
ESA - Validation Error : Certificates signature verification failed

LukasPlescher
Level 1

While trying to renew our TLS Certificate we always receive the following error message when trying to submit it:

Validation Error : Certificates signature verification failed

We uploaded a PFX (PKCS#12) certificate which contains the certificate chain and the private key.

The certificate should be "globally recognized" since it was issued by SwissSign.

Accepted Solutions

UdupiKrishna
Cisco Employee

If you are on 14.2, there were new changes implemented surrounding how ESA trusts/verifies a certificate that is attempted to be added. I suspect that either the root or intermediate certificate which is the issuer of this signed cert is not in the ESA trusted CA store.

If they are not present, gather a copy of these certs in .pem format, upload them as custom CA certificates, and attempt the upload again.


7 Replies

Hello UdupiKrishna,

After importing the certificate in .pfx format, it is again asking to "Upload Signed Certificate:". Which signed certificate do we need to upload here, the CA certificate or the server certificate? I have tried both and got the error "Certificates signature verification failed" when I select the server certificate and "The certificate and key do not match" when I select the CA certificate.

Kindly help us in resolving this issue.

Same issue. How can we upload a custom CA certificate in PEM format? We only see the import for p12.

To add a custom CA cert, in the GUI go to Network/Certificates.
In the middle of the page, there's a section for "Certificate Authorities". On the right end, click on Edit Settings and enable the Custom List, then submit, commit.
Certs are just special encrypted text... so you can take this file and from the page where you enabled the Custom List, you can import your one CA file.

If you need to ADD more than one, just take the text of each cert, and put them in a text file together so it looks like below, and import it as one file with all of the CA certs in it:

-----BEGIN CERTIFICATE-----
MIIHqTCCBZGdfafdagAwIBAgIQY.....
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIHqTCCdfa1dfaBZGgAwIBAgIQY.....
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIHqTCCBZGadfadfgAwIBAgIQY.....
-----END CERTIFICATE-----


Etc...
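
An added example, not part of the original thread or of Cisco's tooling: a small Python helper that builds the single combined CA file described above from one or more PEM sources. It keeps only certificate blocks, drops identical copies, and refuses input that contains a private key, which can end up in the text when a chain is extracted from a PFX; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# Any PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def build_ca_bundle(*pem_texts):
    """Return (bundle_text, sha256_fingerprints) with each certificate once.

    Raises ValueError on private key material or on a block that is not
    base64-encoded DER, so a bad file is caught before it is uploaded.
    """
    seen, blocks = [], []
    for text in pem_texts:
        for label, body in PEM_BLOCK.findall(text):
            if "PRIVATE KEY" in label:
                raise ValueError("private key found; bundle certificates only")
            if label != "CERTIFICATE":
                continue  # ignore CSRs, CRLs and other block types
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError as exc:  # binascii.Error is a ValueError
                raise ValueError("certificate block is not valid base64") from exc
            if der[:1] != b"\x30":  # a certificate is a DER SEQUENCE
                raise ValueError("certificate block does not hold DER data")
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint in seen:
                continue  # identical certificate already in the bundle
            seen.append(fingerprint)
            b64 = base64.b64encode(der).decode()
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            blocks.append("\n".join(
                ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    return "\n\n".join(blocks) + "\n", seen

def constructed_cert(filler):
    """Constructed stand-in: a DER SEQUENCE header plus filler, not a real cert."""
    der = b"\x30\x82\x01\x00" + filler * 64
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    root, inter = constructed_cert(b"R"), constructed_cert(b"I")
    # Constructed input: extra text lines such as export tools emit, plus a repeat.
    exported = "Bag Attributes\n    friendlyName: constructed\n" + inter + root
    bundle, fingerprints = build_ca_bundle(exported, root)
    print(bundle)
    print(len(fingerprints), "distinct certificates")
```

The check is structural only: it does not verify signatures or that the certificates form a chain to the server certificate.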


Once we uploaded the CA, we were able to install the certificate. Thanks.

Thanks Ken, now the issue is resolved and I am able to upload the new certificates.

I have the same problem: the p12 can be imported to v14.0 without issue but fails importing to v14.2. The cert's CA is already listed in ESA, and this cert is signed by an Intermediate Certificate which I cannot import to ESA (it said duplicated).