We purchased an SSL certificate from Network Solutions to interface with our webvpn connections. This is what they sent us:
WEBVPN.MYSITE.COM.crt (name changed to protect privacy)
I've had absolutely no luck getting the identity certificate installed, and I have no idea what the other certs are really used for.
I figured that using the ASDM was easier to deal with certs so I navigated to the identity certificates section. I tried to import an identity certificate from a file by browsing to the identity certificate and clicking Add Certificate. But it stops me and says "Passphrase cannot be empty." I talked to Network Solutions and they don't have a passphrase for me. So then I just make up anything and click Add Certificate but I get stopped with this error: ERROR: Import PKCS12 operation failed.
At the identity certificates page in ASDM I clicked Add and then tried to add a new identity certificate by filling out all the parameters. This prompts me to save a CSR file to my computer. Ok done. But the certificate is not 'installed'.
To get the certificate installed I tried clicking 'install' and browsing to WEBVPN.MYSITE.COM.crt. Upon hitting OK I get stopped with the following error: Cannot import certificate - Certificate does not contain device's General Purpose public key for trust point ASDM_TrustPoint1. ERROR: Failed to parse or verify imported certificate.
I thought the CSR file was something important so I sent the CSR file to Network Solutions and they sent back a 'validation.xps' file. I tried to use this to 'install' into the identity certificate I just added. Unfortunately I get the following error when doing so: ERROR: Failed to parse or verify imported certificate.
I called Network Solutions and tried to explain to them and they of course had no idea what I'm talking about.
Is anyone familiar with this process that can point me in the right direction to install the cert? Thanks
Please post the output of show crypto ca certificate and also the show crypto ca trustpoint. Let me know from which trustpoint you created the CSR initially while sending the first request.
I know this is a really old question and our solution was pretty silly, but this is still one of the top results for "Passphrase cannot be empty."
In our case, the cert we had purchased was not in PKCS12 format, but the regular PEM format. You need to convert it using openssl:
openssl pkcs12 -export -in prod_cert.pem -out prod_cert.pkcs12 -name "New Cert"
It will ask you for a password, which you supply, then use that cert and password with the Cisco Cert import.
They're one of the few appliances I have seen that don't accept unencrypted PEM files.
Hope this is of use to someone else.
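The conversion from the answer above, as an added example that is not part of the original thread: it checks that the certificate actually matches the private key (a mismatch is what the "does not contain device's General Purpose public key" error in the question reports) before building the passphrase-protected PKCS12 file. It assumes the certificate and key are separate PEM files; all file names, the subject and the passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example: file names, subject and passphrases are constructed placeholders.

# Succeeds only if the PEM certificate ($1) carries the public key of the
# PEM private key ($2), i.e. the cert answers the CSR made from that key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Bundle cert ($1) and key ($2) into PKCS12 file ($3) protected by passphrase ($4).
# The passphrase reaches openssl through the environment, not its argv.
make_pkcs12() {
    cert_matches_key "$1" "$2" || { echo "cert/key mismatch" >&2; return 1; }
    P12_PASS="$4" openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "New Cert" -passout env:P12_PASS
}

# Succeeds if file ($1) parses as PKCS12 and its MAC verifies with passphrase ($2).
is_pkcs12() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:P12_PASS 2>/dev/null
}

# Constructed demo material: a throwaway key and a self-signed certificate
# standing in for the CA-issued one, plus an unrelated second key.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=webvpn.example.test" \
        -keyout "$1/site.key" -out "$1/site.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_files "$dir" || return 1
    is_pkcs12 "$dir/site.pem" "x" || echo "site.pem is PEM, not PKCS12"
    make_pkcs12 "$dir/site.pem" "$dir/other.key" "$dir/bad.p12" "x" \
        || echo "refused: key does not belong to this certificate"
    make_pkcs12 "$dir/site.pem" "$dir/site.key" "$dir/site.p12" "demo-pass" &&
        is_pkcs12 "$dir/site.p12" "demo-pass" && echo "site.p12 ready for import"
    rm -rf "$dir"
}

demo
```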