Valid Cisco VPN certificate in keychain is not found by setup

Similar Messages

• A valid provisioning profile for this executable was not found

  I have built an enterprise APP. It has been installed in hundreds of machine. It can run smoothly at the begining. After two months, a few of the machice cannot open the APP anymore. I have tried to read its crach log and it has nothing. Finally, i found out the reason by tracing the console log.
  The error is "A valid provisioning profile for this executable was not found".
  So I check if the file exist but it is disappeared. The user have not removed the profile.
  At last, I tried to install the profile again, it is still not working even the profile is installed. Is there anyone who have the same issue? Thank you very much
  Message was edited by: Ben125

  Sorry that I have made a mistake. A wrong profile is installed.
  Thanks

• Cisco VPN Certificate

  I was trying to setup the Cisco VPN with SL. I just got to the point where I have to select the certificate (instead of shared secret key). Everytime I click on "Select..." it says "Keine Rechner-Zertifikate gefunden" (in English: "No computer certificates found")
  What's the exact problem?

  i have the same problem! Please Help

• Cisco Works error URN_NOT_FOUND : urn "JRM":Not found !!

  Hi,
  I have a Cisco works server running LMS 2.6 version.Server was working fine without any issues.Suddenly i started facing an issue when i try to create a Netconfig Job.The error i am facing  is " Error occured while processing.Possible Cause: URN_NOT_FOUND : urn "JRM":Not found !!   
  Also observed CWCS cmf database engine, dfmFh database engine and dfmInv database engine servives are not starting.The pdshow output is also not giving any output.It end with error GetReply failed.
  Please let me know if you have any idea on this error.
  Thanks & Regds,
  Lalit

  Hi Afroj,
  I have tried the procedure which you have mentioned but it didnt work.I tried removing the ctmregistry file and started the serices.But the Cisco works server still has issues.
  LMS is not integrated with ACS.Its a standalone server.(Non ACS )
  pdshow output does not give any output.It comes as error as " GetReply Failed " I am not getting any output from pdshow.
  Please find the attached screen shot of services.msc and common service home page.
  Please let me know if you have any suggestions.
  Thanks & Regds,
  Lalit

• Email address domain not found (OWA setup)

  We have an in-house exchange server (SBS 2008) and have had 5 users successfully using blackberries for close to a year via setting up the OWA (outlook web access) at nextel.blackberry.com.
  2 days ago one of the users upgraded his blackberry and email stopped working (both peronsal POP email as well as exchange email through OWA).
  We deleted all the accounts at the nextel.blackberry.com website and tried to re-add them.  The personal MSN POP3 email was added successfully and is working great.  However when we try to add the account for OWA access, we get the error message "Email address domain not found".
  Now I know that message comes up initially if you enter a password on the first screen.  But we still get this message on the advanced OWA setup screen.  We spent 2 hours on the phone with both nextel AND RIM and all either could tell us is that something must be wrong with our exchange server. (they were not able to add it either).
  Well, our exchange server is running strong sending and receiving emails, we have several users throughout the country accessing OWA without ANY problems AND we have 4 blackberry users that are still active and receiving emails from our exchange server without any problem.
  Any thoughts?  FYI we are running through postini for inbound/outbound email BUT this has never posed an issue previously for all the blackberries setup in the past year.

  I was able to resolve this on my own.  Apparently Blackberry's website app scans for what it considers to be valid MX records on the domain of the email address you're trying to send.  We use postini for inbound/outbound and as a result had no MX records that pointed directly to our server.
  When I added an additional MX record pointing directly to our server, blackberry's website was then able to add the account.  After the account was added I was then able to remove the MX record and the blackberry continues to function.

