Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance

jer0nim0x — Tue, 12 Mar 2019 02:22:44 GMT

Hi,

basically I am trying to achieve what's documented in

http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704

(using ASDM: "crypto ca import" = Remote Access VPN -> Certificate Management -> Code Signer -> Import)

I give it a complete PKCS12 bundle (unencrypted private key + certificates up to the root CA) to the ASA.

I can indeed verify that it has been imported correctly by exporting it again:

crypto ca export CodeSignerBundle pkcs12 1234

It shows me the private key and all the certificates.

However, the jars used in WebVPN, while carrying the correct certificate, don't have a full certification chain at their disposal:

Using jarsigner -verify I see on a random file from the jar:

sm 905 Fri Nov 30 00:00:00 CET 1979 Java/lang/CpUtf8.class

X.509, CN=COMMONNAME, O=ORGANIZATION, L=LOCATION, ST=STATE, C=COUNTRY

[certificate is valid from 8/1/13 4:30 PM to 8/1/16 4:30 PM]

X.509, CN=LuxTrust Qualified CA, O=LuxTrust S.A., C=LU

[certificate is valid from 6/5/08 11:25 AM to 10/18/16 12:40 PM]

[CertPath not validated: Path does not chain with any of the trust anchors]

Indeed the certificate file inside the jar (META-INF/.....RSA) does not contain what I uploaded to the ASA. One of the intermediary certificates is missing (while another certificate is listed twice).

What could be the problem here? (ASA v8.2(5))

Thanks for any help,

Marki

topic Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance in Network Security

Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance