I have a wildcard SSL certificate for our domain from RapidSSL. I installed the intermediary certificates fine but I can't get the actual cert to install. I get the message "Can't Upload Invalid Self Certificate". Has anyone else ever successfully used a wildcard cert with an SA?
I also had a big problem with a regular SSL certificate from RapidSSL. I opened a case with Cisco and after 3 weeks of the most horrible support I have ever experienced I gave up. I bought a new certificate from GoDaddy and that worked right away.
I pointed out to my Cisco tech that there is most likely a bug in the fw, since I tried 3 different providers (GeoTrust, GlobalSign and RapidSSL) and none of them worked. I bet they did not even try to solve my case.
Here is a link to another post about this issue.
Hello Mr. Williamson,
In order to get a new SSL certificate please follow the next instructions:
STEP 1 Click Administration > Authentication.
The Authentication (Certificates) window opens.
STEP 2 For each type of certificate, perform the following actions, as needed:
• To add a certificate, click Upload. You can upload the certificate from the PC
or the USB device. Click Browse, find and select the certificate, and then
• To delete a certificate, check the box to select the certificate, and then click
• To download the router’s certificate (.pem file), click the Download button
under the Download Settings area.
STEP 3 To request a certificate from the CA, click Generate CSR.
The Generate Certification Signing Request window opens.
a. Enter the distinguished name information in the Generate Self Certificate
• Name: Unique name used to identify a certificate.
• Subject: Name of the certificate holder (owner). The subject field populates
the CN (Common Name) entry of the generated certificate and can contain
- CN=Common Name
- OU=Organizational unit
- L=Locality
- ST=State
For example: CN=router1, OU=my_dept, O=my_company, L=SFO, C=US
Whatever name you choose will appear in the subject line of the generated
CSR. To include more than one subject field, enter each subject separated
by a comma. For example: CN=hostname.domain.com, ST=CA, C=USA
• Hash Algorithm: Algorithm used by the certificate. Choose between MD5
• Signature Algorithm: Algorithm (RSA) used to sign the certificate.
• Signature Key Length: Length of the signature, either 512 or 1024.
• (Optional) IP Address, Domain Name, and Email Address
b. Click Generate.
A new certificate request is created and added to the Certification Signing
Request (CSR) table. To view the request, click the View button next to the
certificate you just created.
Or you could check it at the next link. Please check page 191.
I hope you find this answer useful. If it was satisfactory for you, please mark the question as Answered.
There are two problems here.
1) There is a bug in your firmware that prevents the upload of some certificates from public CAs. You can read about it in my previous post and link. However, it seems Cisco has fixed it in the new fw for the rw220. I have seen it was addressed in the release notes, but I have not tried it since I already got myself a working SSL cert from GoDaddy. Most likely your firmware does not include the fixes.
2) Your firmware can't handle more than 1024 bits encryption. Since NONE of the major CAs will sign anything lower than 2048 bits, you will have little to no luck getting your CSR request signed. 1024 bits is considered weak, and therefore since the start of 2012 all big CAs will only supply 2048 bits signing.
So basically, even if you managed to find a CA that "could" work with the bug in the fw from #1, you will most likely never get a 1024 bits encryption since it's not supported any more. Sorry to say it, but basically you are screwed until Cisco manages to fix the firmware to include the bug fix and support for 2048 bits encryption.
If you need a public SSL certificate I would change my firewall straight away unless Cisco staff can give you an ETA on a working firmware. The change to 2048 bits was made around January. Now one would think that Cisco would provide the 2048 bits support before all major CAs stopped the 1024 bits signing. I bet most of the support staff don't even know this. It's easy to point one to a FAQ or support doc without even knowing that it won't work in your case. Most likely they have not even tried doing a public CA request, since then they would know this.
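The key-length and hash settings discussed in this thread can be checked on a workstation before a CSR is sent to a CA or a certificate is uploaded to a device. The script below is an added example, not part of the thread or of Cisco's documentation; it assumes the `openssl` command-line tool is installed, and the function names and the `MIN_BITS` variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: report the RSA key length and signature
# hash of a PEM CSR or certificate before it goes to a CA or onto a device.

pem_text() {   # decode a CSR or a certificate to openssl's text form
  if   grep -q -e 'CERTIFICATE REQUEST-----' "$1"; then openssl req  -in "$1" -noout -text
  elif grep -q -e 'BEGIN CERTIFICATE-----' "$1";   then openssl x509 -in "$1" -noout -text
  else return 1; fi
}

key_bits() { pem_text "$1" | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1; }
sig_alg()  { pem_text "$1" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1; }

# Returns 0 if nothing is flagged, 1 for a weak key or hash, 2 if unreadable.
# MIN_BITS defaults to 2048, the minimum the thread says public CAs will sign.
check_pem() {
  local f="$1" min="${MIN_BITS:-2048}" bits alg rc=0
  pem_text "$f" 2>/dev/null | grep -q 'Public Key Algorithm: rsaEncryption' ||
    { echo "$f: not a readable RSA CSR or certificate"; return 2; }
  bits=$(key_bits "$f"); alg=$(sig_alg "$f")
  if [ "$bits" -lt "$min" ]; then
    echo "$f: RSA key is $bits bits, below the $min-bit minimum"; rc=1
  fi
  case "$alg" in
    md5*) echo "$f: signed with $alg; MD5 is not collision resistant"; rc=1 ;;
  esac
  [ "$rc" -ne 0 ] || echo "$f: ok ($bits-bit RSA, $alg)"
  return "$rc"
}

# Constructed sample input: a throwaway key and CSR whose subject is the example
# from the quoted instructions. Arguments: key size in bits, output directory.
make_sample_csr() {
  openssl req -new -newkey "rsa:$1" -nodes -sha256 -keyout "$2/sample-$1.key" \
    -subj '/C=US/L=SFO/O=my_company/OU=my_dept/CN=router1' \
    -out "$2/sample-$1.csr" 2>/dev/null && echo "$2/sample-$1.csr"
}

# Run as "script demo" to check one 1024-bit and one 2048-bit sample CSR.
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  for n in 1024 2048; do check_pem "$(make_sample_csr "$n" "$d")"; done
  rm -rf "$d"
fi
```

Running `check_pem` on the CSR downloaded from the device shows whether the request itself is what a CA would reject, separately from any upload problem on the device side.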