• Cisco Prime Infrastructure 1.2 OVA not found

  Hi all,
  I want to download Cisco Prime Infrastructure 1.2 OVA but I can't find it, there is just  "Cisco Prime Infrastructure 1.2 Plug and Play for Virtual Appliance " . Is this the right OVA ?
  Thanks for your help
  BR
  Aaziz

  Hi Aaziz,
  Unfortunately this download of this file is not available anymore on cisco.com site.
  As an alternative, you can download PI 1.3 OVA, where you can find the same features and
  interface:
  http://software.cisco.com/download/release.html?mdfid=284652876&softwareid=284272932&relea
  se=1.3&relind=AVAILABLE&rellifecycle=&reltype=all
  Note:  you can use the same license of PI 1.2 on PI 1.3
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ***

• Airport express not found after setup

  I have a maddening situation. At the beginning of setting up my airport extreme, the computer has no problem finding the wireless device. However, after the A/E is configured and added to my current network (linksys router), the computer can't find the A/E anymore.
  What's going on?

  The following are Apple's instructions for setup using the Airport Setup Assistant, which is different from Airport Utility, but most of the steps are the same. Some are important for your installation, such as "do NOT select extend the range of my Airport..." and entering your network password correctly. Some steps, like plugging in the Airport, you probably already figured out
  Since your router is a Linksys product, after the Express is set up you will no longer be able to see it using Airport Utility. The reason is that you set up the Express using its wireless network (Apple Network xxxxxx), which is subsequently disabled after setup. Once you're done and you click Update you'll be using your Linksys wireless network. Airport Utility only recognizes Airport networks. You didn't create one with your Express nor do you want to given your desired setup. If you need to use Airport Utility to configure the Express again you'll need to perform a hard reset.
  If everything's right and you have checked iTunes Preferences > Devices "look for remote speakers connected with Airtunes" option you should see a new menu appear in the lower right of the iTunes window.
  If this doesn't work, try disabling your router's encryption temporarily to simplify things. Reset the Express and run Airport Utility without a password this time. You may also need to modify your Sharing > Firewall settings too.
  Hope it helps!
  Plug AirPort Express into a power outlet.
  On your computer, join the wireless network created by AirPort Express.
  Open AirPort Setup Assistant. Mac users: Find it in /Applications/Utilities/. Windows users: On the Start menu, point to All Programs and click AirPort.
  When you see the Introduction screen, click Continue.
  Select "Set up a new AirPort Base Station" and click Next.
  When the AirPort Setup Assistant confirms that it has found your AirPort Express, click Continue. (If >your AirPort Express wasn't found, click Try Again.)
  Select "Connect to my current wireless network."
  Be sure that "Extend the range of my AirPort wireless network" is not selected (this option is used >only for WDS).
  Click Next; AirPort Express Assistant will scan for your existing wireless network. Once it finds it, click Next again.
  Choose the correct network (there may only be one) from the Wireless Network Name menu. If the wireless network is password protected, you will be prompted to enter the password. Enter the password and then click Next to continue.
  Note: If you have difficulty with your password, you can get help with joining a third-party WEP-protected network.
  Enter the name of your AirPort Express.
  Tip: If you don't know the name, it's what appears in iTunes as the name of your AirTunes remote speakers.
  Click Next.
  Assign an administrator password for AirPort Express. This password can be different from any network password, and is used for just changing settings on AirPort Express.
  The Summary screen outlines the configuration options you've set. Optionally, you can click Show Passwords to review the administrator and network passwords. Finally, click Next to update AirPort Express with your settings.

• Gpibprop.dll not found in setup

  I've been using the GPIB PCll with Labview and MatLab and Newport Motion Controller for a few years. I received updates to Labview and Matlab receintly and installed the updates. Now I can't access any of the instruments, nor does the GPIB show up on the configuration list.

  Hi Ronald,
  I am not familiar with MatLab so I cannot speak about their products, but what updates did you make? By configuration list do you mean the Measurement and Automation Explorer (MAX)? Did you try refreshing the list with the F5 key (in MAX)?
  With some more detail I will do my best to help you out!
  Best Regards,
  Aaron K.
  Application Engineer
  National Instruments

• ASA and Cisco VPN question

  I am having an issue on a new ASA. I am able to connect to the customer?s network using the Cisco VPN client, but I am not able to PING or access anything on the customers network. What needs to be done to fix this???
  There is a route on the customer?s router pointing back to the firewall for the IP range you get when you VPN in?
  Thanks,
  Chris

  Thanks, please rate.
  No, it is needed for pix as well. ASA 7.2, the command is "crypto isakmp nat-traversal".
  It is necessary if vpn client is connecting behind nat. Allows ipsec to be encapsulated in udp port 4500. The transport tab I mentioned is in the connection entry properties, if you click modify. You will see enable transparent tunneling over udp.

