cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

4144
Views
0
Helpful
8
Replies
Beginner

Problem importing a certificate into an ASA

I have a customer who is doing something a little different than normal for me, and I'm having a problem getting this to work. He generated a certificate from another system, and has sent me the certificate which also includes the private key and CA and intermediate certs. I have the password for when this was exported. This is a little ASA-5505 running 8.2(5) that is sitting on the DMZ of a Firewall1, and there is no web access permitted to it - this is an IPSec VPN used by some phones and tablets, and they haven't wanted to upgrade to AnyConnect - it's command line only. Can anyone suggest ways I might try to import this certificate? I've exported it to a Base64. Thank you very much.

8 REPLIES 8
Beginner

Hi

Hi

Can you enable the following debugs while importing the certificate.

debug crypto ca mess 255

debug crypto ca trans 255

and also please let me know what is the signature algorithm being used in the certificate.

Is it, SHA1,SHA2 or MD5.

Regards

Jagmeet

Beginner

I pasted in the debug

I pasted in the debug commands and got nothing. Logging is enabled, and for grins it turned on "deb icmp tra", and that resulted in some lines. I was told the signature algorithm was sha-2. 

Beginner

Hello, 

Hello, 


If you have a password for the certificate this is a pkcs12 cert it will include the private keys of the cert you need to import it as it is with the private keys included otherwise the ASA will not accept it since the request was not generated directly from the ASA.

Command line process:

need to create a trustpoint to import the certificate:

crypto ca trustpoint ssl-cert

enrollment terminal 

exit

Authenticate the Trustpoint using the  the intermediate certificate

crypto ca authenticate ssl-cert 

Enter the base 64 encoded CA certificate.

quit

Import the certificate

crypto ca import ssl-cert pkcs12 <passphrase>

<paste in the base64 encoded pkcs12>

quit

that should do it.

Regards, please rate!

Beginner

I'm just not having any

I'm just not having any success, and I've attached the information regarding the certificate below. What I've done was to authenticate the trust point using the intermediate certificate from Verisign's/Symantec's web site for a certificate type "Secure Site", which is given at https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO2108. That works fine, and the ASA responds with "CRYPTO_PKI: Inserted cert into list." Next, I try to import the certificate using "crpto ca import ssl-cert pkcs12 <passphrase>, which results in "-----END CERTIFICATE-----
quit
ERROR: Import PKCS12 operation failed"

I've also tried to copy and past various part of the PKCS12 certificate relating to Symantec/Verisign as the intermediate certificate, but that hasn't helped. I'd be grateful for any more assistance.

===> Certificate information

Bag Attributes

localKeyID: 01 00 00 00
friendlyName: 627d1bd1-c529-11e5-aad8-02573e52107d
Microsoft CSP Name:
Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
IhpHbu1kwEl7LSFzNfPjI628n1sZQ/UQURmGn7h85RotDcrWPl7fFBaV8M7GREH
-----END PRIVATE KEY-----
Bag
Attributes
localKeyID: 01 00 00 00
1.3.6.1.4.1.311.17.3.92: 00 08 00 00
1.3.6.1.4.1.311.17.3.20: 00 80 1A 05
4A 7C 44 E0 BB 62 52 E8 64 83 1C 54 2C 59 6E A9
subject=/CN=Persona Not Validated -
1453921726457/emailAddress=user@domain.com/OU=S/MIME/OU=Persona Not Validated/OU=Symantec Trust Network
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not Validated/CN=Symantec Class 1 Individual
Subscriber CA - G5
-----BEGIN CERTIFICATE-----
/NtKOYTPH8XwOAWFUkdkol921MI318qe1xJ55pL+EDcMfLeFzFOZirAOCWS1H-----END CERTIFICATE-----
Bag
Attributes
1.3.6.1.4.1.311.17.3.92: 00 08 00 00
1.3.6.1.4.1.311.17.3.29: D6 54 F1 11 75 B4 B3 F7 5F AD 34 CF 66
E0 A3 9A
friendlyName: VeriSign
1.3.6.1.4.1.311.17.3.20: 55 19 B2 78 AC B2 81 D7 ED A7 AB C1 83 99 C3 BB 69 04 24
B5
1.3.6.1.4.1.311.17.3.9: 30 14 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 04

