
Install certificate in ASA

eigrpy
Level 4

Hi. In a new ASA, I am trying to install a certificate. But when I paste the certificate data, I got an error message. Please see the screenshot in the attachment. Can anyone give me some suggestions? Thank you.

 

 


Marvin Rhoads
Hall of Fame

What's the source of the certificate?

Do you have the private key used to generate the Certificate Signing Request (CSR) present on the ASA? Since you are using the Install method, you must have a pending CSR.

Thank you so much for your reply. I am doing it based on the link:

http://www.petenetlive.com/KB/Article/0000694.htm

The document does not mention private key. I am just doing it step by step based on the link. It looks like the process created the CSR.

 

The key mentioned early in Pete's posting is the private key I asked about.

Who is the CA you are using? Did you install the root and intermediate certificates like Pete noted? Can you open the certificate file in Windows and see that it is a valid certificate?

I am sorry for the late reply due to other issues.
Here is the process: 

Configuration > Device Management > Identity Certificates > Add > Add a new identity certificate > New > Enter new key pair name field, and click Generate Now
 
To install the certificate:
a. Select the pending certificate request under Configuration > Device Management > Identity Certificates > Install.
b. In the Install Identity Certificate window, select the Paste the certificate data in base-64 format > Install Certificate.
 
The certificate data that I pasted is from the key that I created above, but I still get the error message (please see the screenshot in the last reply).

The Cisco document also discusses the issue:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html

I think I might have missed step 7. In the process of installing the certificate, I do not find "Submit the certificate request". So how can I submit the request?
 

7. Submit the certificate request to the certificate administrator, who issues the certificate on the server. This can either be through a web interface, e-mail, or directly to the root CA server for certificate issue process.

It sounds like you are mixing up procedures for a self-signed certificate and a CA-signed certificate.

If you are using an external CA then you follow the procedures in the guides you cited. They are both for external CA certificate request and install. Inherent in that process is generating the Certificate Signing Request (CSR). That is what you send off to the CA.

After I tried to send out the CSR, it looks like the CSR is pending there in ASDM. Sending it to the CA is what we want, right? If so, how do I send it to the CA? Thank you.

As noted in step 5 of the Cisco procedure, you save the CSR to a text file.

That text file needs to be sent to your CA.

For a public CA, it is either via a web portal (most common) or via email.

If it's your own internal CA, and you administer it, you might just copy the text onto the CA server's certificate issuing tool.
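
A pre-install check for the base-64 text discussed in this thread, added here as an example and not code from any poster or from Cisco: it tells a CSR (which goes to the CA) apart from the issued certificate (which gets installed) by PEM label and confirms the body decodes to an intact DER SEQUENCE. The function names, the one-block rule in `ready_to_install`, and the sample blobs are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# What each PEM label means at the install step (labels per RFC 7468 and common tools).
KINDS = {
    "CERTIFICATE": "certificate",          # issued by the CA: this is what gets installed
    "CERTIFICATE REQUEST": "csr",          # goes to the CA, is not installed
    "NEW CERTIFICATE REQUEST": "csr",      # older CSR label some tools emit
    "PRIVATE KEY": "private-key",          # never pasted or sent anywhere
    "RSA PRIVATE KEY": "private-key",
}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_sequence_ok(der):
    """True if der is a single DER SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: length in one byte
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def classify(text):
    """Return [(label, kind)] for every PEM block; kind is 'corrupt' if the body is damaged."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        kind = KINDS.get(label, "unknown")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            if not der_sequence_ok(der):
                kind = "corrupt"           # truncated or partial copy/paste
        except binascii.Error:
            kind = "corrupt"               # stray characters or broken padding
        found.append((label, kind))
    return found

def ready_to_install(text):
    """Assumption: the paste box takes exactly one intact CERTIFICATE block."""
    return [k for _, k in classify(text)] == ["certificate"]

# Constructed placeholder body (SEQUENCE { INTEGER 0 }), not a real certificate or CSR.
SAMPLE_B64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00])).decode()
SAMPLE_CSR = f"-----BEGIN CERTIFICATE REQUEST-----\n{SAMPLE_B64}\n-----END CERTIFICATE REQUEST-----\n"
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
```

The check looks only at the label and outer encoding; it does not validate the signature, the chain, or that the certificate matches the pending request's key pair.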