10-18-2023 03:31 AM
Experts,
I have another trustpoint certificate import issue, but I've checked the usual suspects mentioned in all the other posts. Any ideas?
Version 15.7(3)M8, RELEASE SOFTWARE (fc1)
Error Message:
crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]
% Failed to parse or verify imported certificate
Things I've checked:
We have an existing trustpoint with a working identity certificate being used by webvpn/AnyConnect. I used the same process/commands, but this time we are going from a single internal corporate root CA to an internal issuing CA, so now there's a chain involved. I'm following the Cisco example I've found, but get the same error every time. (Configure CA Signed Certificates with IOS XE PKI - Cisco) (Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE - Cisco Community) These didn't help.
Configs and Commands:
crypto pki trustpoint ROOT-CA_TRUSTPOINT
enrollment terminal pem
revocation-check none
crypto pki authenticate ROOT-CA_TRUSTPOINT
[copy/paste]
crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
enrollment terminal pem
serial-number none
ip-address none
revocation-check none
fqdn carm-gateway.subdomain.domain.com
subject-alt-name carm-gateway.subdomain.domain.com
subject-name CN=carm-gateway.subdomain.domain.com,OU=NETWORKING,O=ORG,ST=ST,C=US
crypto pki enroll IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
crypto pki authenticate IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
[copy/paste]
crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]
% Failed to parse or verify imported certificate
Debug crypto pki show:
Oct 17 22:34:06.461: CRYPTO_PKI: make trustedCerts list for IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
Oct 17 22:34:06.461: CRYPTO_PKI: subject="cn=DSMAN-ISSUING-CA,o=ORG,st=ST,c=US" serial number= XX F8 BB 1D 24 24 17 CB 52 1E 46 32 XX XX XX E9
Oct 17 22:34:06.465: PKI:get_cert IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT 0x10 (expired=0):
Oct 17 22:34:06.473: CRYPTO_PKI: Deleting cached key having key id 10
Oct 17 22:34:06.473: CRYPTO_PKI: Attempting to insert the peer's public key into cache
Oct 17 22:34:06.473: CRYPTO_PKI:Peer's public inserted successfully with key id 11
Oct 17 22:34:06.481: CRYPTO_PKI: Expiring peer's cached key with key id 11
Oct 17 22:34:06.485: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(2819) : E_NOT_VALIDATED : validation process failed (reason: 9)
Oct 17 22:34:06.485: CRYPTO_PKI: status = 0x751(E_NOT_VALIDATED : validation process failed (reason: %n0)): failed to verify or insert the cert into storage
Doesn't it look like the router thinks the cert is expired? I checked the dates in the certs, they are correct.
I also tried adding the chain verification command to the intermediate/ident trustpoint just in case:
crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
chain-validation continue ROOT-CA_TRUSTPOINT
And I tried having it stop and just accept from the intermediate with no root:
crypto pki trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
chain-validation stop
Before I throw the router off a bridge, can anyone provide a correction or advice?
CARM-GATEWAY#show crypto key mypubkey all
% Key pair was generated at: 10:00:01 EDT Oct 23 2020
Key name: CARM-GATEWAY.subdomain.domain.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
KEY NUMBERS
4B020301 0001
% Key pair was generated at: 20:44:47 EDT Jun 30 2023
Key name: CARM-GATEWAY.subdomain.domain.com.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
KEY NUMBERS
7425990A 960BBFD1 378C40CC 871EB355 AE37B7C1 FE02F9C0 97020301 0001
CARM-GATEWAY#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): SERIAL ending E8
Certificate Usage: Signature
Issuer:
cn=ROOT CA
o=ORG
st=ST
c=US
Subject:
cn=ROOT CA
o=ORG
st=ST
c=US
Validity Date:
start date: 16:58:08 EDT Jul 10 2023
end date: 15:58:08 EST Jul 3 2048
Associated Trustpoints: ROOT-CA_TRUSTPOINT
CA Certificate
Status: Available
Certificate Serial Number (hex): SERIAL ending E9
Certificate Usage: Signature
Issuer:
cn=ROOT CA
o=ORG
st=ST
c=US
Subject:
cn=DSMAN-ISSUING-CA
o=ORG
st=ST
c=US
CRL Distribution Points:
http://pki.domain.com/pki/root-ca.crl
Validity Date:
start date: 17:32:35 EDT Jul 10 2023
end date: 16:32:35 EST Jul 3 2048
Associated Trustpoints: IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
They sure don't look expired, no wrong date bug from old days...
10-18-2023 05:38 AM - edited 10-18-2023 05:40 AM
crypto pki authenticate IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
[copy/paste]
crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]
% Failed to parse or verify imported certificate
You may need to add a "quit" between the first pasted data and the second crypto pki command.
If the copied data contains lines with ----- begin/end certificate -----, you need to remove those lines.
