05-23-2019 11:06 AM - edited 02-21-2020 09:39 PM
The SSL cert is from GoDaddy. I renewed and downloaded the certs from GoDaddy. Below is what I did to try to load it through ASDM,
1. Installed (renewal) the newly downloaded GoDaddy CA certificate through ASDM under Certificate Management > CA Certificates.
2. Generated a CSR under Certificate Management > Identity Certificates
For the Step 2, I did:
Chose Add a new identity certificate
Generated the General Purpose Key Pair
Entered all the Attribute Values for the CSR
Entered the FQDN
3. After the above, I got a pending item under the Identity Certificates box. Then I tried to install the new cert downloaded from GoDaddy.
But I got the pop up error message saying "...Certificate does not contain device's General Purpose public key... Failed to parse or verify imported certificate..."
Please advise what went wrong with my steps. Thanks very much!
05-23-2019 05:31 PM - edited 05-24-2019 06:47 AM
When you use the rekey option, GoDaddy uses the "SAME" private/public keypair to generate a new certificate. What you need to do is to create a new trustpoint with the exact same config as before. An example below. The important config to keep the same is the "keypair" command; it must be the same as on the old trustpoint:
MainASA(config)# crypto ca trustpoint SSL-Trustpoint
MainASA(config-ca-trustpoint)# enrollment terminal
MainASA(config-ca-trustpoint)# fqdn vpn.remoteasa.com
MainASA(config-ca-trustpoint)# subject-name CN=vpn.remoteasa.com,O=Company Inc,C=US,St=California,L=San Jose
MainASA(config-ca-trustpoint)# keypair SSL-Keypair
MainASA(config-ca-trustpoint)# exit
Once you create the trustpoint, import the CA and identity cert into the trustpoint using CLI. Step 1.2 in the doc:
If you have already generated a new CSR, then submit that to GoDaddy and follow the steps given in this doc:
05-23-2019 11:15 AM
Just wondering, after generating the new CSR, do I need to submit the CSR to GoDaddy to regenerate a new cert to upload to the ASA?
05-23-2019 12:10 PM
Hi,
Once you generate the CSR on the ASA, you submit that to GoDaddy, who will then sign the certificate request and then provide you with the signed certificate. You then import the certificate and the trusted root/intermediate certificates into the ASA's trustpoint.
HTH
05-23-2019 12:59 PM
When I renewed the SSL cert from GoDaddy, they actually issued me two files, one is the CA cert and the other one is the actual SSL cert. They are both .crt files. This is where I am not sure. Is the SSL cert they issued to me the one that I should upload to the ASA? Or should I do what you said, generate a new CSR from the ASA, upload it to GoDaddy, then let GoDaddy generate a new SSL cert (GoDaddy calls it Re-Key) for me to upload to the ASA?
05-24-2019 08:53 AM
Hi Rahul,
Thanks much for the details!
Just curious, why would GoDaddy issue me two certs after I renewed it? One is the CA cert and the other one I assumed is the actual SSL cert.
05-24-2019 10:10 AM
The CA cert that GoDaddy provides in the bundled zip file is its own certificate. This is just so that you can build a chain on whatever device you are installing the ID cert on. This cert is publicly available on the GoDaddy website as well:
https://ssl-ccp.godaddy.com/repository?origin=CALLISTO
05-24-2019 10:15 AM
These are the two files I have. I believe the publicly available one you mentioned is the gd_bundle-g2-g1.crt. What about the other one?
05-24-2019 11:17 AM
Correct. The first one is the GoDaddy CA cert chain. The other one (random name) is the identity cert issued to you based on the CSR you provided GoDaddy.
05-24-2019 11:21 AM
I have not uploaded the new CSR I created through the ASA to GoDaddy yet. When I paid and renewed the SSL cert on GoDaddy, they just issued it to me. Does that mean they were using the old CSR to issue the cert to me?
05-24-2019 12:05 PM
Correct. During renewal, if you use the rekey option, GoDaddy uses the old CSR info and issues a new certificate. This is why you need to keep the new trustpoint config the same as the old one in order to import the newly generated cert onto the ASA. The ASA has the "keypair" command on the trustpoint. This tells the ASA that it should associate the cert with the key. If you try to associate the cert with a trustpoint that does not match the right private key, it will fail.
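The check the ASA performs at import time, as an added example that is not part of the thread: the public key inside the identity certificate must equal the public half of the keypair bound to the trustpoint, otherwise the "Certificate does not contain device's General Purpose public key" error is the expected result. It assumes the openssl CLI is installed; the keypair and certificate are generated locally as constructed stand-ins for SSL-Keypair, the re-keyed GoDaddy certificate, and a freshly generated ASDM keypair.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "does this certificate
# belong to the trustpoint's keypair?" check with OpenSSL.
# Assumes the openssl CLI; every key and cert here is generated locally.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the OLD keypair (SSL-Keypair) and the re-keyed
# identity cert that was issued against it (self-signed here for brevity).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ssl-keypair.key" -out "$WORK/identity.crt" \
  -subj "/CN=vpn.example.test" >/dev/null 2>&1

# A NEW "General Purpose Key Pair", as generated in ASDM for a new CSR:
# a different private key that no certificate was ever issued for.
openssl genrsa -out "$WORK/new-keypair.key" 2048 >/dev/null 2>&1

# Compare the SubjectPublicKeyInfo carried in the certificate with the
# public key derived from a private key. Equal PEM text means the cert
# was issued for that keypair; anything else is the ASA's import failure.
# Returns 0 on match, 1 on mismatch, 2 if a file cannot be parsed.
cert_matches_key() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 2
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 2
  [ "$cert_pub" = "$key_pub" ]
}

check() {
  if cert_matches_key "$1" "$2"; then
    echo "MATCH   : $(basename "$2") is the keypair behind $(basename "$1")"
  else
    echo "MISMATCH: $(basename "$2") is not the keypair behind $(basename "$1")"
    return 1
  fi
}

# Old keypair + re-keyed cert: import succeeds.
check "$WORK/identity.crt" "$WORK/ssl-keypair.key"
# New keypair + re-keyed cert: the situation in the original post.
check "$WORK/identity.crt" "$WORK/new-keypair.key" || true
```

On a real ASA the equivalent comparison is between the imported certificate and the output of "show crypto key mypubkey rsa" for the keypair named on the trustpoint.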
05-24-2019 02:36 PM
All good now. You are right. I need to use the old KeyPair when I create the new identity. Thank you so much for all the help!