URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 10220

Original message
"Obtaining the CA certificate"

Posted by mig, 31-Mar-06 16:06
Hardware: Cisco 2821, firmware C2800NM-ADVIPSERVICESK9-M
On a Windows 2003 server I deployed Microsoft CA and installed SCEP support in MS CA.
Accordingly, I deployed IIS.
The config on the Cisco is as follows:

crypto pki trustpoint msca
enrollment retry period 10
enrollment url http://10.1.0.78:80/certsrv/mscep/mscep.dll
revocation-check crl
rsakeypair 2821key 2048 2048
auto-enroll 90 regenerate

Then

crypto pki auth msca

produces the following:
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

AT_Router_2821(config)#
*Mar 31 12:00:57.070: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=msca HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)


*Mar 31 12:00:57.070: CRYPTO_PKI: can not resolve server name/IP address
*Mar 31 12:00:57.070: CRYPTO_PKI: Using unresolved IP Address 10.1.0.78
*Mar 31 12:00:57.074: CRYPTO_PKI: http connection opened
*Mar 31 12:00:57.086: CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Connection: close
Date: Fri, 31 Mar 2006 12:03:57 GMT
Server: Microsoft-IIS/6.0
Content-Length: 4083
Content-Type: application/x-x509-ca-ra-cert

Content-Type indicates we have received CA and RA certificates.

*Mar 31 12:00:57.090: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=msca)

*Mar 31 12:00:57.110: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
*Mar 31 12:00:57.110: crypto_certc_pkcs7_extract_certs_and_crls failed
*Mar 31 12:00:57.110: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795

*Mar 31 12:00:57.110: CRYPTO_PKI: Unable to read CA/RA certificates.
*Mar 31 12:00:57.110: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
*Mar 31 12:00:57.110: CRYPTO_PKI: transaction GetCACert completed

Why does the Cisco accept the certificate from MS CA?


Contents

Messages in this thread
"Obtaining the CA certificate"
Posted by skor, 31-Mar-06 17:50
add to crypto pki trustpoint msca
  enrollment mode ra

and the fingerprint of your CA.





"Obtaining the CA certificate"
Posted by mig, 31-Mar-06 18:50
>add to crypto pki trustpoint msca
>  enrollment mode ra
>
>and the fingerprint of your CA.

enrollment mode ra is added automatically when you run cry pki auth msca, but as for the fingerprint, the docs say that when the certificate is received it should prompt you to enter the fingerprint... whether that is really the case...
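An off-router check related to the debug output and the fingerprint question above, as an added example that is not part of the original posts: a SCEP GetCACert body served as `application/x-x509-ca-ra-cert` is a DER certificates-only PKCS#7 (SignedData) structure, so a saved response body can be parsed independently and each certificate's SHA-1 thumbprint compared out of band with the CA's. The function names are hypothetical, and the sample bytes are constructed placeholders rather than real certificates.

```python
import hashlib

SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
DATA = bytes.fromhex("2a864886f70d010701")         # OID 1.2.840.113549.1.7.1

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER), not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value, raw_der) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end

def extract_certs(body):
    """Return the raw DER of each certificate in a certs-only PKCS#7 body."""
    tag, content_info, _ = read_tlv(body)
    parts = list(children(content_info)) if tag == 0x30 else []
    if len(parts) < 2 or parts[0][:2] != (0x06, SIGNED_DATA) or parts[1][0] != 0xA0:
        raise ValueError("not a DER PKCS#7 signedData (PEM text or an HTML error page?)")
    return [raw for _, sd, _ in children(parts[1][1])    # SignedData SEQUENCE
            for t, certs, _ in children(sd) if t == 0xA0  # certificates [0] IMPLICIT
            for _, _, raw in children(certs)]

def sha1_thumbprints(body):
    return [hashlib.sha1(c).hexdigest().upper() for c in extract_certs(body)]

def der(tag, *parts):  # DER TLV encoder, used only to build the constructed sample
    body = b"".join(parts)
    n, wide = len(body), len(body) > 0xFF
    head = bytes([n]) if n < 0x80 else bytes([0x81 + wide]) + n.to_bytes(1 + wide, "big")
    return bytes([tag]) + head + body

# Constructed sample, not real X.509: two placeholder "certificates" (CA, RA)
CA, RA = der(0x30, der(0x04, b"C" * 200)), der(0x30, der(0x04, b"constructed RA placeholder"))
SAMPLE = der(0x30, der(0x06, SIGNED_DATA), der(0xA0, der(0x30, der(0x02, b"\x01"), der(0x31),
             der(0x30, der(0x06, DATA)), der(0xA0, CA, RA), der(0x31))))
```

A body that raises `ValueError` here is not well-formed DER PKCS#7 at all; a body that parses but yields unexpected thumbprints is a reason to stop before trusting the trustpoint.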


"Obtaining the CA certificate"
Posted by mig, 31-Mar-06 19:02
>add to crypto pki trustpoint msca
>  enrollment mode ra
>
>and the fingerprint of your CA.


It doesn't help. The Cisco does not get the CA certificate.


"Obtaining the CA certificate"
Posted by OFFSIDE, 08-Aug-07 07:29
http://download.microsoft.com/download/c/e/e/ceef4ccf-b603-4...