1.3.6.1.4.1.311.17.3.98: CB B5 AF 18 5E 94 2A 24 02 F9 EA CB C0 ED 5B B8 76 EE A3 C1 22 36 23 D0 04 47 E4 F3 BA 55 4B 65
subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use
only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust
Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority
- G3
-----BEGIN CERTIFICATE-----
MIIEGjCCAwICEQCLW3VWhFSFCwDPrzhIzrGkMA0GCSqGSIb3DQEBBQUAMI-----END CERTIFICATE-----
Bag Attributes

1.3.6.1.4.1.311.17.3.92: 00 08 00 00
1.3.6.1.4.1.311.17.3.20: 67 19 B6 3D A5 79 BB 33 60 D8 2D 53 D3 8C 09 3D 07 AC
18 70
subject=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not Validated/CN=Symantec Class 1
Individual Subscriber CA - G5
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For
authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
-----BEGIN CERTIFICATE-----
MIIGPDCCBSSgAwIBAgIQBwKiGoW4S2WeGApu5vWjZTANBgkqhkiG9w0BAQs-----END CERTIFICATE-----

Highlighted
Beginner

Hi, I had this same issue and

Hi, I had this same issue and after a lot of investigation I've made it work.

The issue is that the ASA expects to have the certificate in pkcs(.p12) format encoded with base64

you just need to take your .pfx file and encode in base64 with the following command

#openssl base64 -in xxxxx.pfx > xxxxx.base64

Then you need to open the file and add the PKCS Header and footer just copy and paste it without leaving any space.

-----BEGIN PKCS12-----
-----END PKCS12-----


The end result would be like this:

-----BEGIN PKCS12-----
yH54bCdLWTlWGhXnPC9pGpL9aXGgsmQV/odoxbEa+fZiDpLL+ZRrN2Up7onCC53l
4Qoh76ju/j9vMlRIE5bAUvMqsCl50CP//C50IuSTvBWyN1/M0RclwK4D7wtwGWfz
.................
.................
m3MylWIXt83bP45nzCqmMKc1aiOVbdQQo8M7MSUwIwYJKoZIhvcNAQkVMRYEFDLo
hsQ3m0hoYwLODqBXBpfpM7mWMDEwITAJBgUrDgMCGgUABBR1pxMEpEZwWkvnJauW
9UvnuP403wQIyRcfzvL8incCAggA
-----END PKCS12-----

Now you have your certificate ready for importing it into the ASA. Execute:

crypto ca certificate [your truspoint name you want] pkcs12 [pkcs12 password]

My example

ASA(config)# crypto ca certificate wildcard.brato.local pkcs12 1234567890
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:

-----BEGIN PKCS12-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END PKCS12-----
quit

INFO: Import PKCS12 operation completed successfully

Verify that the truspoint was created:
ASA(config)# show crypto ca trustpoints BRATO

Trustpoint BRATO:
Not authenticated.


Verify that the key was created:
ASA(config)# show crypto key mypubkey rsa | b BRATO
Key name: BRATO
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

The last step is to add the root and the intermediate certifcates to the chain. That is why you have a NOT AUTHENTICATED truspoint.
You need to encode your certificates chain with base64 again. Remember that on the certificate chain you need to form the chain in the issuing order:

CERT INTERMEDIATE
CERT ROOT1
CERT ROOT2
CERT ETC.

you will end with something like this:


-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----

Execute:

crypto ca truspoint BRATO
enrollment terminal
exit
crypto ca authenticate BRATO
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself


MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB

Certificate has the following attributes:
Fingerprint: xxxxxxx xxxxxxxx xxxxxxx xxxxx
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported


ASA(config)# show crypto ca trustpoint BRATO
Trustpoint BRATO:
Subject Name:
cn=brato-DC-CA
dc=brato
dc=local
Serial Number: gglfshlkahfklsahflkhaslkf
Certificate configured.

Cisco Employee

Hi ,

Hi ,

If the signature algorithm is SHA-2 you cannot have the certificate installed on the ASA on code 8.2(5) and that i because of the below bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCti30937/?reffering_site=dumpcr

Once you upgrade the code to the fixed version , it should be good.

Hope that helps

Thanks

Shakti

Contributor

Re: Problem importing a certificate into an ASA

I imported an existing .pem file into Internet Explorer (IE) and made sure that the private key was exportable. I then exported the certificate and key with the DES encryption (not AES), and imported it into the ASA.  I know that you can make changes with OpenSSL as well, but IE was an easy method for me.

Contributor

Re: Problem importing a certificate into an ASA

I recently imported a new certificate and key into IE and made sure the key was set to exportable. I exported the certificate and key as DES and it worked again. I just wanted to post an update that this process still works.