• Problems w/ VPN Server & Cisco VPN Client on same machine

  I really wish that I read about how the developer of the program iVPN no longer supports his work BEFORE I paid for it. It's a great, simple, GUI frontend to the existing Leopard VPN server built in to regular (non-server) OSX...
  Anyway, on my Mac that stays @ home:
  (1) - I have the iVPN server set up & running to allow me to connect (from my iphone or another computer on the road) to my Mac @ home using L2TP.
  (2) - When I'm @ home and need to connect to my company's network, I need to use the Cisco VPN Client (which uses IPSec etc).
  So, I found out that when I need to use my Mac to connect to work, I first have to open up the iVPN server to click "Stop Server" (which has me enter my password twice sometimes). Now I close iVPN until I'm done, then open up Activity Monitor for the purpose of finding the still-running process "racoon". I realized this not because it's published info, but because if I don't do this, and try to connect to work using the Cisco VPN Client, it simply will not connect. So, I quit the process "racoon" (which also has me enter my password because it's running as root yada yada). NOW, I can load Cisco VPN Client and successfully connect to my company's network. When I'm finished here, I disconnect the C.V.C., then reopen iVPN Server and restart my server (enter password again).
  Is there any way I can make the process "racoon" quit automatically when I turn off the iVPN server? I'd email the developer but I guess that's a lost cause now. It's a shame because he did a fabulous job making iVPN & gave the less computer-networking-literate-user the ability to create their own VPN server without using Terminal.
  I thought about the possibility of using iVPN to create a PPTP connection instead of L2TP - thinking that would allow me to keep my iVPN PPTP server running at all times, even when I wanted to use the CVC to connect OUT to work - but:
  (1) - I would like the increased security of L2TP.
  (2) - When I tried running a PPTP server, and connecting to it from iPhone or other computer, I was NOT able to access the other devices on my network, or the internet. I couldn't even open up a webpage to check whatismyip.com (while sending all traffic over VPN). And yes, the IP Address Range that I have iVPN handing out is within my normal home network's range.
  My end goal for all of this when using my Mac is to be able to leave my iVPN server running at all times, while still being able to run the Cisco VPN CLIENT to connect to my company's network.
  Or, at least not having to open up Activity Monitor to quit the process racoon... let alone having to enter my password 3 times after opening up iVPN, again to stop the server, again to quit the process racoon. Then a forth when I'm all done and need to start the iVPN server again.
  Am I going about this the wrong way? Is there an easier way to accomplish these secure connections? There is a slight possibility of me upgrading and running a dedicated Mac Mini server of some sort perhaps with the real OSX Server. But not right now. I think I'm over complicating this. I mean, my needs are pretty simple:
  (1) - Need to connect TO my Mac from IPhone / someone else's Mac or PC for: VNC over SSH, SSH/SFTP file level access, in the future shared network volumes (time capsule). I'd use Back To My Mac for all of this but I don't always connect FROM a Mac.
  (2) - Need to connect FROM my Mac to work VPN for: VNC to my work PC to access our company's Windows-only program (dual booting into boot camp or using a virtual machine is out of the question), using Mocha for AS400 access, thinking about using file sharing on work PC but not needed so far.
  So it's really just VNC and sometimes SFTP. The "S" being important to me. That's why I don't like the idea of doing away with my iVPN server and just forwarding the outside ports. I use the Vine VNC Server which when checked, only allows access over SSH. The only other remote-logins are used from my iphone using an app called BriefCase (SSH to browse files on remote machine), or using an SFTP client on a computer.
  Thank you for reading all of this, and in advance for any insight you can offer.

