Installing a .pfx certificate file on a router for an SSL VPN

andrews7385
Level 1

I have an SSL VPN running on a 3825 router. The VPN works fine, no issues. Right now it has a self-signed cert on it. Our company bought a wildcard cert from GoDaddy. It was requested and generated from another server. I asked GoDaddy how to put that on the router, when the router is not the one that generated the key. They said the server where it was installed should export it to a .pfx file and I could install it then.

Well, I have the .pfx file but I cannot figure out how to install it. I have tried a number of different ways. Most of the documentation I have found says to create a trustpoint and then import it.

So I put the .pfx file in flash.

I create a trustpoint ("crypto pki trustpoint godaddy"); I've tried every different "enrollment" option after that.

Then I try to import it and get an error every time. I have tried importing from flash and from TFTP. No matter how I do it, it ends up like this:

sslvpn-3(config)#cry pki import godaddy pkcs12 flash: password99
% Importing pkcs12...
Source filename [godaddy]? wildcardexportcert.pfx
Reading file from flash:wildcardexportcert.pfx
CRYPTO_PKI: Import PKCS12 operation failed, failure status = 0x711

I have 2 routers with the VPN on them and got the same result, so clearly I just don't know how to do it. I have installed certs a number of times when the router was the one that created the key, but I have never used a wildcard and a .pfx before.

Can anyone help me out?

2 Replies

Erik Ingeberg
Level 1

Check if there are empty fields in the certificate you are trying to import; that could cause the import to fail. Also, CN field values longer than 64 characters will cause this error.

rahgovin
Level 4

It seems to be a known issue with the GoDaddy certificate, where "*" is not an allowed value in the PrintableString value inside the certificate. It does not follow the RFC 3280 standard for ASN.1 certificates. Ask them not to use "*" in the PrintableString field while encoding, or you can rekey using a non-wildcard certificate.
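The two replies above point at three things to check in the subject of the certificate before blaming the router: an empty attribute value, a CN longer than 64 characters, and a wildcard "*" encoded inside an ASN.1 PrintableString (whose alphabet does not include "*"). The following script is an added example, not from the thread or from Cisco: it parses a DER-encoded X.501 Name directly (no external library) and reports those three conditions. The sample Names it checks are constructed inline; on a real certificate you would feed it the DER bytes of the subject, for instance the output of pyca/cryptography's `cert.subject.public_bytes()` after loading the .pfx with `pkcs12.load_key_and_certificates`.

```python
import re

# ASN.1 universal tags used in an X.501 Name
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OID = 0x06
TAG_PRINTABLE = 0x13  # PrintableString
TAG_UTF8 = 0x0C       # UTF8String
TAG_BMP = 0x1E        # BMPString (UTF-16BE)

# PrintableString alphabet (X.680): letters, digits, space ' ( ) + , - . / : = ?
# Note that "*" is NOT in this set.
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")

# RFC 3280 / RFC 5280 Appendix A upper bound for commonName
UB_COMMON_NAME = 64

# DER-encoded OIDs of common name attributes (id-at-*)
OID_CN = b"\x55\x04\x03"
OID_OU = b"\x55\x04\x0b"
OID_NAMES = {OID_CN: "CN", b"\x55\x04\x0a": "O", OID_OU: "OU",
             b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L"}


def read_tlv(data, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_name(der):
    """Parse a DER Name (SEQUENCE OF SET OF {OID, value}) into (attr, value_tag, text)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)            # one RelativeDistinguishedName (SET)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)     # AttributeTypeAndValue (SEQUENCE)
            _, oid, p = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, p)
            text = val.decode("utf-16-be") if vtag == TAG_BMP else val.decode("utf-8", "replace")
            attrs.append((OID_NAMES.get(oid, oid.hex()), vtag, text))
    return attrs


def check_name(der):
    """Return a list of problems matching the failure causes discussed in the thread."""
    problems = []
    for attr, vtag, text in parse_name(der):
        if text == "":
            problems.append(f"{attr}: empty value")
        if attr == "CN" and len(text) > UB_COMMON_NAME:
            problems.append(f"CN: {len(text)} chars exceeds ub-common-name ({UB_COMMON_NAME})")
        if vtag == TAG_PRINTABLE and not PRINTABLE_RE.match(text):
            bad = sorted({c for c in text if not PRINTABLE_RE.match(c)})
            problems.append(f"{attr}: PrintableString contains disallowed {bad}")
    return problems


# --- minimal DER encoder, only used to construct the sample Names below ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_name(*attrs):
    """Build a DER Name from (oid_bytes, value_tag, text) tuples, one RDN per attribute."""
    rdns = b""
    for oid, vtag, text in attrs:
        raw = text.encode("utf-16-be") if vtag == TAG_BMP else text.encode("utf-8")
        rdns += der(TAG_SET, der(TAG_SEQUENCE, der(TAG_OID, oid) + der(vtag, raw)))
    return der(TAG_SEQUENCE, rdns)


if __name__ == "__main__":
    # Constructed samples: wildcard CN as PrintableString (the GoDaddy case) vs UTF8String
    samples = {
        "wildcard-printable": build_name((OID_CN, TAG_PRINTABLE, "*.example.com")),
        "wildcard-utf8": build_name((OID_CN, TAG_UTF8, "*.example.com")),
        "empty-ou": build_name((OID_OU, TAG_PRINTABLE, ""), (OID_CN, TAG_PRINTABLE, "vpn.example.com")),
        "long-cn": build_name((OID_CN, TAG_PRINTABLE, "a" * 70)),
    }
    for label, name_der in samples.items():
        print(label, "->", check_name(name_der) or "OK")
```

The wildcard is legal in a UTF8String subject, so a CA that re-issues the certificate with that encoding (or a non-wildcard CN, as suggested above) produces a subject this check passes; the empty-field and 64-character checks correspond to the first reply.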