discmakers
asked on
Can not install certificate in local VPN client
Hello,
We have a Cisco ASA 5510 handling VPN with certificates from a Microsoft 2003 Standard Server with a Standalone CA server configured on it. A few weeks ago our cert on our ASA expired against the CA server and we reapplied for a new cert to the ASA. Users who still have a valid cert against our CA server can use these certs to authenticate to VPN and gain access. So that's good but the bad news is if your cert expired, you can not reapply for a certificate nor can a brand new system apply for a certificate. Like I said, we can run existing certs against the ASA and I know that creating a group auth account works (which has been the work around for the time being for the expired cert users).
If I try to do SCEP enrollment via http, I get an "Error 42: Unable to create certificate enrollment request." From Cisco's site, this is what the error means "Description or Action:
The VPN Client was unable to create an enrollment request to enroll the certificate with a certificate authority."
If I try it via creating a cert file enrollment on the client, enrolling manually through the CA and export out a file to import into the VPN client, I get "Error 39: Unable to import certificate." which this description is "Description or Action: The VPN Client was unable to import the certificate. The file path for the certificate may be incorrect or there may be a problem with the file system."
Below in the code snippets, I'll put the 2 separate logs from the client when I try to do it's respective action.
Any and all help is great appreciated.
Brett
We have a Cisco ASA 5510 handling VPN with certificates from a Microsoft 2003 Standard Server with a Standalone CA server configured on it. A few weeks ago our cert on our ASA expired against the CA server and we reapplied for a new cert to the ASA. Users who still have a valid cert against our CA server can use these certs to authenticate to VPN and gain access. So that's good but the bad news is if your cert expired, you can not reapply for a certificate nor can a brand new system apply for a certificate. Like I said, we can run existing certs against the ASA and I know that creating a group auth account works (which has been the work around for the time being for the expired cert users).
If I try to do SCEP enrollment via http, I get an "Error 42: Unable to create certificate enrollment request." From Cisco's site, this is what the error means "Description or Action:
The VPN Client was unable to create an enrollment request to enroll the certificate with a certificate authority."
If I try it via creating a cert file enrollment on the client, enrolling manually through the CA and export out a file to import into the VPN client, I get "Error 39: Unable to import certificate." which this description is "Description or Action: The VPN Client was unable to import the certificate. The file path for the certificate may be incorrect or there may be a problem with the file system."
Below in the code snippets, I'll put the 2 separate logs from the client when I try to do it's respective action.
Any and all help is great appreciated.
Brett
Error 42 Logs:
Cisco Systems VPN Client Version 4.9.01.0180
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
11627 16:15:34.216 07/10/2009 Sev=Debug/7 GUI/0x43B0000B
The value for vpnclient.ini variable KeySize is 2048.
11628 16:16:09.830 07/10/2009 Sev=Warning/3 CERT/0x83600019
Unexpected end of Header.
11629 16:16:09.899 07/10/2009 Sev=Info/4 CERT/0x43600021
Setting key size of 2048 for pkcs10 request.
11630 16:16:14.114 07/10/2009 Sev=Info/5 CERT/0x43600001
Success: enveloped message.
11631 16:16:14.297 07/10/2009 Sev=Info/5 CERT/0x43600001
Success: signed message.
11632 16:16:14.297 07/10/2009 Sev=Info/5 CERT/0x43600001
Success: Encrypted and Signed PKCS request message.
11633 16:16:14.519 07/10/2009 Sev=Warning/3 CERT/0x83600019
Unexpected end of Header.
11634 16:16:14.524 07/10/2009 Sev=Info/4 CERT/0x43600006
Success for: CEP response VERIFY.
11635 16:16:14.524 07/10/2009 Sev=Info/6 CERT/0x4360000B
CEP response Attribute 'MessageType' was '3'.
11636 16:16:14.524 07/10/2009 Sev=Info/6 CERT/0x4360000B
CEP response Attribute 'PKIStatus' was '2'.
11637 16:16:14.525 07/10/2009 Sev=Info/6 CERT/0x4360000B
CEP response Attribute 'FailInfo' was 'Transaction not permitted or supported'.
11638 16:16:14.525 07/10/2009 Sev=Info/6 CERT/0x4360000B
CEP response Attribute 'ContentType' was '2A864886F70D010701'.
