Beginner

RA VPN SSL Cert Error in FMC

I recently uploaded an SSL cert to our FMC to apply to a RA VPN and received the error below. Is this expected when uploading a PKCS file?

image.png

RJI (VIP Advocate)

Re: RA VPN SSL Cert Error in FMC

Hi,
No, this is not expected. You will need to import the Trusted Root certificate that signed the identity certificate:

Objects > Object Management > PKI > Trusted CAs

HTH
Beginner

Re: RA VPN SSL Cert Error in FMC

I followed your instruction and uploaded the Root cert. The error is still showing. Does the PKCS12 file need to be removed and re-added?

RJI (VIP Advocate)

Re: RA VPN SSL Cert Error in FMC

Actually checking my notes when I created the PKCS12 file, I included the Root certificate so therefore I didn't specifically import the root into the Trusted Root store - I did not receive the same error as you did. What did you include in your PKCS12 file? Perhaps re-create and import.

HTH
Beginner

Re: RA VPN SSL Cert Error in FMC

I included the root cert, the signed CA, and the private key. 

VIP Advocate

Re: RA VPN SSL Cert Error in FMC

If it is a multiple chain cert with Root and Sub CAs, try only adding the identity and immediate sub CA to the pkcs12 file. For example, if the chain is like this:

RootCA ---> SubCA1 ---> SubCA2 ---> Identity Cert

Only add the SubCA2, identity cert and private key to the p12 file and test.

Also, to troubleshoot, run the following debugs on the diagnostic CLI when importing it via the FMC:

debug crypto ca 255

debug crypto ca messages 255

debug crypto ca transactions 255
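One way to build and check the trimmed bundle suggested above (identity cert, immediate sub CA, private key) with the OpenSSL CLI before uploading it. This is an added example, not part of the original posts; the throwaway lab chain, file names, friendly name and export password are constructed.

```shell
#!/usr/bin/env bash
# Added example. Names, password and the lab chain are constructed.
set -e
P12_PASS='Example-Pass-1'   # placeholder export password

# Build a throwaway chain RootCA -> SubCA1 -> SubCA2 -> identity in directory $1.
make_chain() {
  local d=$1 issuer=RootCA name ca
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=RootCA" \
    -keyout "$d/RootCA.key" -out "$d/RootCA.pem" 2>/dev/null
  for name in SubCA1 SubCA2 identity; do
    ca=TRUE; [ "$name" = identity ] && ca=FALSE
    printf 'basicConstraints=critical,CA:%s\n' "$ca" > "$d/$name.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -days 2 -extfile "$d/$name.ext" \
      -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial \
      -out "$d/$name.pem" 2>/dev/null
    issuer=$name
  done
}

# Pack only the identity cert, its private key and the immediate issuer.
build_p12() {  # $1 = dir, $2 = issuing CA name, $3 = output file
  openssl pkcs12 -export -name ravpn-identity -passout "pass:$P12_PASS" \
    -inkey "$1/identity.key" -in "$1/identity.pem" \
    -certfile "$1/$2.pem" -out "$3"
}

# Print the subject line of every certificate inside a PKCS#12 file.
p12_subjects() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null | grep '^subject'
}

# Succeed only if the bundled private key belongs to the identity certificate.
p12_key_matches() {
  local k c
  k=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null | openssl pkey -pubout)
  c=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$P12_PASS" 2>/dev/null | openssl x509 -noout -pubkey)
  [ "$k" = "$c" ]
}

work=$(mktemp -d)
make_chain "$work"
build_p12 "$work" SubCA2 "$work/ravpn.p12"
p12_subjects "$work/ravpn.p12"   # lists the identity cert and SubCA2 only
p12_key_matches "$work/ravpn.p12" && echo "private key matches identity certificate"
```

Running `p12_subjects` against an existing bundle shows exactly which certificates it carries before it is imported.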


Beginner

Re: RA VPN SSL Cert Error in FMC

I uploaded only the SubCA, the identity cert, and the private key and received the same error. I ran the debugs but didn't receive anything during the upload.

Beginner

Re: RA VPN SSL Cert Error in FMC

Uploading only the Sub-CA, Private Key, and Identity cert to the PKCS file resolved the issue. Any reason why it would cause a problem to keep the root cert in the file?