  If the two servers need the same ports, then hosting two different VPN packages on the same box usually won't work.
  A firewall-based VPN service can be an option; that external box can deal with NAT and routing and other such and can field incoming or LAN-to-LAN VPNs, and your internal Mac boxes located "behind" that box can be free to initiate outbound VPNs.

• Mac constantly says keychain not found

  My Mac constantly brings up a message telling me the keychain is not found. I just click cancel but it is an annoyance. I tried to reset my default keychain in the Keychain Access program but it brings up a UNIX (Invalid Argument) message. Any ideas?

  There are several possible causes for this issue. Please take each of the following steps that you haven't already tried, testing after each one, until it's resolved. Back up all data before making any changes.
  Step 1
  Follow the directions in this support article.
  Step 2
  Launch the Keychain Access application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
  Select the iCloud keychain from the list on the left side of the Keychain Access window. If your default keychain has a different name, select that.
  If the lock icon in the top left corner of the window shows that the keychain is locked, click to unlock it. You'll be prompted for the keychain password, which is the same as your login password.
  Select
            Keychain Access ▹ Keychain First Aid
  from the menu bar and repair the keychain.
  Step 3
  Open the iCloud preference pane and uncheck the Keychain box. You'll be prompted to delete the local iCloud keychain. Confirm. Then re-check the box. Follow one of the procedures described in this support article to set up iCloud Keychain on an additional device.
  Step 4
  Open the Keychains folder as in Step 1. There should be a file in that folder with the name "login.keychain". If there is also a file iwith the name "login_renamed_1.keychain", then please do as follows:
  ☞ Rename login.keychain to "login-old.keychain".
  ☞ Rename login_renamed_1.keychain to "login.keychain".
  You can then close the folder. 
  Delete the login keychain from the keychain list in Keychain Access. Choose Delete References when prompted, not Delete References & Files.
  Select
            File ▹ Add Keychain...
  from the menu bar. Add back the file now named "login.keychain". If any of your needed keychain items are missing from it, also add back the file now named "login-old.keychain". I suggest you transfer any needed items from that keychain to the login keychain, then delete it. The transfers are made by drag-and-drop in Keychain Access. You'll need to enter your password for each item transferred. 
  Run Keychain First Aid again. Quit Keychain Access.

• Server not found in Kerberos database (7)

