cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.

5430
Views
5
Helpful
17
Replies
afgoldberg1
Beginner

SA520W: difficulty getting self certificate request signed by trusted 3rd party

Please forgive me if this is a dumb question or if I am fundamentally confused, but I have pored over the manual, forum, and web.  Very simply I need a trusted third party to sign my CSR and then for the SA520W to accept it as the active self certificate.  In principle this is straightforward but I cannot figure out how to make this work in practice.  Two examples.

1) GoDaddy:  they require a 2048 bit signature and the router only generates 1024.  I can generate my own CSR with OpenSSL but then am unable to upload my 2048 bit key to the router, and thus the signed certificate is not accepted

2)  Verisign.  They will take the router's 1024 bit signature, but they require lots of fields in the CSR, like country and state, that are not supported by the router's generate CSR function.  Thus Verisign will not accept the CSR.

Is there any way to get the router to accept a CSR signed by GoDaddy?  Or any CA?

Thanks in advance.

Andy

17 REPLIES 17

Andrew,

Thanks for the followup.

I should be very specific - the issue was entirely related to GeoTrust certs as far as I could tell. I am sure from many other reports that GoDaddy and other cert providers would have worked, but a mass move of CA would have cost more than replacing the device.

So, just to be really clear for anyone reading, it's not that the device doesn't work - just that we never managed to get GeoTrust certs to work.

Best wishes,

Ben.

Hi i would like to add my 2 cents from my Certification nightmare.

I have created an csr request 2048 bits end sent to a public CA. After i recived my cert from AlphaSSL i first uploaded Globalsign root cert and the cert from alphassl. Both are accepted by my RV220. After this i try to upload my certificate but im not avalible to, invalid certificate error.

Now i have read the admin guide and generated different request's 5 times, with differnet subject names to include city, state etc spot on from the manual. Nothing works... My ssl provider is probably wondering what im doing.....

I have already open a case at cisco, but after 2 weeks my problem is still unresolved. Im almost convinsed there is something wrong with how the device handles certificates.

So until my case is resolved i can conclude that alphassl that uses globalsign root does not work.I registerd for an free 30 day ssl test certificate from RapidSSL that did not work eighter. Also from Ben's post GeoTrust does not work eighter. So why the ***** does not the manual or something states this providers works, this provider does not or something like that. Or hey why don't cisco TEST the damn feature!!!

I have now spent 200$ on a certificate that does not work and also notice others have the same error WOW...

Can someone confirm that godaddy works and what kind of certificate you bought?

SSL Providers that does not work:

Geotrus, Globalsing, Rapidssl

Having an "working" option to the user to use and public ssl certificate is essential on a SSL VPN Firewall.

Hi Steven,

In my implementation, I need to establish an IPSec L2L tunnel between SA520 and ASA with PKI.

However, SA520 doesn't accept the certificate which was signed by a trusted standalone CA server (Microsoft CA on Windows Server 2003). This certificate was generated in the format of IPSec template. When I try to activate the certificate on SA520, it notifies me as: "Invalid purpose, Can't upload self-signed certificate". Could you please help me?

If the CA generates certificate in the format of WebServer template, the SA520 can import successfully, however it's not the case for IPSec template. Is it a bug?

SA520's firmware is 2.1.51.

Regards,

Tuan