Callmanager Express - Anyconnect VPN for IP phone - Certificate

seandickson, Level 4

I am attempting to have a Cisco IP phone connect to a Cisco ASA using the built-in Anyconnect client.  The phone will prompt users for their username and password but it seems that the certificate from the ASA has to be loaded onto the phone prior to it attempting to connect.  However after creating a trustpoint on the CME router I get this message.

BCM-CCME(conf-vpn-group)#vpn-trustpoint 1 trustpoint TP-CH-ASA root

Invalid cert, check trustpoint entered or choose leaf option

Has anyone seen this before? 

Even though I am just wanting to load a trusted certificate onto the phone, do I still have to configure the router as a certificate authority with a trust between it and the ASA? 

Sean

9 Replies

nemesisgy, Level 1

I have this exact same problem. I configured the phones using the CME Administrator guide which actually used CME as a CA server to issue certs to both the ASA and the CME. This configuration worked fine. However, I needed to use a proper certificate on the ASA since I have remote users connecting using the AnyConnect VPN Client software. This meant I had to load a GoDaddy cert onto the ASA.

I've imported the GoDaddy Intermediate and Root certs onto CME as trustpoints but I get the same error above when I try to configure vpn-trustpoint to use either of these trustpoints.

Called Cisco TAC and was told they're not supporting me on this kind of Config and that they only support SSL VPN Phone to CME when the CME is acting as the SSL gateway, not the ASA.

Hopefully someone on here has found a work around for this?

Jason,

I was recently able to get the CCME command line configuration to take a "self-signed" cert from the ASA.  The issue with that was that it needed to be converted from base64 to binary.  My next step is going to be to try to work through getting the GoDaddy certs working; I am hoping the issue may be something similar, but I have not had time to work through all of it yet.  I will post notes from the TAC case related to both issues.  If you have any luck please let me know. 

Good luck.

First Part dealing with Self signed Cert _______________________________________________________________

The error message implies an issue with the cert

As a result, we need to import the cert chain for the wildcard certificate. Prior to doing this, we need to export the pkcs12 cert from the ASA.  Then, we should convert the certificate file from base64 to binary (der).

Not sure what utilities you have available, openssl can do this:

  openssl base64 -d -in -out

Then, we can import the key and certificate chain via the following:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_pki/configuration/15-2mt/sec-deploy-rsa-pki.html#GUID-C3635CB0-BBC3-4CF1-9ABF-838E720E8540

Recommendations for 3rd Party Cert _______________________________________________________________

Me to TAC

"I finally got the self-signed certificate working so my existing phones can function! Thank you.  Now, can you point me in the right direction to get a GoDaddy cert installed on the router in a form that the phone will load it?  Since this is a cert issued by someone else do I need to add their root certificate and or create trustpoints per this forum?

https://supportforums.cisco.com/thread/2056655"

TAC response "In addition to the info in that forum, I’ve also referred to the following doc:

http://bytesolutions.com/Support/Knowledgebase/KB_Viewer/smid/622/ArticleID/21/reftab/195/t/Installing-GoDaddy-SSL-Certificates-on-a-Cisco-IOS-Router-using-CLI.aspx"

Hi Sean,

Thanks a lot for your reply. I managed to get my deployment working the way I wanted. I'll be writing up a detailed blog post this weekend when I have some time but this is a quick overview of what I did.

  • The GoDaddy cert is a multi domain cert allowing for 5 domains and the CSR was generated on the exchange server
  • Had the exchange admin export the cert with the key
  • Created a general purpose exportable rsa key on the ASA using 2048 modulus and separate label
  • Imported cert from exchange server into the ASA.
  • Exported ASA identity cert including key
  • Converted this cert from base64 to binary using openssl
  • Generated exportable general purpose rsa key on CME using 2048 modulus
  • Created trustpoint; added the cn=value of the cert in the trustpoint; specify keypair generated above
  • Import the asa cert using the trustpoint created above.
  • configured voice service voice/vpn-gateway 1/ with above vpn trust
  • created cnf files under telephony-services
  • rebooted phones
  • Test VPN on remote phone which worked!

Thanks again for your input. This has been a very frustrating deployment, since I've had to basically piece together everything from different forums and documentation. Plus Cisco's documentation isn't clear at all with some of this stuff.

Again, I'll try to do up a post this weekend so that anyone else running into this problem would know how to resolve it.

Jason,

Thanks for the update.  I am hoping to have some time today to attempt this.  I was curious as to whether or not you needed to add trustpoints for GoDaddy root and subordinate CA servers?  I was told you did but from your summary above I don't see that above, so were the other documents just wrong? 

I agree this deployment has been extremely frustrating.  I look forward to your write up. 

I did add both the GoDaddy Root and Intermediate certificates to CME but these were done before while I was trying to import the cert using different techniques all of which failed. I didn't mention these since I'm not 100% sure they were needed.

The reason I say this was that when I installed the Cert on the ASA, I had also installed the GoDaddy Intermediate cert which worked fine on the ASA. When I went to configure the vpn settings under vpn-trustpoint 1 trustpoint on CME, I had to use the leaf option and not the root option. When I used the root option and tried to authenticate with my remote phones it wouldn't work. I kept getting the SSL Handshake failure on the ASA. After changing the config to be "vpn-trustpoint 1 trustpoint remote.domain.com leaf" it worked.

So given that it worked with the leaf option and not the root option, given that I used the Intermediate Cert on the ASA when I imported the identity cert and not the Root cert, and given that the CME actually just loads a hash of the ASA cert on the Phones, I'm thinking that the other GoDaddy Root and Intermediate certs I had already installed on CME weren't needed. I wonder if I had used the GoDaddy Root cert when I imported the Identity cert on the ASA whether I would have had to use the root option on CME rather than the leaf option when configuring the trustpoint for the phones.

I had almost given up on this solution the way I designed it and was going to move the AnyConnect users over to the old IPSec VPN client just so that I can use the configuration which worked before, by having CME act as the CA server and issue certs to the ASA. Thankfully with a lot of research, trial and error, and your response at the top, I got it working.

GL deploying yours and let me know if I can assist in any way.

Jason,

One other quick question, when you exported the Cert from the ASA, did you use PKCS12? 

Assuming so did you use

"openssl base64 -d -in -out " to convert it?  Did you import using terminal, ftp, some other method?  The reason I am asking is that I am getting an error trying to import the cert onto my test CCME router now. 

Sean

Yup! I exported the cert from the ASA using PKCS12 which included the keychain. Then I used openssl to convert the cert the same way you have it listed above. Then I imported the cert using tftp.

I did get an error the first time I tried it, but I didn't follow the example I saw exactly, which was probably why. Just ensure that you create the 2048 bit key then create the trustpoint; under trustpoint configuration, enter the subject-name value that the cert has, cn=vpn.domain.com, enter the rsakeypair command and point to the keypair you generated (depending on IOS ver). Then exit the trustpoint configuration mode and then import the cert using tftp and entering the password you used when you exported it from the ASA. Remember the cert you're importing is the converted copy that was generated using openssl.
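The steps above (export PKCS12 from the ASA, convert the base64 text to binary with openssl, then import under a trustpoint whose subject-name matches the cert's CN) and the earlier leaf-versus-root discussion both come down to knowing exactly what is inside the PKCS12 bundle before you hand it to CME. The script below is an added example, not code from this thread or from Cisco; it builds a constructed self-signed identity cert standing in for the ASA export (the CN `vpn.example.test`, the password `demo` and the file names are assumptions), performs the same base64-to-DER conversion, verifies the round trip by SHA-256, and then reports the leaf CN and how many certificates the bundle carries, which tells you which subject-name to configure and whether you are importing just the leaf or a whole chain.

```shell
#!/bin/sh
# Added example: inspect an ASA-style PKCS12 export before importing it on CME.
# Requires openssl. Nothing here touches a real ASA or router.
set -e

# Constructed stand-in for the ASA export: self-signed cert + key, bundled as
# PKCS12, then base64-encoded the way the ASA prints it on the terminal.
make_demo_export() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -passout pass:demo -out "$dir/export.p12"
    openssl base64 -in "$dir/export.p12" -out "$dir/export.b64"
}

# Step from the thread: base64 text -> binary (DER) PKCS12 that IOS accepts.
b64_to_der() {
    openssl base64 -d -in "$1" -out "$2"
}

# SHA-256 of a file, used to prove the decode reproduced the original bundle.
sha256_of() {
    openssl dgst -r -sha256 "$1" | cut -d' ' -f1
}

# CN of the identity (leaf) cert: this is the subject-name the trustpoint needs.
leaf_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=//'
}

# Number of certificates in the bundle: 1 means leaf only, more means a chain
# (leaf plus intermediate/root), which bears on the leaf-vs-root choice.
cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone run: set RUN_DEMO=1 to execute the whole flow in a temp dir.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_demo_export "$d"
    b64_to_der "$d/export.b64" "$d/roundtrip.p12"
    echo "original : $(sha256_of "$d/export.p12")"
    echo "decoded  : $(sha256_of "$d/roundtrip.p12")"
    echo "leaf CN  : $(leaf_cn "$d/roundtrip.p12" demo)"
    echo "certs    : $(cert_count "$d/roundtrip.p12" demo)"
fi
```

If `cert_count` reports more than one certificate, the bundle carries intermediates as well as the identity cert; if it reports one, only the leaf is present, which matches the case in this thread where the `leaf` option was the one that worked.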

Yeah that is what I am doing.  The message I am getting is below but makes me think the trustpoint for the root is needed, and mine must not be correct.  Did you have to convert the GoDaddy cert or do anything special to get that trustpoint working?  

The GoDaddyWC is the exported wildcard cert from my ASA, just FYI. 

% Warning: CA cert is not found. The imported certs might not be usable.

CRYPTO_PKI: Import PKCS12 operation failed to create trustpoint GoDaddyWC

I will try a few other things and let you know if I figure anything out. 

hmm. Which GoDaddy cert did you import into the ASA before importing the WC Identity cert?
