05-09-2023 06:09 AM
I believe this is the correct board for this question.
We have a Cisco 2110 ASA Firepower. Version: 2.10(1.182).
We are trying to update the SSL certificate in our ASA via CLI. When I enter the certificate and try to commit, I am getting this error:
[failed to verify certificate chain, error: Failed to split certificate chain]
This is our config for our security portion:
scope security
disable cc-mode
disable fips-mode
enter keyring default
set elliptic-curve
set keypair-type rsa
set modulus mod2048
set regenerate no
! set cert
set trustpoint ""
exit
enter local-user admin
enter role admin
enter role read-only
set account-status active
set email ""
set expires no
set firstname ""
set lastname ""
set maxfailedlogins 0
! set password
set phone ""
set reset-password no
set sshkey none
exit
enter role admin
set privilege admin
exit
enter role read-only
set privilege read-only
exit
enter trustpoint CHdefault
set certchain
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
-----END CERTIFICATE-----
ENDOFBUF
Obviously I edited the certificate just now, but the one I entered is untouched from the PEM file.
Am I missing something?
06-26-2023 09:35 AM
Hi,
There could be multiple reasons for the error:
- Issue with the certificate itself generated by the CA (you can try generating another one).
- It could be that you have a root and an intermediate cert and there is an issue with one of them.
I would recommend that you try the process again with a new CSR request and try again.
If the issue is still there, it would be a good idea to check with TAC as well.
Regards
Divya Jain
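Added example (not part of either post, and not Cisco code): a local pre-check of a PEM bundle for structural defects before it is pasted into `set certchain`. The thread does not say which checks the device performs, so the defects tested here (unbalanced markers, non-base64 body lines, DER length mismatch) are assumptions, and `check_bundle` and `fake_pem` are hypothetical names.

```python
import base64

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length equals its real size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1]
    if n < 0x80:                                   # short-form length
        return len(der) == 2 + n
    n &= 0x7F                                      # long form: n length bytes follow
    return 0 < n <= len(der) - 2 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text: str) -> list[str]:
    """Split a PEM bundle and return the problems found; an empty list means clean."""
    problems, body, inside, count = [], [], False, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                problems.append(f"line {no}: BEGIN before previous END")
            inside, body = True, []
        elif line == END:
            if not inside:
                problems.append(f"line {no}: END without BEGIN")
                continue
            inside, count = False, count + 1
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:                     # binascii.Error is a ValueError
                problems.append(f"cert {count}: body is not valid base64")
                continue
            if not der_length_ok(der):
                problems.append(f"cert {count}: DER length mismatch (truncated or edited)")
        elif inside:
            body.append(line)
        elif line:
            problems.append(f"line {no}: text outside a certificate block")
    if inside:
        problems.append("missing END marker on last certificate")
    if count == 0:
        problems.append("no certificate blocks found")
    return problems

def fake_pem(n: int) -> str:
    # Constructed sample: a DER SEQUENCE header plus n filler bytes, not a real certificate.
    der = b"\x30\x82" + n.to_bytes(2, "big") + bytes(n)
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"
```

Run it on the exact text that will be pasted, with the certificates in the order the device expects; it checks structure only and does not validate signatures or issuer relationships.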
06-26-2023 10:32 AM