Failed to parse or verify imported certificate

corycandia · ‎10-18-2023

Experts,

I have another trustpoint certificate import issue, but I've checked the usual suspects mentioned in all the other posts. Any ideas?

Version 15.7(3)M8, RELEASE SOFTWARE (fc1)

Error Message:

crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]
% Failed to parse or verify imported certificate

Things I've checked:

NTP setup / show clock has right time
Existing RSA key
router hostname and ip domain set

We have an existing trustpoint with a working identify certificate being used by webvpn/AnyConnect. I used the same process/commands, but this time we are going from a single internal corporate root CA, to an internal issuing CA, so now there's a chain involved. I'm following the cisco example I've found, but same error everytime. (Configure CA Signed Certificates with IOS XE PKI - Cisco)(Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE - Cisco Community) These didn't help.

Configs and Commands:

crypto pki trustpoint ROOT-CA_TRUSTPOINT
enrollment terminal pem
revocation-check none

crypto pki authenticate ROOT-CA_TRUSTPOINT
[copy/paste]

crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
enrollment terminal pem
serial-number none
ip-address none
revocation-check none
fqdn carm-gateway.subdomain.domain.com
subject-alt-name carm-gateway.subdomain.domain.com
subject-name CN=carm-gateway.subdomain.domain.com,OU=NETWORKING,O=ORG,ST=ST,C=US

crypto pki enroll IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT

crypto pki authenticate IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
[copy/paste]

crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]

% Failed to parse or verify imported certificate

Debug crypto pki show:

Oct 17 22:34:06.461: CRYPTO_PKI: make trustedCerts list for IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
Oct 17 22:34:06.461: CRYPTO_PKI: subject="cn=DSMAN-ISSUING-CA,o=ORG,st=ST,c=US" serial number= XX F8 BB 1D 24 24 17 CB 52 1E 46 32 XX XX XX E9
 
Oct 17 22:34:06.465: PKI:get_cert IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT 0x10 (expired=0):
Oct 17 22:34:06.473:  CRYPTO_PKI: Deleting cached key having key id 10
Oct 17 22:34:06.473:  CRYPTO_PKI: Attempting to insert the peer's public key into cache
Oct 17 22:34:06.473:  CRYPTO_PKI:Peer's public inserted successfully with key id 11

Oct 17 22:34:06.481:  CRYPTO_PKI: Expiring peer's cached key with key id 11
Oct 17 22:34:06.485: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(2819) : E_NOT_VALIDATED : validation process failed (reason: 9)
Oct 17 22:34:06.485: CRYPTO_PKI: status = 0x751(E_NOT_VALIDATED : validation process failed (reason: %n0)): failed to verify or insert the cert into storage

Doesn't it look like the router thinks the cert is expired? I checked the dates in the certs, they are correct.

I also tried adding the chain verification command to the intermediate/ident trustpoint just in case:

crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
chain-validation continue ROOT-CA_TRUSTPOINT

And I tired having it stop and just accept from intermediate with no root:

crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
chain-validation stop

Before I throw the router off a bridge, can anyone provide correction or advise?

CARM-GATEWAY#show crypto key mypubkey all
% Key pair was generated at: 10:00:01 EDT Oct 23 2020
Key name: CARM-GATEWAY.subdomain.domain.com
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  KEY NUMBERS
  4B020301 0001
% Key pair was generated at: 20:44:47 EDT Jun 30 2023
Key name: CARM-GATEWAY.subdomain.domain.com.server
Key type: RSA KEYS
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  KEY NUMBERS
  7425990A 960BBFD1 378C40CC 871EB355 AE37B7C1 FE02F9C0 97020301 0001

CARM-GATEWAY#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): SERIAL ending E8
  Certificate Usage: Signature
  Issuer:
    cn=ROOT CA
    o=ORG
    st=ST
    c=US
  Subject:
    cn=ROOT CA
    o=ORG
    st=ST
    c=US
  Validity Date:
    start date: 16:58:08 EDT Jul 10 2023
    end   date: 15:58:08 EST Jul 3 2048
  Associated Trustpoints: ROOT-CA_TRUSTPOINT

CA Certificate
  Status: Available
  Certificate Serial Number (hex): SERIAL ending E9
  Certificate Usage: Signature
  Issuer:
    cn=ROOT CA
    o=ORG
    st=ST
    c=US
  Subject:
    cn=DSMAN-ISSUING-CA
    o=ORG
    st=ST
    c=US
  CRL Distribution Points:
    http://pki.domain.com/pki/root-ca.crl
  Validity Date:
    start date: 17:32:35 EDT Jul 10 2023
    end   date: 16:32:35 EST Jul 3 2048
  Associated Trustpoints: IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT

They sure don't look expired, no wrong date bug from old days...

pieterh · ‎10-18-2023

crypto pki authenticate IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
[copy/paste]

crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]

% Failed to parse or verify imported certificate

you may need to add a "quit" between the first pasted data and the second crypto pki command
if the copied data contains lines with ----- begin/end certificate -----, you need to remove those lines

corycandia · ‎10-19-2023

@pieterh wrote:
crypto pki authenticate IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
[copy/paste]

crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]
% Failed to parse or verify imported certificate
you may need to add a "quit" between the first pasted data and the second crypto pki command
if the copied data contains lines with ----- begin/end certificate -----, you need to remove those lines

I didn't specify in the post, I was doing each step one by one. I was using 'quit' on the next line instead of a blank line.

