Re: RA VPN SSL Cert Error in FMC

Scott_22 · ‎05-20-2019

I recently uploaded an SSL cert to our FMC to apply to a RA VPN and received the error below. Is this expected when uploading a PKCS file?

Rob Ingram · ‎05-20-2019

Hi,
No this is not expected, you will need to import the Trusted Root certificate that signed the identity certificate:-

Objects > Object Management > PKI > Trusted CAs

HTH

Scott_22 · ‎05-21-2019

I followed your instruction and uploaded the Root cert. The error is still showing, does the PCKS12 file need to be removed and re-added?

Rob Ingram · ‎05-21-2019

Actually checking my notes when I created the PKCS12 file, I included the Root certificate so therefore I didn't specifically import the root into the Trusted Root store - I did not receive the same error as you did. What did you include in your PKCS12 file? Perhaps re-create and import.

HTH

Scott_22 · ‎05-22-2019

I included the root cert, the signed CA, and the private key.

Rahul Govindan · ‎05-22-2019

If it is a multiple chain cert with Root and Sub CA's, try only adding the identity and immediate sub CA to the pkcs12 file. For example, if the chain is like this:

RootCA---> SubCA1---->SubCA2---->Identity Cert

Only add the SubCA2, identity cert and private key to the p12 file and test.

Also, to troubleshoot, run the following debugs on the diagnostic CLI when importing it via the FMC:

debug crypto ca 255

debug crypto ca messages 255

debug crypto transactions 255

Scott_22 · ‎05-22-2019

I uploaded only the SubCA, the identity cert, and the private key and received the same error. I ran the debugs but didn't receive anything during the upload.

Scott_22 · ‎05-22-2019

Uploading only the Sub-CA, Private Key, and Identity cert to the PKCS file resolved the issue. Any reason why it would cause a problem to keep the root cert in the file?