  Hi!
  Running the examples from
  http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab
  works fine for me as long as I use the Kerberos test realm I have set up on a unix machine. But when I run the same classes against our Active Directory, the client spills a stacktrace, indicating that AD can not find the server in its database. But it actually is in that database, as the sample server can perfectly authenticate as exactly that principal!
  Enabling all security related debug info i could find, this is the client dump:
  $ java -Djava.security.auth.login.config=jaas-krb5.conf
       -Djava.security.krb5.kdc=##KDC##
       -Djava.security.krb5.realm=##REALM##
       -Dsun.security.jgss.debug=true
       -Dsun.security.krb5.debug=true
       -Djava.security.debug="logincontext,policy,scl,gssloginconfig"
       GssClient host ##SERVER##
  scl:  getPermissions ProtectionDomain  (file:/xxxxx/ <no signer certificates>)
  sun.misc.Launcher$AppClassLoader@11b86e7
  <no principals>
  java.security.Permissions@1a46e30 (
  (java.io.FilePermission \xxxxx\- read)
  (java.lang.RuntimePermission exitVM)
  scl:
  Debug is  true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is nu
  ll isInitiator true KeyTab is null refreshKrb5Config is false principal is xxxxx tryFirstPass is tru
  e useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  KinitOptions cache name is C:\xxxxxAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  client=##USER##@##REALM##
  server=krbtgt/##REALM##@##REALM##
  authTime=20070705103930Z
  startTime=20070705103930Z
  endTime=20070705203930Z
  renewTill=20070712103930Z
  flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 23
  Principal is ##USER##@##REALM##
                  [Krb5LoginModule] authentication succeeded
          [LoginContext]: login success
  Commit Succeeded
          [LoginContext]: commit success
  Authenticated principal: [##USER##@##REALM##]
  Connected to address ##SERVER##/xxxxx
  xxxxx
  create server name with host@##SERVER##
  Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
  Found ticket for ##USER##@##REALM## to go to krbtgt/##REALM##@##REALM## expiring on Thu Jul
  05 20:39:30 GMT 2007
  Entered Krb5Context.initSecContext with state=STATE_NEW
  Found ticket for ##USER##@##REALM## to go to krbtgt/##REALM##@##REALM## expiring on Thu Jul
  05 20:39:30 GMT 2007
  Service ticket not found in the subject
  Credentials acquireServiceCreds: same realmUsing builtin default etypes for default_tgs_enctypes
  default etypes for default_tgs_enctypes: 3 1 23 16 17.
  CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
  EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  KrbKdcReq send: kdc=##KDC## UDP:88, timeout=30000, number of retries =3, #bytes=1328
  KDCCommunication: kdc=##KDC## UDP:88, timeout=30000,Attempt =1, #bytes=1328
  KrbKdcReq send: #bytes read=101
  KrbKdcReq send: #bytes read=101
  KDCRep: init() encoding tag is 126 req type is 13
  KRBError:         sTime is Thu Jul 05 14:43:05 GMT 2007 1183646585000
           suSec is 487997
           error code is 7
           error Message is Server not found in Kerberos database
           realm is ##REALM##
           sname is host/##SERVER##
           msgType is 30
  KrbException: Server not found in Kerberos database (7)
          at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
          at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
          at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
          at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at GssClient$GssClientAction.run(GssClient.java:171)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.Subject.doAs(Unknown Source)
          at Jaas.loginAndAction(Jaas.java:94)
          at GssClient.main(GssClient.java:97)
  Caused by: KrbException: Identifier doesn't match expected value (906)
          at sun.security.krb5.internal.KDCRep.init(Unknown Source)
          at sun.security.krb5.internal.TGSRep.init(Unknown Source)
          at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
          ... 13 more
  Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentia
  ls provided (Mechanism level: Server not found in Kerberos database (7))
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.Subject.doAs(Unknown Source)
          at Jaas.loginAndAction(Jaas.java:94)
          at GssClient.main(GssClient.java:97)
  Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerbero
  s database (7))
          at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at GssClient$GssClientAction.run(GssClient.java:171)
          ... 4 more
  Caused by: KrbException: Server not found in Kerberos database (7)
          at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
          at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
          at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
          ... 8 more
  Caused by: KrbException: Identifier doesn't match expected value (906)
          at sun.security.krb5.internal.KDCRep.init(Unknown Source)
          at sun.security.krb5.internal.TGSRep.init(Unknown Source)
          at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
          ... 13 moreWhy's AD claiming in the KRBError that it can't find a sname/realm which exactly matches the principal it accepted for the server? This totally confuses me! Can please anyone bring some light?
  Regards

  It works now!!!
  The exact procedure is:
  - Create a new user in AD with an arbitrary name <username>. Use the same name in "User Logon Name", "User Logon Name (pre Win2K)" and "First Name" (odd, isn't it).
  - Set the password, deactivate "User has to change the password at first logon", and activate "Password never expires"
  - Create a mapping for the service name by entering into the command line: ktpass -princ "<protocol>/<fqdn>@<realm>" -mapuser "<username>@<realm>" -pass "*" -out dummy.keytab
  - Check that the mapping is set and unique; use adsiedit.msc (Windows Support Tools).
  - Now you can use the Java tool ktab to create your own keytab as usual and go.
  But it is a science in its own right to correctly configure an Active Directory , especially for use with Kerberos. In particular error messages are hardly useful (as it is generally the case in the Kerberos world). It may help to read:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=99b0f94f-e28a-4726-bffe-2f64ae2f59a2&DisplayLang=en
  and
  http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en
  Have fun!