I was keeping the cert begin/end header/footer when copying in, so I changed that this time, got some new results, but still failed.

1. Removed all trustpoints and created root, then intermediate.

2. I pasted in auth certs without header/footer.

This time, after creating the CSR on the intermediate trustpoint, the intermediate trustpoint would not authenticate.

Oct 19 10:17:08.172: CRYPTO_PKI: unlocked trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT, refcount is 0
Oct 19 10:17:08.188: CRYPTO_PKI: crypto_pki_authenticate_tp_cert()
Oct 19 10:17:08.188: CRYPTO_PKI: trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT authentication status = 0
Oct 19 10:17:08.192: CRYPTO_PKI: (74608) Session started - identity not specified
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Check for identical certs
Oct 19 10:17:08.196: CRYPTO_PKI : (74608) Validating non-trusted cert
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Create a list of suitable trustpoints
Oct 19 10:17:08.196: CRYPTO_PKI: Found a issuer match
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Suitable trustpoints are: ROOT-CA_TRUSTPOINT,
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Attempting to validate certificate using ROOT-CA_TRUSTPOINT policy
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Using ROOT-CA_TRUSTPOINT to validate certificate
Oct 19 10:17:08.196: CRYPTO_PKI: Added 1 certs to trusted chain.
Oct 19 10:17:08.196: CRYPTO_PKI: Prepare session revocation service providers
Oct 19 10:17:08.196: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(2819) : E_NOT_VALIDATED : validation process failed (reason: 9)
CARM-GATEWAY(config)#
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Certificate is not verified
Oct 19 10:17:08.196: CRYPTO_PKI: Remove session revocation service providers
Oct 19 10:17:08.196: CRYPTO_PKI: Remove session revocation service providers
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Certificate not validated
Oct 19 10:17:08.196: CRYPTO_PKI: Rcvd request to end PKI session 74608.
Oct 19 10:17:08.196: CRYPTO_PKI: PKI session 74608 has ended. Freeing all resources.
Oct 19 10:17:08.196: CRYPTO_PKI: status = 65535: failed to insert CA cert

So next, I removed the root ca trustpoint, and set the intermediate to: chain-validation stop

I was able to authenticate the trustpoint now, but then importing the identity cert, it failed with:

Oct 19 10:24:11.277: CRYPTO_PKI: make trustedCerts list for IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
Oct 19 10:24:11.281: CRYPTO_PKI: subject="cn=DSMAN-ISSUING-CA,o=ORG,st=ST,c=US" serial number= 0B F8 BB 1D XXXX 4F E9
Oct 19 10:24:11.281: PKI:get_cert IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT 0x10 (expired=0):
Oct 19 10:24:11.289:  CRYPTO_PKI: Deleting cached key having key id 14
Oct 19 10:24:11.289:  CRYPTO_PKI: Attempting to insert the peer's public key into cache
Oct 19 10:24:11.289:  CRYPTO_PKI:Peer's public inserted successfully with key id 15
CARM-GATEWAY(config)#
Oct 19 10:24:11.297:  CRYPTO_PKI: Expiring peer's cached key with key id 15
Oct 19 10:24:11.301: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(2819) : E_NOT_VALIDATED : validation process failed (reason: 9)
Oct 19 10:24:11.301: CRYPTO_PKI: status = 0x751(E_NOT_VALIDATED : validation process failed (reason: %n0)): failed to verify or insert the cert into storage

So, we're back to it inserting something, then immediately expiring something. I guess I'll sit and wait a day and see if it's part of a date bug I'm not tracking.

This seems like it shouldn't be this hard. All the other root and intermediate certs are working and validating correctly with many other internal services, so I don't think one of the CA's is jacked up.

corycandia · ‎10-19-2023

Now I'm wondering if this is related to:

Certificate Validation on CUBE when installing CA signed and Trust certificates - Cisco Community

I have IP contraint, not domain name, but maybe it's the whole constraint validation that Cisco can't do.

MHM Cisco World · ‎10-19-2023

This certificate of new CA ?

corycandia · ‎10-19-2023

Yes, It is a new root CA compared to the existing one used in the router from years ago.

Hermanus Janse van Vuuren · ‎03-06-2025

Had the same issue then I figured out I swapped my ROOT and intermediate certificate on the crypto pki authenticate commands.

Removed the ROOT and intermediate certificates, imported them again by swapping them and server cert got imported successful.

Best Regards