
ASA SSLVPN certificate chain install problem

horvaia
Level 1

Hello,

I have the following problem:

I ordered a certificate from Geotrust. Geotrust signed my certificate with an intermediate certificate. The problem is that the ASA needs the Geotrust global certificate to be installed to accept my device certificate (the intermediate certificate needs to be authenticated as well). When I install my device certificate on the firewall I got this error:

"ERROR: Failed to parse or verify imported certificate"

I do not know how to add two authentication certificates on the ASA.

I need a solution similar to this one:

https://supportforums.cisco.com/docs/DOC-15367

So the question is how to arrange the installed certificates into a chain on the Cisco ASA.

My firewall firmware/type is:

Cisco Adaptive Security Appliance Software Version 8.3(2)

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Please help, I am out of ideas.

Andras

11 Replies

Herbert Baerten
Cisco Employee

Hi Andras,

Configure 2 trustpoints, import the root into one, and import the intermediate and identity certs into the other.

If this doesn't work please tell us what error message you get at which step.

hth

Herbert

Hi Herbert,

First of all, thank you for your answer. What you wrote is what I tried, but with no luck. I got the same error message, "ERROR: Failed to parse or verify imported certificate", as before. The error message came when I tried to add the identity cert to the device.

Andras

Which command are you using to import the identity cert? "crypto ca import ..."?

What format is the cert in?

The command I use to import the identity cert: crypto ca import TRUSTPOINT_NAME certificate

The cert is in base64 format (the chars between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

The error is:

ERROR: Failed to parse or verify imported certificate

I got this note before importing (but this should not be the problem):

WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes

Are you including the BEGIN and END lines? Please do.

If that does not help, enable "debug crypto ca ..." (all of it) and try again.

Could you post the certificate (or send it to me in a private message if you prefer)?

Herbert

Hi,

Yes, I include the BEGIN and the END statements.

Here is the output of the debug:

ERROR: Failed to parse or verify imported certificate
FW01/act(config)#
Read 1172 bytes as CA certificate:0‚0‚x
CRYPTO_PKI(make trustedCerts list)
CRYPTO_PKI: Failed to verify the ID certificate using the CA certificate in trustpoint my.geotrust.tp.
CERT-C: E ../cert-c/source/p7contnt.c(167) : Error #703h
crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI: status = 1795: failed to verify or insert the cert into storage

The debug commands:

FW01/act# show debug crypto ca
debug crypto ca enabled at level 255
FW01/act# show debug crypto ca messages
debug crypto ca messages enabled at level 255
FW01/act# show debug crypto ca server
debug crypto ca server enabled at level 255
FW01/act# show debug crypto ca transactions
debug crypto ca transactions enabled at level 255

I need to get permission to send you the id certificate.

OK, I'd really like to have a look at the cert itself. Note that I'm only asking for the certificate (which is "public"; after all, the ASA will send it to anyone trying to connect to it), not the private key.

Yes, you are right. I sent the cert to your private account.

Thanks, I've done a quick test trying to generate a new cert in my lab, with the same Subject as yours, and my ASA complains that it is not in X.500 format.

The problem seems to be the empty ST field. If I change "ST=," to "ST=XX," then it works fine.

So you'll have to ask Geotrust to issue you a new cert without the ST field, or with the ST field set to some value.

hth

Herbert
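A pre-import check for the empty-attribute problem Herbert describes, added here as an example and not tooling from the thread or from Cisco: it walks the DER structure of a PEM certificate in pure Python, flattens the subject DN and reports attributes whose value is empty (the "ST=," case). The certificate it runs on is a constructed, unsigned skeleton (not the Geotrust cert) with only the fields the walker reads populated.

```python
import base64

OID_NAMES = {"550406": "C", "550408": "ST", "55040a": "O", "550403": "CN"}

def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(value):                               # yield (tag, value) of each nested TLV
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_name(name_value):
    """Flatten an X.501 Name (contents of its SEQUENCE) into [(attr, value)]."""
    out = []
    for _, rdn in children(name_value):            # RelativeDistinguishedName: SET
        for _, atv in children(rdn):               # AttributeTypeAndValue: SEQUENCE
            (_, oid), (_, val) = list(children(atv))
            out.append((OID_NAMES.get(oid.hex(), oid.hex()), val.decode("utf-8", "replace")))
    return out

def subject_attrs(pem_text):
    """PEM cert -> subject DN list; walks Certificate -> tbsCertificate -> subject."""
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    _, tbs, _ = read_tlv(read_tlv(base64.b64decode(b64), 0)[1], 0)
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    return parse_name(fields[4][1])                # serial, sigAlg, issuer, validity, subject

def empty_subject_attrs(pem_text):                 # names of empty-valued attributes, e.g. ['ST']
    return [attr for attr, val in subject_attrs(pem_text) if val == ""]

def demo_pem():
    """Constructed, unsigned skeleton cert (not a real one): C=HU, ST=<empty>, CN=vpn.example.com."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER TLV only
    def rdn(oid_hex, s):                           # SET { SEQUENCE { OID, PrintableString } }
        return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x13, s)))
    subject = tlv(0x30, rdn("550406", b"HU") + rdn("550408", b"") + rdn("550403", b"vpn.example.com"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") * 3 + subject)      # sigAlg, issuer, validity left empty
    body = base64.b64encode(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run empty_subject_attrs() on the real PEM file before crypto ca import; a non-empty result means the issuer has to reissue the cert before the ASA will accept it.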

Herbert,

thanks for the update and hopefully for the solution. I will go back to Geotrust and ask them to do what you mentioned, and if it works for me too I will click "correct answer" and rate your solution.

thanks again,

Andras

randavil
Level 1

Hello,

It seems like you are trying to "import" the Root CA certificate, but you cannot import that certificate; you need to "authenticate" it. Please use this command instead:

crypto ca authenticate (name of trustpoint)

I suggest that you use a new trustpoint; it is possible that you have to delete the intermediate and ID certificates and reinstall them in the following order:

Root Cert > Intermediate Cert > ID Cert

Please let me know if you have further questions.