• Patch failing with Class not found: oracle.apps.ad.jri.adjcopy

  Hi.
  Running a patch today and it is failing with:
  Class not found: oracle.apps.ad.jri.adjcopy
  The log states this:
  STRT_TASK: [Run adjcopy.class] [] [Tue Mar 02 2010 13:18:22]
  Running adjcopy.class:
  adjava -mx512m -nojit oracle.apps.ad.jri.adjcopy @D:\oracle\testappl\admin\TEST\out\apps.cmd
  Error:
  Program exited with status 1
  Cause: The program terminated, returning status code 1.
  adjava -mx512m -nojit oracle.apps.ad.jri.adjcopy @D:\oracle\testappl\admin\TEST\out\apps.cmd
  Calling D:\oracle\testcomn\util\jre\1.1.8\bin\jre.exe ...
  Class not found: oracle.apps.ad.jri.adjcopy
  AD Run Java Command is complete.
  D:\oracle\testappl\admin\TEST\out>
  I have tried running maually and still no luck.
  It is a frteshly cloned environment. Autoconfig has been run successfully.
  The only help from Metalink was that I have unzipped the patches in a folfer with space in it. So I renamed folder but still same error.
  The patch is 7415848 ATG Framework Patch.
  oracle 11.5.10.2, Windows 2003, RDBMS 10.2.
  Thanks in advance,
  DA
  Another thing I tried was to relink, but got the following:
  Do you wish to force regeneration of all jar files? [No] ?
  Generating any out of date or missing jar files.
  Signing product JAR files in JAVA_TOP -
  D:\oracle\testcomn\java
  using entity Customer and certificate 1.
  Class not found: oracle.apps.ad.jri.adjversion
  AD Administration error:
  aiojavaGetJavaVersion(), ERROR [code= 1] creating javaversionFile.
  Error : java version file format not correct
  adogjf() Unable to generate jar files under JAVA_TOP
  Backing up restart files, if any......Done.
  You should check the file
  D:\oracle\testappl\admin\TEST\log\adadmin.log
  for errors.
  D:\oracle\testappl\ad\11.5.0\bin>
  Edited by: Dan A on Mar 2, 2010 10:03 AM

  Dan,
  Please see if these documents are applicable.
  Note: 392870.1 - Generate product JAR files aiojavaGetJavaVersion(),ERROR creating javaVersionFile
  Note: 264911.1 - adutilities error out aiojavaGetJavaVersion(), Error creating javaversionFile
  Regards,
  Hussein

• Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

  We find ourselves in a difficult situation with the
  Cisco VPN Cleint version 5.0.07.0290 where it keeps giving us an
  "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
  There is no additional information in the VPN client logs where we have set 3-High for all logs.
  In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
  To create and enrol a certificate we do the following:
  1. Click on the Enroll button to show the Certificate Enrolment dialog
  2. Select  Online
  3. Select <New> for Certificate Authority
  4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
  5. Click Next to display the dialog where we can enter certificate details
  6. Enter details in all fileds except IP Address and Domain
  7. Click Enroll which shows a dilaog with the Error 42 ... message in it.
  If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
  The fact that the client does not send any messages to the Cisco CA leads us to belive that we have a pronblem on the clinet machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
  We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the clinet on a Windows 7 64bit machine and attempted the steps listed above.
  Thank you
  Emil

  FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
  Cisco2691#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Cisco2691(config)#crypto pki server CERTSERVER
  Cisco2691(cs-server)#grant ?
    auto     Automatically grant incoming SCEP enrollment requests
    none     Automatically reject any incoming SCEP enrollment request
    ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
  Cisco2691(cs-server)#grant auto
  % The CS config is locked. You need to shut the server off before changing its configuration.
  Cisco2691(cs-server)#shut
  Cisco2691(cs-server)#grant auto
  Cisco2691(cs-server)#
  Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
  Cisco2691(cs-server)#no shut
  % Certificate Server enabled.

• Using Cisco VPN client certificate for built in IPSec?

  Hi,
  Does anybody know if it is possible to "convert" a certificate exported from Cisco VPN client and import it into the Keychain for using it with built-in IPSec in Snow Leopard?
  Thanks,
  Oli

  I too am having trouble importing the Cisco certificate. It would be nice for some clear documentation. We've been successful converting the x.509 cer to KPCS#7 using openssl which will import into the keychain. However, the VPN (Cisco IPSec) sill doesn't see it.