10-22-2013 05:05 AM
Hi guys,
I've been spending a lot of time trying to install our company wildcard certificate into the ASA for use with AnyConnect, but have been failing miserably continuously. I've read a lot of posts, but don't really know what I am doing.
From our webserver I retrieved DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.
The DigiCertCA.crt file is the certificate called "DigiCert High Assurance CA-3" on website: https://www.digicert.com/digicert-root-certificates.htm
with serial "0A5F114D035B179117D2EFD4038C3F3B".
On the ASA I've checked that I have no trustpoint present. The commands: "sh crypto ca certificates" and "sh crypto ca trustpoints" yield no output.
Okay, so lets start configuring and run into issues:
ASA(config)# crypto ca trustpoint star.mycompany.com
ASA(config-ca-trustpoint)# fqdn webvpn.mycompany.com
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# revocation-check none
ASA(config-ca-trustpoint)# exit
ASA(config)# crypto ca authenticate star.mycompany.com
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
### CONTENTS OF DigiCertCA.crt ###
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: c68b9930 c8578d41 6f8c094e 6adb0c90
Do you accept this certificate? [yes/no]: yes
Trustpoint 'star.mycompany.com' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported
ASA(config)# crypto ca import star.mycompany.com certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: webvpn.mycompany.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
### CONTENTS OF star.mycompany.com_cert.pem ###
-----END CERTIFICATE-----
quit
Cannot import certificate -
Certificate does not contain device's General Purpose public key
for trust point star.mycompany.com
ERROR: Failed to parse or verify imported certificate
ASA(config)#
Please help me out!! I'm no guru with certificates.
Kind regards,
Tom van Leeuwen
10-22-2013 05:42 AM
Tom,
you have to create a PKCS12 container which includes certificate, key and CA.
I only know how to do this with Linux, no idea with Windows
Michael
Please rate all helpful posts
10-22-2013 06:07 AM
Luckily I'm running Ubuntu and I've got it to work!
root.crt:
cat DigiCertHighAssuranceEVRootCA.pem DigiCertCA.crt > root.crt
openssl pkcs12 -export -in star.mycompany.com_cert.pem -inkey star.mycompany.com_key.pem -certfile root.crt -out bundle.p12
Enter Export Password: secret
Verifying - Enter Export Password: secret
cat bundle.p12 | base64
On the ASA:
ASA(config)# crypto ca import star.mycompany.com pkcs12 secret
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
# BASE64 OUTPUT OF bundle.p12 #
quit
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully
ssl trust-point star.mycompany.com outside
Works!
Thanks!!!
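The procedure above, as an added example that is not part of the original thread: a small shell script that checks the private key actually belongs to the wildcard certificate and that the certificate chains to the CA file before it builds the PKCS#12 bundle and base64-encodes it for `crypto ca import <trustpoint> pkcs12 <password>`. The key check is the one that explains the original error: `crypto ca import ... certificate` on its own can only succeed when the ASA generated the keypair and CSR for that trustpoint, so a key generated on the web server has to travel to the ASA inside the PKCS#12. File names follow the post; the password `secret`, the script name `asa-pkcs12.sh` and the constructed test CA are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: prepare a PKCS#12 bundle
# (certificate + private key + CA chain) for a Cisco ASA trustpoint import.
# Requires openssl. File names follow the post; the password is an assumption.
set -eu

# Compare the public key inside the certificate with the one derived from the
# private key. When the key is not the one the cert was issued for (or is not
# on the ASA at all), the ASA reports "Certificate does not contain device's
# General Purpose public key".
key_matches_cert() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey |
             openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Confirm the leaf certificate chains to the CA file that will be bundled
# (intermediate plus root, e.g. DigiCertCA.crt + DigiCertHighAssuranceEVRootCA.pem).
chain_verifies() {
  local cert="$1" chain="$2"
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Build the bundle and print it base64-encoded, ready to paste after
# "crypto ca import <trustpoint> pkcs12 <password>" on the ASA.
build_asa_pkcs12() {
  local cert="$1" key="$2" chain="$3" password="$4" out="$5"
  key_matches_cert "$cert" "$key" ||
    { echo "error: private key does not match certificate" >&2; return 1; }
  chain_verifies "$cert" "$chain" ||
    { echo "error: certificate does not chain to CA file" >&2; return 1; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -passout "pass:$password" -out "$out"
  chmod 600 "$out"             # the bundle contains the private key
  openssl base64 -in "$out"    # 64-column lines, fine for a terminal paste
}

# Usage (file names from the thread; 'secret' is the assumed import password):
#   ./asa-pkcs12.sh star.mycompany.com_cert.pem star.mycompany.com_key.pem root.crt secret bundle.p12
if [ "$#" -eq 5 ]; then
  build_asa_pkcs12 "$@"
fi
```

Paste the output after `crypto ca import star.mycompany.com pkcs12 secret`, answer `yes` to creating trustpoints for the higher CAs so the intermediate and root land on the ASA as well, then bind it with `ssl trust-point star.mycompany.com outside`. Two caveats: OpenSSL 3.x defaults to AES-256-CBC with PBKDF2 for PKCS#12 encryption, and older ASA releases may refuse such a bundle, in which case add `-legacy` to the `openssl pkcs12 -export` line; and because `bundle.p12` and the shell history now hold the wildcard private key and its password, delete both once the import succeeds.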
10-22-2013 06:08 AM
Linux rocks
Thanks for rating
Michael
Please rate all helpful posts