Hi,
Basically I am trying to achieve what's documented in
http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704
(using ASDM: "crypto ca import" = Remote Access VPN -> Certificate Management -> Code Signer -> Import)
I give a complete PKCS12 bundle (unencrypted private key + certificates up to the root CA) to the ASA.
I can indeed verify that it has been imported correctly by exporting it again:
crypto ca export CodeSignerBundle pkcs12 1234
It shows me the private key and all the certificates.
However, the jars used in WebVPN, while carrying the correct certificate, don't have a full certification chain at their disposal:
Using jarsigner -verify I see on a random file from the jar:
sm 905 Fri Nov 30 00:00:00 CET 1979 Java/lang/CpUtf8.class
X.509, CN=COMMONNAME, O=ORGANIZATION, L=LOCATION, ST=STATE, C=COUNTRY
[certificate is valid from 8/1/13 4:30 PM to 8/1/16 4:30 PM]
X.509, CN=LuxTrust Qualified CA, O=LuxTrust S.A., C=LU
[certificate is valid from 6/5/08 11:25 AM to 10/18/16 12:40 PM]
[CertPath not validated: Path does not chain with any of the trust anchors]
Indeed the certificate file inside the jar (META-INF/.....RSA) does not contain what I uploaded to the ASA. One of the intermediary certificates is missing (while another certificate is listed twice).
What could be the problem here? (ASA v8.2(5))
Thanks for any help,
Marki
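
Added example, not part of the original post: one way to audit the certificates embedded in a jar's signature block for the symptom described above (an intermediate missing, another listed twice). It assumes the block was dumped as text with `openssl pkcs7 -inform DER -in META-INF/<NAME>.RSA -print_certs`; the sample input and all names in it are constructed placeholders.

```python
from collections import Counter

# Constructed sample of `openssl pkcs7 ... -print_certs` output.
# Names are placeholders, not the certificates from the post.
SAMPLE = """\
subject=CN = signer.example, O = Example Org
issuer=CN = Example Issuing CA

subject=CN = Example Issuing CA
issuer=CN = Example Policy CA

subject=CN = Example Issuing CA
issuer=CN = Example Policy CA

subject=CN = Example Root CA
issuer=CN = Example Root CA
"""


def parse_certs(text):
    """Return [(subject, issuer), ...] in the order the certs are listed."""
    certs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return certs


def audit_chain(certs):
    """Report duplicate entries and issuers that are absent from the bundle.

    Matching is by DN string only; it locates gaps but does not verify
    signatures.
    """
    counts = Counter(certs)
    duplicates = sorted(s for (s, _), n in counts.items() if n > 1)
    subjects = {s for s, _ in certs}
    # An issuer that is not itself a subject in the bundle marks a gap;
    # self-signed certs (roots) are skipped.
    missing = sorted({i for s, i in certs if i != s and i not in subjects})
    return {"duplicates": duplicates, "missing_issuers": missing}


if __name__ == "__main__":
    print(audit_chain(parse_certs(SAMPLE)))
```

A missing issuer at the very top of a chain can be expected when the root lives only in the verifier's trust store; a missing issuer between two embedded certificates is the gap that makes path building fail.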