Solved: Re: FMC "Fail to configure CA certificate"

kostasthedelegate · ‎03-31-2020

Hello,

I have FTD 2110 and anyconnect VPN.

I have to renew the certificate for the VPN.

I have successfully added the new cert in the below path

Add Certificate Enrollment στα Objects -> PKI -> Cert Enrollment.

But when go to assign the cert to the device (Devices -> Certificates) i get the below error Fail to configure CA certificate

Any ideas?

Thanks and regards,

Konstantinos

kostasthedelegate · ‎04-01-2020

The solution was to add to the certificate the whole certification path. Then it worked.
Regards,
Konstantinos

View solution in original post

Cristian Matei · ‎03-31-2020

Hi,

Most probably you have not imported the full certificate chain, including the CA and any intermidiate CA’s certificates.

Regards,

Cristian Matei.

kostasthedelegate · ‎03-31-2020

Hello Cristian,

Indeed the chain was not present.
I installed the root and intermediate in the External Certs. It did not work though it showed the same error.
I installed them in the Trusted as well, but the same.
When I did the cert enrollment the file had .pfx is that ok?

Regards,
Konstantinos

Cristian Matei · ‎03-31-2020

Convert it to PEM.

kostasthedelegate · ‎03-31-2020

And the enrollment type?

kostasthedelegate · ‎04-01-2020

The solution was to add to the certificate the whole certification path. Then it worked.
Regards,
Konstantinos

Glen Lamison · ‎04-07-2020

Hi Konstantinos,

What is the process to add to the certificate the whole certification path? I'm attempting to do the same thing but I'm still getting the "Fail to configure CA certificate" status.

Thanks,

Glen

kostasthedelegate · ‎04-07-2020

Hello Glen,

Well, I used the program xca.
I imported the three certificates (root, intermediate and the mentioned one) and the private key and exported them as one. I think it needs .p12 suffix.

Regards,
Konstantinos

Glen Lamison · ‎04-08-2020

Konstantinos,

Thank you very much. I was able to create a single pfx file with the whole chain and got it working.

Thanks again,

Glen

nick.williams5 · ‎09-22-2020

Konstantinos,

Thank you much for this solution. After a bit of struggling, this was the solution for me. For whatever reason, simply importing the root/intermediate CAs into the "Trusted CAs" objects just would not do it. I also did not have luck using the private key + CAs together using the "manual" function.
Using XCA, I imported all three certs, as well as the private key. After that I did export -> PKCS#12 chain (.p12). I then imported that cert file (with pass phrase) into the FMC and it properly imported without CA errors.

mohsen.houshyar. · ‎09-04-2022

Thank you. You solve my FMC problem. there is two PFX file type in XCA. PKCS #12 (.pfx) and PKCS #12 chain (.pfx)
I export as PKCS #12 Chain (.pfx).

atsukane · ‎12-11-2023

@mohsen.houshyar. (sorry to pick you but since you're the last person to post in this thread...)

Quick question regarding the private key part, where did you get that from? Did you generate it on XCA as well?

When enrolling a new certificate on FMC, there's a Key tab but I did not do anyting there and it's got "<default-RDA_key>".

thanks,