AnyConnect SSL certificate renewal through ASDM failed

RabbitSF
Level 1

The SSL cert is from GoDaddy. I renewed and downloaded the certs from GoDaddy. Below is what I did to try to load it through ASDM:

1. Installed (renewal) the newly downloaded GoDaddy CA certificate through ASDM under Certificate Management > CA Certificates.

2. Generated a CSR under Certificate Management > Identity Certificates

For the Step 2, I did:

Chose Add a new identity certificate

Generated the General Purpose Key Pair

Entered all the Attribute Values for the CSR

Entered the FQDN

3. After the above, I got a pending item under the Identity Certificates box. Then I tried to install the new cert downloaded from GoDaddy.


But I got the pop up error message saying "...Certificate does not contain device's General Purpose public key... Failed to parse or verify imported certificate..."


Please advise what went wrong with my steps. Thanks very much!

Accepted Solution

When you use the rekey option, GoDaddy uses the "SAME" private/public keypair to generate a new certificate. What you need to do is to create a new trustpoint with the exact same config as before. An example below. The important config to keep the same is the "keypair" command the same as the old trustpoint:

MainASA(config)# crypto ca trustpoint SSL-Trustpoint
MainASA(config-ca-trustpoint)# enrollment terminal
MainASA(config-ca-trustpoint)# fqdn vpn.remoteasa.com
MainASA(config-ca-trustpoint)# subject-name CN=vpn.remoteasa.com,O=Company Inc,C=US,St=California,L=San Jose
MainASA(config-ca-trustpoint)# keypair SSL-Keypair
MainASA(config-ca-trustpoint)# exit

Once you create the trustpoint, import the CA and identity cert into the trustpoint using CLI. Step 1.2 in the doc:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc13

If you have already generated a new CSR, then submit that to GoDaddy and follow the steps given in this doc:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc20

RabbitSF
Level 1

Just wondering, after generating the new CSR, do I need to submit the CSR to GoDaddy to regenerate a new cert to upload to the ASA? 

Hi,

Once you generate the CSR on the ASA, you submit that to GoDaddy, who will then sign the certificate request and then provide you with the signed certificate. You then import the certificate and the trusted root/intermediate certificates into the ASAs trustpoint.
HTH

When I renewed the SSL cert from GoDaddy, they actually issued me two files: one is the CA cert and the other one is the actual SSL cert. They are both .crt files. This is the part I am not sure about. Is the SSL cert they issued to me the one that I should upload to the ASA? Or should I do what you said: generate a new CSR from the ASA, upload it to GoDaddy, then let GoDaddy generate a new SSL cert (GoDaddy calls it Re-Key) for me to upload to the ASA?

I don't know how that initial SSL cert was generated; there is obviously an issue with it. If you generate a CSR, submit it for signing and import it (along with the CA certificates), that should work.

Hi Rahul,

Thanks much for the details!

Just curious, why would GoDaddy issue me two certs after I renewed it? One is the CA cert and the other one I assumed is the actual SSL cert. 

The CA cert that GoDaddy provides in the bundled zip file is its own certificate. This is just so that you can build a chain on whatever device you are installing the ID cert on. This cert is publicly available on the GoDaddy website as well:

https://ssl-ccp.godaddy.com/repository?origin=CALLISTO

These are the two files I have. I believe the publicly available one you mentioned is gd_bundle-g2-g1.crt. What about the other one? [screenshot of the two files attached]


Correct. The first one is the GoDaddy CA cert chain. The other one (random name) is the identity cert issued to you based on the CSR you provided GoDaddy.

I have not uploaded the new CSR I created through the ASA to GoDaddy yet. When I paid and renewed the SSL cert on GoDaddy, they just issued it to me. Does that mean they were using the old CSR to issue the cert to me?

Correct. During renewal, if you use the rekey option, GoDaddy uses the old CSR info and issues a new certificate. This is why you need to keep the new trustpoint config the same as the old one in order to import the newly generated cert onto the ASA. The ASA has the "keypair" command on the trustpoint. This tells the ASA that it should associate the cert with the key. If you try to associate the cert with a trustpoint that does not match the right private key, it will fail.
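
A pre-import check for the key association described above, added here as an example (it is not from this thread, from Cisco or from GoDaddy): it compares the public key inside an issued certificate with the public key of a private key or CSR, which is the same comparison that produces the "does not contain device's General Purpose public key" failure. It assumes the openssl command-line tool is installed; all keys, the CSRs and the self-signed stand-in for the rekeyed certificate are constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the thread or Cisco: pre-check an issued identity
# certificate against a key pair or CSR before importing it into a trustpoint.
# The ASA accepts a cert only if its public key equals the public key of the
# trustpoint's "keypair"; this reproduces that comparison with openssl.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo held in a PEM file.
# kind is one of: key (private key), csr, cert
pubkey_hash() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        csr)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *)    echo "unknown kind: $1" >&2; return 1 ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# Exit status 0 when the cert's public key matches the key or CSR.
# usage: cert_matches <key|csr> <file> <cert>
cert_matches() {
    [ "$(pubkey_hash "$1" "$2")" = "$(pubkey_hash cert "$3")" ]
}

# Builds constructed test material in a temp dir and prints its path:
#   old.key / old.csr  - the key pair the original cert was issued against
#   issued.crt         - stand-in for a "rekey" cert (self-signed here, a real
#                        one is CA-signed); it is bound to old.key, not new.csr
#   new.key / new.csr  - a fresh general-purpose key pair and CSR, as ASDM makes
demo_setup() {
    d=$(mktemp -d)
    subj="/CN=vpn.example.test/O=Example Inc/C=US"
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null
    openssl genrsa -out "$d/new.key" 2048 2>/dev/null
    openssl req -new -key "$d/old.key" -subj "$subj" -out "$d/old.csr" 2>/dev/null
    openssl req -new -key "$d/new.key" -subj "$subj" -out "$d/new.csr" 2>/dev/null
    openssl req -new -x509 -key "$d/old.key" -subj "$subj" -days 30 \
        -out "$d/issued.crt" 2>/dev/null
    echo "$d"
}

# Stand-alone run: the rekeyed cert fits the old key, not the new CSR.
if [ "${1:-}" = "demo" ]; then
    d=$(demo_setup)
    cert_matches key "$d/old.key" "$d/issued.crt" && echo "issued.crt matches old.key"
    cert_matches csr "$d/new.csr" "$d/issued.crt" || echo "issued.crt does NOT match new.csr"
    rm -rf "$d"
fi
```

Run it as `sh check.sh demo`; against real files, a mismatch between the GoDaddy cert and the new CSR means the cert must go into a trustpoint that references the old keypair, exactly as the accepted answer says.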

All good now. You are right. I need to use the old KeyPair when I create the new identity. Thank you so much for all the help!