10-19-2023 03:37 AM
@pieterh wrote:
crypto pki authenticate IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
[copy/paste]
crypto pki import IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT certificate
[copy/paste]
% Failed to parse or verify imported certificate
You may need to add a "quit" between the first pasted data and the second crypto pki command.
If the copied data contains lines with ----- begin/end certificate -----, you need to remove those lines.
I didn't specify in the post, I was doing each step one by one. I was using 'quit' on the next line instead of a blank line.
I was keeping the cert begin/end header/footer when copying in, so I changed that this time, got some new results, but still failed.
1. Removed all trustpoints and created root, then intermediate.
2. I pasted in auth certs without header/footer.
This time, after creating the CSR on the intermediate trustpoint, the intermediate trustpoint would not authenticate.
Oct 19 10:17:08.172: CRYPTO_PKI: unlocked trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT, refcount is 0
Oct 19 10:17:08.188: CRYPTO_PKI: crypto_pki_authenticate_tp_cert()
Oct 19 10:17:08.188: CRYPTO_PKI: trustpoint IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT authentication status = 0
Oct 19 10:17:08.192: CRYPTO_PKI: (74608) Session started - identity not specified
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Check for identical certs
Oct 19 10:17:08.196: CRYPTO_PKI : (74608) Validating non-trusted cert
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Create a list of suitable trustpoints
Oct 19 10:17:08.196: CRYPTO_PKI: Found a issuer match
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Suitable trustpoints are: ROOT-CA_TRUSTPOINT,
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Attempting to validate certificate using ROOT-CA_TRUSTPOINT policy
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Using ROOT-CA_TRUSTPOINT to validate certificate
Oct 19 10:17:08.196: CRYPTO_PKI: Added 1 certs to trusted chain.
Oct 19 10:17:08.196: CRYPTO_PKI: Prepare session revocation service providers
Oct 19 10:17:08.196: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(2819) : E_NOT_VALIDATED : validation process failed (reason: 9)
CARM-GATEWAY(config)#
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Certificate is not verified
Oct 19 10:17:08.196: CRYPTO_PKI: Remove session revocation service providers
Oct 19 10:17:08.196: CRYPTO_PKI: Remove session revocation service providers
Oct 19 10:17:08.196: CRYPTO_PKI: (74608) Certificate not validated
Oct 19 10:17:08.196: CRYPTO_PKI: Rcvd request to end PKI session 74608.
Oct 19 10:17:08.196: CRYPTO_PKI: PKI session 74608 has ended. Freeing all resources.
Oct 19 10:17:08.196: CRYPTO_PKI: status = 65535: failed to insert CA cert
So next, I removed the root ca trustpoint, and set the intermediate to: chain-validation stop
I was able to authenticate the trustpoint now, but then importing the identity cert, it failed with:
Oct 19 10:24:11.277: CRYPTO_PKI: make trustedCerts list for IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT
Oct 19 10:24:11.281: CRYPTO_PKI: subject="cn=DSMAN-ISSUING-CA,o=ORG,st=ST,c=US" serial number= 0B F8 BB 1D XXXX 4F E9
Oct 19 10:24:11.281: PKI:get_cert IDENTITY_DSMAN-ISSUING-CA_TRUSTPOINT 0x10 (expired=0):
Oct 19 10:24:11.289: CRYPTO_PKI: Deleting cached key having key id 14
Oct 19 10:24:11.289: CRYPTO_PKI: Attempting to insert the peer's public key into cache
Oct 19 10:24:11.289: CRYPTO_PKI:Peer's public inserted successfully with key id 15
CARM-GATEWAY(config)#
Oct 19 10:24:11.297: CRYPTO_PKI: Expiring peer's cached key with key id 15
Oct 19 10:24:11.301: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(2819) : E_NOT_VALIDATED : validation process failed (reason: 9)
Oct 19 10:24:11.301: CRYPTO_PKI: status = 0x751(E_NOT_VALIDATED : validation process failed (reason: %n0)): failed to verify or insert the cert into storage
So, we're back to it inserting something, then immediately expiring something. I guess I'll sit and wait a day and see if it's part of a date bug I'm not tracking.
This seems like it shouldn't be this hard. All the other root and intermediate certs are working and validating correctly with many other internal services, so I don't think one of the CAs is jacked up.
10-19-2023 03:45 AM
Now I'm wondering if this is related to:
Certificate Validation on CUBE when installing CA signed and Trust certificates - Cisco Community
I have an IP constraint, not a domain name, but maybe it's the whole constraint validation that Cisco can't do.
10-19-2023 03:46 AM
Is this certificate from the new CA?
10-19-2023 04:56 AM
Yes, it is a new root CA compared to the existing one used in the router from years ago.
03-06-2025 08:10 PM
Had the same issue, then I figured out I had swapped my ROOT and intermediate certificates on the crypto pki authenticate commands.
Removed the ROOT and intermediate certificates, imported them again with the order swapped, and the server cert got imported successfully.