 66 36 33 37 62 31 61 61 38 61 37 39 31 33 64 39
37 36 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 5b 31
...and that's it.
I've configured the Pix with "ca configure <ca-nick> ra 1 20" so it should try
every minute to get the certificate and stop after 20 tries. But the pix inserts
the cisco self-signed certificate directly after submitting the request to
openca.
When I process the request through openca and issue the certificate, I have to
do the enrollment again to "import" the certificate into the PIX.
Does anybody know a solution, so that it's possible to receive the Certificate
within the "first enroll process"???
Thanks for your help!!!
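Added example (not code from either poster, and not part of openca or the PIX): decoding the "signed attr" hex dumps in the debug output above shows that the CA answered with a CertRep whose pkiStatus is PENDING, which is exactly the case in which the client has to come back later with GetCertInitial polls. It also reads the serialNumber of the dumped self-signed certificate, which turns out to be the same string as the SCEP transaction ID. The attribute value names come from the SCEP draft; the sample strings are copied from the post.

```python
import re
# messageType and pkiStatus values as named in the SCEP draft (draft-nourse-scep)
MESSAGE_TYPES = {"3": "CertRep", "19": "PKCSReq", "20": "GetCertInitial", "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
# Constructed sample: signed attributes of one CertRep and the start of the self-signed cert dump, from the post
PIX_DEBUG = """\
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 33
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 38 39 33 34 34 32 30 64 33 63 61 31 36 30 66 36 33 37
62 31 61 61 38 61 37 39 31 33 64 39 37 36
"""
SELFSIGNED_PREFIX = ("30 82 01 bf 30 82 01 69 02 20 38 39 33 34 34 32 30 64 33 63 "
                     "61 31 36 30 66 36 33 37 62 31 61 61 38 61 37 39 31 33 64 39 37 36")

def der_primitive(raw: bytes) -> tuple:
    """Return (tag, body) of one short-form DER primitive; reject long-form or truncated input."""
    tag, length = raw[0], raw[1]
    if length >= 0x80 or len(raw) < 2 + length:
        raise ValueError("long-form length or truncated DER value")
    return tag, raw[2:2 + length]

def parse_signed_attrs(debug: str) -> dict:
    """Group the hex lines after each 'signed attr' header; PrintableString -> text, else hex."""
    attrs, name, hexbuf = {}, None, []
    for line in debug.splitlines() + [""]:             # trailing "" flushes the last attribute
        m = re.match(r"CRYPTO_PKI: signed attr: ([\w-]+):", line)
        if name and not m and re.fullmatch(r"(?:[0-9a-f]{2}\s*)+", line.strip()):
            hexbuf.append("".join(line.split()))       # continuation of the current value
            continue
        if name:                                       # next header or a non-hex line ends the value
            tag, body = der_primitive(bytes.fromhex("".join(hexbuf)))
            attrs[name] = body.decode("ascii") if tag == 0x13 else body.hex()
        name, hexbuf = (m.group(1), []) if m else (None, [])
    return attrs

def interpret(attrs: dict) -> dict:
    """Name the SCEP fields; pkiStatus PENDING means the client must poll again with GetCertInitial."""
    return {"messageType": MESSAGE_TYPES.get(attrs.get("pki-message-type"), "unknown"),
            "pkiStatus": PKI_STATUS.get(attrs.get("pki-status"), "unknown"),
            "transactionID": attrs.get("pki-transaction-id")}

def selfsigned_serial(prefix_hex: str) -> str:
    """serialNumber of the dumped cert: SEQUENCE(4 bytes) SEQUENCE(4 bytes), then the INTEGER at offset 8."""
    tag, body = der_primitive(bytes.fromhex("".join(prefix_hex.split()))[8:])
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return body.decode("ascii")                        # printable bytes: compare with the transactionID
```

Running `interpret(parse_signed_attrs(PIX_DEBUG))` on the dump gives CertRep / PENDING with transaction ID 8934420d3ca160f637b1aa8a7913d976, and `selfsigned_serial(SELFSIGNED_PREFIX)` returns that same string.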
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users