ISE - how the CRL broke all our certificate authentication

Dear all,

We have a strange problem with ISE 1.2 (899).

Some of our clients (PC, printers, IP phones) use certificates to authenticate over the network.

Printers and IP phones use certificates from the same product CA (for the sake of memory we call it CA Alpha), but the PCs use certificates provided by another certification authority (called CA Beta).

The problem is that if we configure a CRL for CA Alpha (the CRL download is OK, checked with tcpdump), we see that all clients (clients using CA Alpha or CA Beta) can no longer authenticate, and the following error messages are displayed:

12514 EAP - TLS failed SSL/TLS handshake because of unknown CA in the client certificate chain

SSL Alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA-error unable to get local issuer certificate"

47726909679936:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720:

However, if we configure a CRL for CA Beta, this issue does not occur.

Has anyone experienced the same problem?

Or are there any ideas on how we can debug the issue?

Thank you in advance.

Best regards

Erik Molnar

ISE Trusted Certificates list is not read entirely when a corrupt cert is present

Tags: Cisco Security

Similar Questions

  • Trying to install Flash Player. I get the message: "Internal error, Abort: certificate authentication failed, please reinstall to fix the problem." How do I fix this?

    All the details in the title

    This solved it for me:
    1. click on Start... Run
    2. type in the text box: "gpedit.msc" and press Enter
    3. open in the left panel:
    User Configuration... Windows Settings... Internet Explorer Maintenance... Security
    4. click on "Authenticode Settings" in the right panel
    5. uncheck "Enable trusted publisher lockdown" and click OK

    It should work now...

  • How can I find out the FULL domain name and other names needed to install a public digital certificate in ISE?

    We are implementing a project with Cisco ISE, but the guest portal appears to users as an "untrusted site". To fix this, a public digital certificate must be installed in Cisco ISE, so that it can be sent to users who enter the guest web portal.

    Now... to sell me the certificate, VeriSign needs to know the ISE settings for the certificate, such as the FULL domain name, alternative names, etc. How can I get these parameters from ISE?

    Thanks a lot!

    This isn't an easy question to answer; there are a ton of variables to include.

    Local Web Auth or Central Web Auth

    With LWA, the WLC is the "man in the middle" for the client's request to the PSN (Policy Service Node): the WLC takes the webauth request and then redirects to the webauth redirect URL that you put in the WLC.

    If the webauth redirect URL is https://ise01.mycompany.com:8443/guestportal/login.action, the WLC does a redirect but the virtual IP address comes in as 1.1.1.1, which is not trusted, so the redirection complains; then you may have to get a public certificate for the FQDN of 1.1.1.1 and for the guest server. You can create a CSR using openssl, or you can just go into ISE and create a CSR, but there you can only set CN=ise01.mycompany.com and nothing else. As long as you have a single PSN that is fine, but if you have several PSNs you need to change your CSR, so you have to use openssl to create the CSR using an openssl.cnf file, and then with openssl you do the following:

    openssl req -new -nodes -out ise04.csr -config openssl.cnf

    You must do it the way I said above regardless of CWA or LWA: if you have more than one PSN, you must point to the FQDN of a VIP and then configure your DNS to answer for these host names. With LWA you have the WLC virtual IP 1.1.1.1 involved, so you don't have to worry about getting a certificate for that; it is a cleaner installation, but you must still do all the rest. You must ensure that your guest users are able to reach the guest portal and to resolve the given DNS name through the DNS server they have been configured with.

    Content of the file openssl.cnf:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    default_bits = 2048

    [req_distinguished_name]
    countryName = name of the country (2-letter codes)
    countryName_default = en
    localityName = name of the locality (for example, City)
    organizationalUnitName = organizational unit name (for example, section)
    commonName = Common Name (eg, YOUR name)
    commonName_max = 64
    emailAddress = Email address
    emailAddress_max = 40

    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = guest.mycompany.com
    DNS.2 = guest.mycompany.com
    DNS.3 = ise01.mycompany.com

  • Problem with the IOS certificate server not updating the CRL

    Hi all

    The background is that I'm putting together a DMVPN solution with IPsec tunnels between the spokes, built using certificates.

    I use a Cisco 877 as the CA server (running 12.4(6)T5) to provide certificates for the spoke routers. This part works very well - spokes can apply for a certificate and get one fine.

    The problem is the CA: the CRL lifetime is set to 24 hours, but the CA does not update the CRL, so when the spokes check the CRL (as defined in their trustpoint) they report an error that the CRL is out of date and do not connect.

    If I do a 'show crypto pki server' it lists a 'CRL NextUpdate timer'. It has a timestamp that is 24 hours after the last certificate was revoked. The only way I can get the CRL to be rebuilt is to revoke a certificate.

    So, my question is, am I missing something here? I thought that it would automatically generate a new CRL file every 24 hours.

    Can anyone help?

    Thank you.

    Hey Marc (?)

    This seems to correspond to this bug:

    CSCsy95838    IOS CA: CRL not updated, update timer not started

    However, it does not mention whether 12.4(6)T5 is affected, only that it was found in 12.4(15)T3 and resolved in 12.4(15)T10 and other more recent versions.

    I suggest trying the latest 12.4(15)Tx, 15.0(1)Mx or 15.1(4)Mx version if you can.

    I assume you are aware of this, but just in case: as a workaround, you can disable CRL checking on all DMVPN routers; of course they will then still allow connections from routers with a revoked certificate.

    As a (temporary?) substitute for a revocation list, you can use a 'certificate ACL' with which you can create a kind of manual 'local CRL':

      crypto pki certificate map certACL 10
       serial-number ne
       serial-number ne
       etc.

      crypto pki trustpoint myTP
       match certificate certACL
    (note that "ne" stands for "not equal", so you are permitting any certificate whose serial number is not listed)
    Of course, you would have to configure (and maintain!) this on each participating router in the DMVPN, so it's heavy, but I guess that, depending on how often you revoke certs, it might be an option.
    HTH
    Herbert

    --

    If this post answered your question, please click the "Correct Answer" button.

  • I worked on the website of our church and all of a sudden my computer does not connect to the site. I get a message saying that the connection to the server was reset while the page was loading. Does anyone have any ideas on how I can fix this?

    I worked on the website of our church and all of a sudden this week my computer does not connect to the site. I get a message saying that the connection to the server was reset while the page was loading. Does anyone have any ideas on how I can fix this?

    The error message "the connection was reset" can be caused by a bug in the fix for the BEAST attack (Browser Exploit Against SSL/TLS) that the server does not support.

  • Renewing the identity certificate on a Cisco ASA 5505: do I have to renew all user certificates?

    n00b question.

    I have to renew my SSL identity certificate soon on my Cisco ASA 5505. Will I have to renew all my client certificates on their devices so that they can establish a VPN tunnel?

    Hi dsartoros,

    If you are renewing a self-signed (locally generated) identity certificate, then you will need to install the renewed certificate on the clients so that they can connect without getting an "untrusted server certificate" error.

    If you renew a certificate issued by a 3rd-party CA (by sending a CSR to the CA), then you will not need to make any changes on the clients, as they already trust the root certification authority that issued the first certificate.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • ISE 1.2 CRL

    Hello

    A quick this time...

    Which box requests the CRL? The Admin node or the PSN?

    I'm just assuming that port 80 must be open on the firewall from the Admin node or PSN to the location of the CRL.

    THX

    ISE supports two methods to check the revocation status of a client or server certificate issued by a particular CA. The first is to validate the certificate using the Online Certificate Status Protocol (OCSP), which makes a request to an OCSP service maintained by the certification authority. The second is to validate the certificate against a certificate revocation list (CRL) that is downloaded from the CA into ISE. Both methods can be enabled, in which case OCSP is used first, and only if a status determination cannot be made is the CRL used.

    Please check the following links, which may be useful for the configuration:

    Link-1

    http://www.Cisco.com/en/us/docs/security/ISE/1.0/user_guide/ise10_man_cert.html

  • ASA 8.4(6) "Unable to retrieve or verify CRL"

    Hello

    I have configured our ASA to retrieve a revocation list provided through our Linux certification authority. The CRL is exported via TinyCA as a .crl file and served by Apache.

    The file is accessible to the ASA and so far I see an HTTP 200 (OK). Despite this, I get an "Unable to retrieve or verify CRL".

    The ASA is configured as follows:

    crypto ca trustpoint LINUX-CA-TP
    revocation-check crl none
    enrollment terminal
    crl configure
      policy static
      url 1 http:///issuingca.crl
      no protocol ldap
      no protocol scep

    I then enable debugging and try a "crypto ca crl request LINUX-CA-TP":

    ASA (config)# crypto ca crl request LINUX-CA-TP

    CRYPTO_PKI: CRL is being polled from CDP http:///issuingca.crl.

    Unable to retrieve or verify CRL
    vpn015pi(config)#
    CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Date: Wed, 18 Dec 2013 12:49:01 GMT
    Server: Apache/2.2.22 (Ubuntu)
    Last-Modified: Wed, 18 Dec 2013 09:50:20 GMT
    ETag: ...
    Accept-Ranges: bytes
    Content-Length: 1170
    Connection: close
    Content-Type: application/x-pkcs7-crl

    CRYPTO_PKI: transaction HTTPGetCRL completed

    I'm a little puzzled. The error doesn't really tell where exactly the ASA is failing!

    Thank you

    Hello.

    I know this is a late response, but I found the solution.

    My CA was created through openssl commands and the CRL was copied to the www server. I installed the CA certificate on the ASA and tried to check the revocation list. But it failed. This is the debug output:

    CRYPTO_PKI: CRL is being polled from CDP http://x.x.x.x/ca/root-ca/root-ca.crl.
    crypto_pki_req(0x00007fff2b9e3900, 24, ...)
    CRYPTO_PKI: Crypto CA req queue size = 1.
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: content dump count 81
    ----------
    CRYPTO_PKI: For function crypto_http_send
    GET /ca/root-ca/root-ca.crl HTTP/1.0
    Host: x.x.x.x

    CRYPTO_PKI: For function crypto_http_send
    CRYPTO_PKI: content dump
    -------------------

    CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Date: Wed, 13 Jan 2016 08:10:01 GMT
    Server: Apache/2.4.7 (Ubuntu)
    Last-Modified: Tue, 12 Jan 2016 10:12:50 GMT
    ETag: "31c-529204bc05097"
    Accept-Ranges: bytes
    Content-Length: 796
    Connection: close
    Content-Type: application/x-pkcs7-crl

    CRYPTO_PKI: CRL data
    2d 2d 2d 2d 2d 42 45 47 49 4e 20 58 35 30 39 20 | -----BEGIN X509 ...

    CRYPTO_PKI: transaction HTTPGetCRL completed
    Crypto CA thread sleeps!
    CRYPTO_PKI: Failed to retrieve CRL for trustpoint: ASDM_TrustPoint3. Retrying with next CRL DP...
    Because the CRL file had been downloaded, I checked my CRL with the openssl command on my Linux server:
    openssl crl -inform PEM -text -in crl/root-ca/root-ca.crl
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer:
            Last Update: Jan 12 10:09:33 2016 GMT
            Next Update: Jan 11 10:09:33 2017 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:E9:5E:25:61:EB:5D:9D:7E:2E:1A:3A:DA:71:B3:7B:C2:55:8D:59:66

                Authority Information Access:
                    CA Issuers - URI:http://x.x.x.x/ca/root-ca/root-ca.cer

                X509v3 CRL Number:
                    1
    No Revoked Certificates.
        Signature Algorithm: sha256WithRSAEncryption
        ...
    -----BEGIN X509 CRL-----
    ...
    -----END X509 CRL-----
    I found that the CRL file is in PEM format. And because the other format available for a CRL is DER, I converted it to DER format and copied it to the www server.
    openssl crl -inform PEM -outform DER -in crl/root-ca/root-ca.crl -out crl/root-ca/root-ca-der.crl
    After that I tried to download the CRL file with my ASA again, and it succeeded.
    CRYPTO_PKI: CRL is being polled from CDP http://x.x.x.x/ca/root-ca/root-ca.crl.
    crypto_pki_req(0x00007fff2b9e3900, 24, ...)
    CRYPTO_PKI: Crypto CA req queue size = 1.
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: content dump count 81
    ----------
    CRYPTO_PKI: For function crypto_http_send
    GET /ca/root-ca/root-ca.crl HTTP/1.0
    Host: x.x.x.x

    CRYPTO_PKI: For function crypto_http_send
    CRYPTO_PKI: content dump
    -------------------

    CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Date: Wed, 13 Jan 2016 08:28:08 GMT
    Server: Apache/2.4.7 (Ubuntu)
    Last-Modified: Wed, 13 Jan 2016 08:25:54 GMT
    ETag: "227-52932eb2c1926"
    Accept-Ranges: bytes
    Content-Length: 551
    Connection: close
    Content-Type: application/x-pkcs7-crl

    CRYPTO_PKI: CRL data
    30 ...

    CRYPTO_PKI: Found suitable tp
    CRYPTO_PKI: Found suitable tp
    CRYPTO_PKI: Failed to create name objects to compare DNs. status = 1795
    CRYPTO_PKI(select cert) subject = ...
    CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
    CRYPTO_PKI: Storage context locked by thread Crypto CA

    CRYPTO_PKI: inserting CRL
    CRYPTO_PKI: set CRL update timer with delay: 31455520
    CRYPTO_PKI: the current device time: 08:30:53 UTC Jan 13 2016

    CRYPTO_PKI: the last CRL update time: 10:09:33 UTC Jan 12 2016
    CRYPTO_PKI: the next CRL update time: 10:09:33 UTC Jan 11 2017
    CRYPTO_PKI: CRL cache delay being set to: 3600000
    CRYPTO_PKI: Storage context released by thread Crypto CA

    CRYPTO_PKI: transaction HTTPGetCRL completed
    Crypto CA thread sleeps!
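
    Two CRL failures in this thread can be checked offline before touching the device: a PEM-encoded CRL that the ASA would not accept (the fix above), and a CRL whose nextUpdate has passed (the "CRL is out of date" error the DMVPN spokes reported). The following is an added example, not from the forum thread or from any Cisco tool: it sniffs a CRL's encoding, converts PEM to DER with the standard library, and reads thisUpdate/nextUpdate from the TBSCertList. The sample CRL it builds is a constructed, unsigned skeleton carrying the thread's dates, not a real CA's file.

```python
# Added example, not from the forum thread: sniff a CRL's encoding, convert PEM -> DER
# (the ASA fix above), and read thisUpdate/nextUpdate to flag an out-of-date CRL
# (the DMVPN spokes' complaint). Stdlib only; the sample CRL is a constructed skeleton.
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def crl_encoding(data: bytes) -> str:
    """'PEM', 'DER' or 'unknown'. Apache labels both application/x-pkcs7-crl,
    so the HTTP 200 and Content-Type in the debug output cannot tell them apart."""
    if PEM_RE.search(data):
        return "PEM"
    if data[:1] == b"\x30":          # DER CertificateList starts with a SEQUENCE tag
        return "DER"
    return "unknown"

def pem_to_der(data: bytes) -> bytes:
    """Strip PEM armour and base64-decode: what 'openssl crl -inform PEM -outform DER' did."""
    match = PEM_RE.search(data)
    if not match:
        raise ValueError("no PEM CRL armour found")
    return base64.b64decode(b"".join(match.group(1).split()))

def _tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def _time(tag: int, value: bytes) -> datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der: bytes):
    """(thisUpdate, nextUpdate) from a DER CRL's TBSCertList; nextUpdate None if absent."""
    tag, cert_list, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER CertificateList")
    _, tbs, _ = _tlv(cert_list, 0)                  # TBSCertList
    tag, _, after = _tlv(tbs, 0)
    pos = after if tag == 0x02 else 0               # optional version INTEGER
    _, _, pos = _tlv(tbs, pos)                      # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                      # issuer Name
    tag, value, pos = _tlv(tbs, pos)                # thisUpdate
    this_update, next_update = _time(tag, value), None
    if pos < len(tbs):
        tag, value, _ = _tlv(tbs, pos)              # nextUpdate is OPTIONAL; may be revokedCertificates
        if tag in (0x17, 0x18):
            next_update = _time(tag, value)
    return this_update, next_update

def crl_is_stale(der: bytes, now=None) -> bool:
    """True once nextUpdate has passed, i.e. a checker would reject the CRL as out of date."""
    _, next_update = crl_validity(der)
    now = now or datetime.now(timezone.utc)
    return next_update is not None and now > next_update

def _der(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder for the constructed sample (short-form lengths only)."""
    if len(body) >= 128:
        raise ValueError("sample encoder handles bodies under 128 bytes only")
    return bytes([tag, len(body)]) + body

def sample_der_crl() -> bytes:
    """Constructed, unsigned CRL skeleton (not a real CA's): v2, sha256WithRSAEncryption,
    issuer CN=Lab Root CA, thisUpdate 2016-01-12, nextUpdate 2017-01-11, no revocations."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Lab Root CA"))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + _der(0x30, _der(0x31, cn))
               + _der(0x17, b"160112100933Z") + _der(0x17, b"170111100933Z"))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00\x00"))   # dummy BIT STRING signature

def sample_pem_crl() -> bytes:
    """The same skeleton in PEM armour, the default output of 'openssl crl'."""
    return (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(sample_der_crl())
            + b"-----END X509 CRL-----\n")
```

    Run against a real file, `crl_encoding(open(path, "rb").read())` returning "PEM" is the ASA case above, and `crl_is_stale` returning True is the spokes' case; only the dates are parsed, not the signature, so this is a triage step, not a validation.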
  • ACS 5.2.0.26 retrieval of the CRL from a MS Certification Authority

    Hi, we have an issue retrieving the CRL.

    Here is an example of what our CRL URL looks like in the issuing and root certificates on the GBA.

    http://XYZ-CA-issuer.com./CertEnroll/XYZ%20Root%20CA.CRL

    I saw a post

    https://supportforums.Cisco.com/docs/doc-2760

    This article describes our problem, but in the latest version of ACS I am unable to put a space instead of %20.

    That one is for ACS 4.

    CSCtj15117    ACS 5 does not support space (%20) in the URL of the CRL

    However, this bug has been marked Unreproducible because it was working in certain configurations and failing in one.

    I suggest that you work with TAC to analyze your configuration and possibly resurrect this bug if necessary.

    Nicolas

  • Creating an IPsec tunnel using digital certificates

    Hello

    I am trying to bring up an IPsec tunnel between two Cisco 3800 routers, using an additional 3800 router as a CA server.

    Before I added the CA server, everything went smoothly.

    Attached is my configuration, along with debug output from the CA server and router configuration.

    It seems that the routers do not receive the certificate from the CA router (R3), because I see the certificate is in pending status:

    R3#
    R3#show crypto pki certificates cisco verbose
    CA Certificate
      Status: Available
      Version: 3
      Certificate Serial Number (hex): 01
      Certificate Usage: Signature
      Issuer:
        cn=cisco1.cisco.com l\=RTP c\=US
      Subject:
        cn=cisco1.cisco.com l\=RTP c\=US
      Validity Date:
        start date: 10:12:13 UTC Sep 8 2013
        end   date: 10:12:13 UTC Sep 7 2016
      Subject Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (512 bit)
      Signature Algorithm: MD5 with RSA Encryption
      Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
      Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
      X509v3 extensions:
        X509v3 Key Usage: 86000000
          Digital Signature
          Key Cert Sign
          CRL Signature
        X509v3 Subject Key ID: 56F091F7 7016A63F B8946900 B13E6719 8B0D548E
        X509v3 Basic Constraints:
            CA: TRUE
        X509v3 Authority Key ID: 56F091F7 7016A63F B8946900 B13E6719 8B0D548E
        Authority Info Access:
      Associated Trustpoints: cisco
      Storage: nvram:cisco1ciscoc#4CA.cer

    R3#

    I appreciate your support and I will send additional evidence if necessary.

    TX

    Roee

    I didn't look at your configuration, but according to your description it seems that you have not approved the pending certificate requests on your CA router. Here are the commands you need (CA is the name of your certificate server):

    To view the pending requests:

    crypto pki server CA info requests

    To grant the pending requests:

    crypto pki server CA grant all

  • Is there a problem with Firefox not responding? It's happening on all our computers at work and at home. It runs for about 10 seconds, then stops responding.

    I read the FF community posts, and it seems to be a problem for a lot of people. It has been happening for about 3 days now on all our computers at home and at work. This cannot just be linked to one computer if it happens to so many. I was wondering if there is a general problem with FF, since that is what is happening for many users. When I start FF I am lucky to get 10 seconds before it stops responding; I'm ready to give FF the flick! I use it in safe mode now and use IE instead until I find another solution other than resetting FF. FF should maybe see if there is a problem at their end, and then show us how to fix it.

    Returning to the topic of extensions, you can view and update extensions on the Add-ons page. Either:

    • Ctrl + Shift + A
    • the orange Firefox button (or the Tools menu) > Add-ons

    In the left column, click Extensions. Click the "gear" above the list, and then use Check for Updates.

    You can also disable non-essential or unrecognized extensions (or, if obviously not good, remove them).

    Typically, a link will appear above at least one disabled/removed extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.

    Any improvement?

  • Firefox's accelerated release calendar is causing compatibility issues with our intranet applications - where can I find the terms of this schedule, including end-of-support dates?

    We are a University using an internally developed e-Learning application which makes use of a rich client framework (ZK - www.zkoss.org). For reasons of compatibility with this application, as well as other general factors, we have standardized on the FF 3.6 browser for all our desktop computers. Normally we review our browser selection once a year and make the changes/updates for compatibility to the 3rd-party libraries we use and to our own code, in order to address new developments in the browser market.

    However, FF's new rapid release policy is making our lives difficult. FF 6 came out just months after FF 5. To perform an upgrade we have to do a systematic series of tests, settings, changes etc. and regression tests. The cost makes it impossible for us to do this every 3 months! So please can anyone point us to a clear release plan for FF that shows, for each version:

    a. Release date
    b. End-of-support date
    c. Release notes
    d. Compatibility in terms of HTML and Javascript/ECMAScript versions.
    

    https://wiki.Mozilla.org/RapidRelease/calendar

    https://wiki.Mozilla.org/releases

    New versions will be released every 6 weeks, so until Mozilla announces that they will support an LTS version for business 'customers', you guys are left swinging in the breeze as far as being able to plan for the future with Firefox. I think that until that decision is made, support for Firefox 3.6 versions will continue. A 3.6.22 release is under development right now, probably for release next week.

    As far as end-of-support dates go, as each new version is released, support ends for the previous version, with the exception of 3.6.x. Currently Firefox 3.6.x and 6.0.x are the only versions that receive security updates. Firefox 4.0 and 5.0 are not 'supported' any longer.

  • How to clear all SSL certificate exceptions?

    I want to erase all certificate exceptions, in other words, return to the original set of SSL certificates trusted by default. I found the Certificate Manager and its large lists of trusted things, but I don't know which of them are bundled with Firefox and which were added by me at some point in the past. How can I do this?

    Rename or remove the cert8.db file in the profile folder to delete all intermediate certificates that Firefox has stored by visiting secure websites.

    Built-in root certificates will display as "Builtin Object Token" and stored intermediate certificates as "Software Security Device".

    Rename or remove the cert_override.txt file (to cert_override.txt.old) in the Firefox profile folder to remove any permanent exceptions that you have saved.

  • When I install FSX SP2, in the menu box showing the chosen plane and also in the game, the graphics are all messed up (black, black with lines on the screen and so on). I don't know what to do. I need help.

    I have FSX Deluxe. When I installed FSX SP1 it was all fine, but when I installed FSX SP2 the graphics were messed up. So I uninstalled FSX SP2 and tried again, and it was the same thing. So I uninstalled FSX altogether and reinstalled fresh and put on FSX SP1; it was going well until I put on FSX SP2, then the same thing happened again, messed up graphics.

    So I uninstalled FSX SP2 and updated my graphics drivers and tried again, and the same thing happened.

    I need help please.
    Thank you

    Hi Mmarshall_1993,

    Welcome to the Microsoft Answers site.

    We would like to get a better understanding of this issue, so we can better help not only you but other users with similar problems.

    (a) What operating system do you use?

    Method 1:

    Adjust display settings

    Many recent Microsoft games require a video card and monitor that can run a resolution of at least 800 x 600 in 16-bit color. Set the Windows display resolution to 800 x 600 in 16-bit color, and then test the game. To do this, follow these steps:

    1. In Windows XP, click Start, point to Settings, and then click Control Panel.
    In Windows Vista, click Start, type personalization in the Search box, and then click Personalization in the programs list.

    2. In Windows XP, double-click Display.
    In Windows Vista, click Display Settings.

    3. Click the Settings tab.

    4. Move the Desktop area or Screen area slider to the 800 x 600 pixel setting.

    5. In the Color Palette box or in the Colors box, click 16-bit colors.

    6. Click OK, and then click OK again.

    7. Click Yes to accept the setting.

    Method 2:

    Adjust graphics hardware acceleration

    To adjust graphics hardware acceleration, use the method described for the operating system that you use:

    ·         Windows Vista

    1. Click Start, type personalization in the Start Search box, and then click Personalization in the list of programs.

    2. Click Display Settings.

    3. Click Advanced Settings.

    4. Click the Troubleshoot tab, and then click Change settings.

    If you are prompted for an administrator password or a confirmation, type the password or click Allow.

    5. Move the Hardware Acceleration slider two notches to the left of Full (the Disable cursor and bitmap accelerations setting).

    6. Click OK, and then click Restart Now.

    7. Once the computer has restarted, test the game.

    ·         Microsoft Windows 2000 or Windows XP

    1. Click Start, point to Settings, and then click Control Panel.

    2. Double-click Display.

    3. On the Settings tab, click Advanced.

    4. Click the Troubleshoot tab.

    5. Move the Hardware Acceleration slider two notches to the left of Full (the Turn off all cursor and advanced drawing accelerations setting).

    6. Click OK, and then click OK again.

    7. Test the game.

    Method 3:

    Check or turn on Direct 3D

    To check or turn on Direct3D acceleration in Windows XP, follow these steps:

    1. Click Start, click Run, type dxdiag, and then click OK.

    2. On the Display tab, verify that all DirectX features are enabled. If any feature is disabled, click Enable next to the feature.
    Note: If some DirectX features are unavailable, verify that your video card meets the minimum requirements.

    For more information, see the articles below.

    How to resolve display issues in Microsoft games

    http://support.Microsoft.com/kb/263039

    The Flight Simulator X game display flickers or is damaged on a Windows Vista-based computer that is connected to multiple monitors

    http://support.Microsoft.com/kb/933590

    Hope this information is useful.

    Thanks and regards.

    Thahaseena M
    Microsoft Answers Support Engineer.
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • Error message "Revocation information for the security certificate for this site is not available. Do you want to proceed?" [Yes] [No] [View Certificate]

    For a while I have been getting the "Security Alert" dialog box: "Revocation information for the security certificate for this site is not available. Do you want to proceed? [Yes] [No] [View Certificate]". I know that many, if not all, of the sites are OK because I have used them several times in the past.

    I tried different "fixes" found by Googling "revocation information" and nothing solves the problem - whatever it is.

    When I try to make various updates, not related to this problem, I cannot download the updates due to a security problem.

    Suggestions for a computer-challenged user? Thank you.

    Richard

    http://www.brighthub.com/Internet/Security-Privacy/articles/82291.aspx

    Read this, and see if it can address your question.
