Cisco
Nikolai, 2018-05-17 01:10:07

How to get a certificate from an MS CA for an "old" Cisco?

There is a fleet of old Cisco 2801 routers with different software versions (some cannot be updated for various reasons).
There used to be a certificate authority on MS Server Standard 2003 with the SCEP add-on installed - certificates were installed on all the Ciscos.
Now MS Server Standard 2016 is installed, with a CA and NDES set up. Some routers receive certificates, and some do not.
I tried changing the key size. The algorithm was sha256rsa - it worked; I changed it to sha1rsa - it also works on some of them, but not on the very old ones.
On these it does not receive certificates: c2801-advipservicesk9-mz.124-15.T5.bin
But on these it does: c2801-advsecurityk9-mz.124-19b.bin
Log of the "old" cisco

xNAME#debug crypto pki server
Crypto PKI Certificate Server debugging is on
xNAME#debug crypto pki transactions
Crypto PKI Trans debugging is on
xNAME#ter mon
xNAME#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
xNAME(config)#

001045: May 15 17:43:45.654 Moscow: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.10.10.117, remote= 10.10.10.170,
    local_proxy= 10.10.10.117/255.255.255.255/47/0 (type=1),
    remote_proxy= 10.10.10.170/255.255.255.255/47/0 (type=1)
001046: May 15 17:43:45.654 Moscow: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.10.10.117, remote= 10.10.10.170,
    local_proxy= 10.10.10.117/255.255.255.255/47/0 (type=1),
    remote_proxy= 10.10.10.170/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0xD7417C4F(3611393103), conn_id= 0, keysize= 0, flags= 0x400C
001047: May 15 17:43:45.658 Moscow: IPSEC(key_engine): got a queue event with 1 kei messagescrypto pki trustpoint my.Domen.ru
xNAME(ca-trustpoint)#enrollment url http://myUrl:80/certsrv/mscep/mscep.dll
xNAME(ca-trustpoint)#enrollment mode ra
xNAME(ca-trustpoint)#serial-number
xNAME(ca-trustpoint)# ip-address none
xNAME(ca-trustpoint)# revocation-check crl
xNAME(ca-trustpoint)#rsakeypair xNAME.my.Domen.ru
xNAME(ca-trustpoint)#crypto pki authenticate my.Domen.ru
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

001048: May 15 17:43:55.513 Moscow: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=my.Domen.ru HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)


001049: May 15 17:43:55.513 Moscow: CRYPTO_PKI: locked trustpoint my.Domen.ru, refcount is 1
001050: May 15 17:43:55.569 Moscow: CRYPTO_PKI: http connection opened
001051: May 15 17:43:55.573 Moscow: CRYPTO_PKI: unlocked trustpoint my.Domen.ru, refcount is 0
001052: May 15 17:43:55.573 Moscow: CRYPTO_PKI: locked trustpoint my.Domen.ru, refcount is 1
001053: May 15 17:43:55.917 Moscow: CRYPTO_PKI: unlocked trustpoint my.Domen.ru, refcount is 0
001054: May 15 17:43:55.917 Moscow: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Tue, 15 May 2018 12:44:08 GMT
Connection: close
Content-Length: 3896

Content-Type indicates we have received CA and RA certificates.

001055: May 15 17:43:55.917 Moscow: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=my.Domen.ru)

001056: May 15 17:43:55.917 Moscow: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
001057: May 15 17:43:55.917 Moscow: crypto_certc_pkcs7_extract_certs_and_crls failed
001058: May 15 17:43:55.921 Moscow: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795

001059: May 15 17:43:55.921 Moscow: CRYPTO_PKI: Unable to read CA/RA certificates.
001060: May 15 17:43:55.921 Moscow: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
001061: May 15 17:43:55.921 Moscow: CRYPTO_PKI: transaction GetCACert completed


Unfortunately, I did not look at the version of the certificates that were there before, but the ones that are replaced without problems are of the same version - V3.
joxi.ru/BA0avvnSJ5zVwr
There are no records of these unreceived certificates in the CA logs.
In which direction can I still "dig"? Maybe there is a way to simplify (downgrade) the certificates?

1 answer

CityCat4, 2018-05-18

In the direction of cipher suite support. Most likely, the new CA does not support the old cipher suites based on SSLv2/SSLv3. Or it does not support SHA1 and only understands MD5. Or it does not understand the key length - how long is it, by the way? Very old ones can only work with a key of no more than 512 bits and only with MD5 (though I don't know how old it would have to be).
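The debug log shows the router receiving an application/x-x509-ca-ra-cert body (the CA and RA certificates wrapped in a degenerate PKCS#7) and then failing to parse it (crypto_certc_pkcs7_extract_certs_and_crls failed (1795)), and the answer asks about key length and hash algorithm. The script below, added here and not part of the thread, pulls the same GetCACert response from an admin workstation and lists those properties for every certificate in it; it assumes openssl and curl are installed, and the NDES host and trustpoint name are placeholders for the values in the router's enrollment url.

```shell
#!/bin/sh
# Added example (not from the thread): pull the GetCACert response the router
# requests and list, per certificate, the properties an old IOS PKCS#7 parser
# may refuse (X.509 version, signature algorithm, RSA key size).
# Assumes openssl and curl on the admin workstation; host and trustpoint name
# are placeholders for the values used in the router's enrollment url.

# fetch_getcacert <ndes-host> <message> <out.der>
# Saves the raw application/x-x509-ca-ra-cert body (a degenerate PKCS#7).
fetch_getcacert() {
    curl -fsS -o "$3" \
      "http://$1/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=$2"
}

# inspect_getcacert <p7.der>
# Prints one line per certificate: subject|vN|signature-algorithm|key bits
inspect_getcacert() {
    tmp=$(mktemp -d) || return 1
    # -print_certs unwraps the PKCS#7 into PEM; awk writes one file per cert.
    # Any text outside the BEGIN/END markers is ignored by the PEM reader.
    openssl pkcs7 -inform DER -in "$1" -print_certs |
      awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/cert_" n ".pem")}'
    for pem in "$tmp"/cert_*.pem; do
        [ -f "$pem" ] || continue
        text=$(openssl x509 -in "$pem" -noout -subject -text)
        subject=$(printf '%s\n' "$text" | sed -n 's/^subject=//p')
        version=$(printf '%s\n' "$text" | sed -n 's/^ *Version: \([0-9]*\).*/\1/p')
        # "Signature Algorithm" appears twice in -text output; the first is the TBS one
        sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
        # matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (3.x)
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        printf '%s|v%s|%s|%s bit\n' "$subject" "$version" "$sigalg" "$bits"
    done
    rm -rf "$tmp"
}

# Usage against a real NDES server (placeholders, not run here):
#   fetch_getcacert ndes.example.test my.Domen.ru getcacert.der
#   inspect_getcacert getcacert.der
```

Compare the listed versions, signature algorithms and key sizes between a CA that the 12.4(15)T5 image accepts and the one it rejects; whatever differs is the first thing to try changing on the NDES side.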
