ASA 5505 CSR problem

andrewswanson · ‎10-28-2008

hello

i'm trying to generate a csr on an ASA 5505 (ASDM 6.1(1) ASA v8.0(3)) for our new SSL VPN service. i followed the documentation at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml and submitted the csr to our 3rd party vendor Globalsign.

a few days later the request was rejected due "to the inclusion of an unstructuredName element within the subject of the CSR."

when i generate the csr (either from cli or asdm), the resultant csr contains

unstructuredName=IA5STRING:<my_fqdn>

where my_fqdn is the name i used in the CN field.

i tried generating a csr for the asa with openssl and submitted that to globalsign which was successful but get the error "Certificate does not contain general purpose public key" when i try to install it.

any ideas or pointers appreciated.

thanks

andy

andrewswanson · ‎10-29-2008

got this working - i was half way there. when the original csr (from the asa) was rejected by globalsign i generated a csr using openssl:

openSSL>req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

when i received the cert from globalsign i combined it with my key:

openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass: -passout pass:

then went to ASA and Configuration->Device Management->Certificate Management->Identity Certificates. selected Add and 'import identity certificate form file' - used output file from last openssl statement with password and cert imported ok