Failed to parse or verify imported certificate

corycandia
Level 1

Experts,

I have another trustpoint certificate import issue, but I've checked the usual suspects mentioned in all the other posts.  Any ideas?

Version 15.7(3)M8, RELEASE SOFTWARE (fc1)

Error Message:

crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]
% Failed to parse or verify imported certificate

Things I've checked:

  • NTP setup / show clock has right time
  • Existing RSA key
  • router hostname and ip domain set

We have an existing trustpoint with a working identity certificate being used by webvpn/AnyConnect.  I used the same process/commands, but this time we are going from a single internal corporate root CA, to an internal issuing CA, so now there's a chain involved.  I'm following the Cisco example I've found, but same error every time. (Configure CA Signed Certificates with IOS XE PKI - Cisco)(Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE - Cisco Community) These didn't help.

Configs and Commands:

crypto pki trustpoint ROOT-CA_TRUSTPOINT
enrollment terminal pem
revocation-check none

crypto pki authenticate ROOT-CA_TRUSTPOINT
[copy/paste]

crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
enrollment terminal pem
serial-number none
ip-address none
revocation-check none
fqdn carm-gateway.subdomain.domain.com
subject-alt-name carm-gateway.subdomain.domain.com
subject-name CN=carm-gateway.subdomain.domain.com,OU=NETWORKING,O=ORG,ST=ST,C=US

crypto pki enroll IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT

crypto pki authenticate IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
[copy/paste]

crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]
% Failed to parse or verify imported certificate

Debug crypto pki show:

Oct 17 22:34:06.461: CRYPTO_PKI: make trustedCerts list for IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
Oct 17 22:34:06.461: CRYPTO_PKI: subject="cn=DSMAN-ISSUING-CA,o=ORG,st=ST,c=US" serial number= XX F8 BB 1D 24 24 17 CB 52 1E 46 32 XX XX XX E9
 
Oct 17 22:34:06.465: PKI:get_cert IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT 0x10 (expired=0):
Oct 17 22:34:06.473:  CRYPTO_PKI: Deleting cached key having key id 10
Oct 17 22:34:06.473:  CRYPTO_PKI: Attempting to insert the peer's public key into cache
Oct 17 22:34:06.473:  CRYPTO_PKI:Peer's public inserted successfully with key id 11

Oct 17 22:34:06.481:  CRYPTO_PKI: Expiring peer's cached key with key id 11
Oct 17 22:34:06.485: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(2819) : E_NOT_VALIDATED : validation process failed (reason: 9)
Oct 17 22:34:06.485: CRYPTO_PKI: status = 0x751(E_NOT_VALIDATED : validation process failed (reason: %n0)): failed to verify or insert the cert into storage

Doesn't it look like the router thinks the cert is expired?  I checked the dates in the certs, they are correct.

I also tried adding the chain verification command to the intermediate/ident trustpoint just in case:

crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
chain-validation continue ROOT-CA_TRUSTPOINT

And I tried having it stop and just accept from intermediate with no root:

crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
chain-validation stop

Before I throw the router off a bridge, can anyone provide correction or advice?

CARM-GATEWAY#show crypto key mypubkey all
% Key pair was generated at: 10:00:01 EDT Oct 23 2020
Key name: CARM-GATEWAY.subdomain.domain.com
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  KEY NUMBERS
  4B020301 0001
% Key pair was generated at: 20:44:47 EDT Jun 30 2023
Key name: CARM-GATEWAY.subdomain.domain.com.server
Key type: RSA KEYS
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  KEY NUMBERS
  7425990A 960BBFD1 378C40CC 871EB355 AE37B7C1 FE02F9C0 97020301 0001
CARM-GATEWAY#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): SERIAL ending E8
  Certificate Usage: Signature
  Issuer:
    cn=ROOT CA
    o=ORG
    st=ST
    c=US
  Subject:
    cn=ROOT CA
    o=ORG
    st=ST
    c=US
  Validity Date:
    start date: 16:58:08 EDT Jul 10 2023
    end   date: 15:58:08 EST Jul 3 2048
  Associated Trustpoints: ROOT-CA_TRUSTPOINT

CA Certificate
  Status: Available
  Certificate Serial Number (hex): SERIAL ending E9
  Certificate Usage: Signature
  Issuer:
    cn=ROOT CA
    o=ORG
    st=ST
    c=US
  Subject:
    cn=DSMAN-ISSUING-CA
    o=ORG
    st=ST
    c=US
  CRL Distribution Points:
    http://pki.domain.com/pki/root-ca.crl
  Validity Date:
    start date: 17:32:35 EDT Jul 10 2023
    end   date: 16:32:35 EST Jul 3 2048
  Associated Trustpoints: IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT

They sure don't look expired, no wrong date bug from old days...
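An off-box pre-check for a root -> issuing CA -> identity chain like the one above, added here as an example that is not from the post or from Cisco: it assumes the `cryptography` Python package, builds a constructed chain in memory with the names from the post and throwaway keys, and applies the three checks a router applies on import (the issuer is an authenticated subject, the issuer's key verifies the signature, and the router clock falls inside the validity window), so a chain or clock problem shows up before anything is pasted into the trustpoint.

```python
# Added example (not from the post or Cisco): off-box chain pre-check; needs 'cryptography'.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "ORG")])

def make_cert(subject_cn, issuer_cn, issuer_key, pubkey, not_before, days, is_ca):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_demo_chain():  # constructed chain, names from the post, throwaway keys
    root_key, ca_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    t0 = datetime(2023, 7, 10, tzinfo=timezone.utc)
    root = make_cert("ROOT CA", "ROOT CA", root_key, root_key.public_key(), t0, 9125, True)
    issuing = make_cert("DSMAN-ISSUING-CA", "ROOT CA", root_key, ca_key.public_key(), t0, 9125, True)
    leaf = make_cert("carm-gateway.subdomain.domain.com", "DSMAN-ISSUING-CA", ca_key,
                     leaf_key.public_key(), t0 + timedelta(days=100), 365, False)
    return root, issuing, leaf

def check_chain(leaf, trusted, now):
    """Checks a router makes on 'crypto pki import': the issuer is an authenticated
    subject, its key verifies the signature, and 'now' is inside the validity window."""
    pool = {c.subject.rfc4514_string(): c for c in trusted}
    problems, cert = [], leaf
    while True:
        cn = cert.subject.rfc4514_string()
        nb, na = (getattr(cert, a + "_utc", None) or getattr(cert, a).replace(tzinfo=timezone.utc)
                  for a in ("not_valid_before", "not_valid_after"))  # old/new attribute names
        if not nb <= now <= na:
            problems.append(f"{cn}: clock {now:%Y-%m-%d} outside {nb:%Y-%m-%d}..{na:%Y-%m-%d}")
        issuer = pool.get(cert.issuer.rfc4514_string())
        if issuer is None:
            return problems + [f"{cn}: issuer {cert.issuer.rfc4514_string()} not authenticated"]
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return problems + [f"{cn}: signature does not verify with {issuer.subject.rfc4514_string()}"]
        if issuer is cert:  # reached the self-signed root: chain complete
            return problems
        cert = issuer
```

Passing only the root as `trusted` reproduces the case where the issuing CA was never authenticated into the trustpoint; passing a clock before the identity certificate's start date reproduces a clock or date problem.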