11639 16:16:14.525 07/10/2009 Sev=Info/6 CERT/0x4360000B
CEP response Attribute 'MessageDigest' was '93B885ADFE0DA089CDF634904FD59F71'.
11640 16:16:14.525 07/10/2009 Sev=Info/6 CERT/0x4360000B
CEP response Attribute 'SenderNonce' was 'F39D48864F6D524DA185D92136449384'.
11641 16:16:14.525 07/10/2009 Sev=Info/6 CERT/0x4360000B
CEP response Attribute 'RecipientNonce' was 'CC0266EF8FA1C25F6826137875F67301'.
11642 16:16:14.525 07/10/2009 Sev=Info/6 CERT/0x4360000B
CEP response Attribute 'TransactionID' was '6DC93532E93DBFDEF554B21C111F3656'.
11643 16:16:14.525 07/10/2009 Sev=Info/4 CERT/0x43600001
CEP received message type is '3'.
CertRep pkiStatus is '2'.
CertRep failInfo is '2'.
11644 16:16:14.525 07/10/2009 Sev=Info/4 CERT/0x43600008
Certificate request failed with reason 'Transaction not permitted or supported'.
11645 16:16:14.525 07/10/2009 Sev=Info/4 CERT/0x43600009
Deleting request and corresponding public/private keys.
11646 16:16:14.528 07/10/2009 Sev=Info/4 CERT/0x4360000A
CEP response state was: 'FAILURE'.
Error 39 Logs:
Cisco Systems VPN Client Version 4.9.01.0180
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
11647 16:16:59.691 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportMyCertAndKey: 1798
11648 16:16:59.692 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportCertFromPkcs12File fail: 1797
11649 16:16:59.692 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportCertsFromPkcs7File fail: 1795
11650 16:16:59.692 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - BCert_ImportDERFile fail: 1795
11651 16:16:59.692 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportCertsFromPkcs7File fail: 1795
11652 16:16:59.692 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportCertsFromPkcs7File fail: 1795
11653 16:16:59.693 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportMyCertAndKey: 1798
11654 16:16:59.693 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportCertFromPkcs12File fail: 1797
11655 16:16:59.693 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportCertsFromPkcs7File fail: 1795
11656 16:16:59.693 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - BCert_ImportDERFile fail: 1795
11657 16:16:59.693 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportCertsFromPkcs7File fail: 1795
11658 16:16:59.693 07/10/2009 Sev=Warning/3 CERT/0x8360000C
Certificate import failed - ImportCertsFromPkcs7File fail: 1795
I'm having the same problem no matter what I do I can't new certificates onto the clients.
My laptop still has a valid cert and I'm still able to use the Enroll Wizard to use SCEP to get certificates so I'm it seems as though the Cert Server is still happy to issue certs.
When I'm trying to request a new Cert using the VPN Client the error comes back very quick as if its not even been to the Cert Server and nothing is logged on the Cert Server that I can see.
When I request a cert from my laptop the same way it takes a couple of second and then responses with the request complete message.
Not sure if you have noticed that?
My laptop still has a valid cert and I'm still able to use the Enroll Wizard to use SCEP to get certificates so I'm it seems as though the Cert Server is still happy to issue certs.
When I'm trying to request a new Cert using the VPN Client the error comes back very quick as if its not even been to the Cert Server and nothing is logged on the Cert Server that I can see.
When I request a cert from my laptop the same way it takes a couple of second and then responses with the request complete message.
Not sure if you have noticed that?
Also when Enrolling for a new cert does the ASA get envolved or is it just between the Client and the Cert Server?
I've just managed to fix mine,
when I was using the Enroll wizrd within the VPN Client I forgot to add the domain in the field between CEP URL and Challenge Password.
Even though my Cert Server is a standalone Windows 2003 Server and a Standalone CA I specified the DNS domain and this resolved it.
hope it helps you.
when I was using the Enroll wizrd within the VPN Client I forgot to add the domain in the field between CEP URL and Challenge Password.
Even though my Cert Server is a standalone Windows 2003 Server and a Standalone CA I specified the DNS domain and this resolved it.
hope it helps you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks,
Brett