1. Install CA cert
ciscoasa(config)# crypto ca trustpoint CA
ciscoasa(config-ca-trustpoint)# revocation-check crl
ciscoasa(config-ca-trustpoint)# enrollment url http://10.0.0.6/certsrv/mscep/mscep.dll
ciscoasa(config)# crypto ca authenticate CA
Debug output:
CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Length: 4170
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/8.0
Date: Mon, 29 Apr 2013 11:13:14 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=CA)
INFO: Certificate has the following attributes:
Fingerprint: 537adc87 22cc6e2b 07fdf2e0 18d8ba8b
The PKCS #7 message contains 4 certificates.
CRYPTO_PKI:crypto_pkcs7_extract_ca_cert found cert
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: CA certificate received.
CRYPTO_PKI: crypto_pki_authenticate_tp_cert()
CRYPTO_PKI: trustpoint CA authentication status = 0
Trustpoint 'CA' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.
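The fingerprint the ASA prints during `crypto ca authenticate` is the only thing that ties the downloaded CA certificate to the real CA, since GetCACert runs over plain HTTP; it should be compared with the fingerprint obtained out of band (for example from the CA administrator) before the trustpoint is accepted. The following added helper, not part of the original post, parses the debug lines shown above (embedded as a constructed sample) and performs that comparison, normalising the ASA, certutil and openssl fingerprint notations so they compare equal:

```python
import re

# Constructed sample: the GetCACert debug lines from the ASA output above.
SAMPLE_DEBUG = """\
CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Length: 4170
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/8.0
Content-Type indicates we have received CA and RA certificates.
INFO: Certificate has the following attributes:
Fingerprint: 537adc87 22cc6e2b 07fdf2e0 18d8ba8b
The PKCS #7 message contains 4 certificates.
CRYPTO_PKI: trustpoint CA authentication status = 0
"""

def normalize_fingerprint(fp):
    """Lowercase and strip spaces/colons so '53:7A:DC...' and '537adc87 22cc...' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def parse_getcacert_debug(text):
    """Extract Content-Type, fingerprint, certificate count and status from the debug output."""
    info = {"content_type": None, "fingerprint": None, "cert_count": None, "status": None}
    for line in text.splitlines():
        m = re.match(r"Content-Type:\s*(\S+)", line)
        if m:
            info["content_type"] = m.group(1)
            continue
        m = re.match(r"Fingerprint:\s*([0-9a-fA-F :]+?)\s*$", line)
        if m:
            info["fingerprint"] = normalize_fingerprint(m.group(1))
            continue
        m = re.search(r"PKCS #7 message contains (\d+) certificates", line)
        if m:
            info["cert_count"] = int(m.group(1))
            continue
        m = re.search(r"authentication status = (\d+)", line)
        if m:
            info["status"] = int(m.group(1))
    return info

def check_ca_authentication(text, expected_fingerprint):
    """Return (ok, problems). expected_fingerprint comes from an out-of-band source, not the wire."""
    info = parse_getcacert_debug(text)
    problems = []
    if info["content_type"] != "application/x-x509-ca-ra-cert":
        problems.append("unexpected Content-Type %r" % info["content_type"])
    if info["fingerprint"] is None:
        problems.append("no fingerprint found in debug output")
    elif info["fingerprint"] != normalize_fingerprint(expected_fingerprint):
        problems.append("fingerprint mismatch: device shows %s" % info["fingerprint"])
    if info["status"] != 0:
        problems.append("trustpoint authentication status %r" % info["status"])
    return (not problems, problems)
```

Run it against the captured `debug crypto ca` output with the fingerprint you were given out of band; any problem reported means the CA certificate should be rejected at the accept prompt.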
Depending on the SCEP server configuration, a challenge password may be required to obtain a certificate. In Microsoft's SCEP implementation (NDES), we browse to
http://scepserver/CertSrv/mscep_admin to obtain the password.
ASA config:
ciscoasa(config)# crypto ca trustpoint CA
ciscoasa(config-ca-trustpoint)# keypair testKey
ciscoasa(config-ca-trustpoint)# password C972703054ED1301
ciscoasa(config)# crypto ca enroll CA
% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: ciscoasa.kp.local
% Include the device serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 123456789AB
Request certificate from CA? [yes/no]: yes
Debug output:
CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
The certificate has been granted by CA!