Answer the question
In order to leave comments, you need to log in
How to get a certificate from MS CA for "old" CISCO?
There is a park of old 2801 cisco with different software versions. (Some do not update for various reasons).
There used to be a certificate authority on MS server standart 2003 with SCEP Add-on installed - certificates were installed on all ciscos.
Now installed MS Sever standart 2016. Raised CA with NDES. Some routers receive certificates, and some do not.
Tried changing the key size. The algorithm was sha256rsa - it worked, changed to sha1rsa - everything also works on parts, on very old ones - no.
On these it does not receive certificates: c2801-advipservicesk9-mz.124-15.T5.bin
But on these it receives: c2801-advsecurityk9-mz.124-19b.bin
Log of the "old" cisco
xNAME#debug crypto pki server
Crypto PKI Certificate Server debugging is on
xNAME#debug crypto pki transactions
Crypto PKI Trans debugging is on
xNAME#ter mon
xNAME#conf t
Enter configuration commands, one per line. End with CNTL/Z.
xNAME(config)#
001045: May 15 17:43:45.654 Moscow: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.10.10.117, remote= 10.10.10.170,
local_proxy= 10.10.10.117/255.255.255.255/47/0 (type=1),
remote_proxy= 10.10.10.170/255.255.255.255/47/0 (type=1)
001046: May 15 17:43:45.654 Moscow: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.10.10.117, remote= 10.10.10.170,
local_proxy= 10.10.10.117/255.255.255.255/47/0 (type=1),
remote_proxy= 10.10.10.170/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0xD7417C4F(3611393103), conn_id= 0, keysize= 0, flags= 0x400C
001047: May 15 17:43:45.658 Moscow: IPSEC(key_engine): got a queue event with 1 kei messagescrypto pki trustpoint my.Domen.ru
xNAME(ca-trustpoint)#enrollment url http://myUrl:80/certsrv/mscep/mscep.dll
xNAME(ca-trustpoint)#enrollment mode ra
xNAME(ca-trustpoint)#serial-number
xNAME(ca-trustpoint)# ip-address none
xNAME(ca-trustpoint)# revocation-check crl
xNAME(ca-trustpoint)#rsakeypair xNAME.my.Domen.ru
xNAME(ca-trustpoint)#crypto pki authenticate my.Domen.ru
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
001048: May 15 17:43:55.513 Moscow: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=my.Domen.ru HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
001049: May 15 17:43:55.513 Moscow: CRYPTO_PKI: locked trustpoint my.Domen.ru, refcount is 1
001050: May 15 17:43:55.569 Moscow: CRYPTO_PKI: http connection opened
001051: May 15 17:43:55.573 Moscow: CRYPTO_PKI: unlocked trustpoint my.Domen.ru, refcount is 0
001052: May 15 17:43:55.573 Moscow: CRYPTO_PKI: locked trustpoint my.Domen.ru, refcount is 1
001053: May 15 17:43:55.917 Moscow: CRYPTO_PKI: unlocked trustpoint my.Domen.ru, refcount is 0
001054: May 15 17:43:55.917 Moscow: CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Tue, 15 May 2018 12:44:08 GMT
Connection: close
Content-Length: 3896
Content-Type indicates we have received CA and RA certificates.
001055: May 15 17:43:55.917 Moscow: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=my.Domen.ru)
001056: May 15 17:43:55.917 Moscow: crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
001057: May 15 17:43:55.917 Moscow: crypto_certc_pkcs7_extract_certs_and_crls failed
001058: May 15 17:43:55.921 Moscow: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1795
001059: May 15 17:43:55.921 Moscow: CRYPTO_PKI: Unable to read CA/RA certificates.
001060: May 15 17:43:55.921 Moscow: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
001061: May 15 17:43:55.921 Moscow: CRYPTO_PKI: transaction GetCACert completed
Answer the question
In order to leave comments, you need to log in
Toward support of cipher suites. Most likely, the new CA does not support the old cipher suites - based on SSLv2, SSLv3 Or does not support SHA1, but only understands MD5. Or does not understand the length of the key - how much, by the way? Just very old ones can work with a key of no more than 512 bits and only with MD5 (though I don’t know how old it must be)
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question