ASA 8.4.3 Install Certificate for webvpn without CSR

tomvanleeuwen
Level 1

Hi guys,

I've been spending a lot of time trying to install our company wildcard certificate into the ASA for use with AnyConnect, but have been failing miserably, continuously. I've read a lot of posts, but don't really know what I am doing.

From our webserver I retrieved DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.

The DigiCertCA.crt file is the certificate called "DigiCert High Assurance CA-3" on website: https://www.digicert.com/digicert-root-certificates.htm
with serial
"0A5F114D035B179117D2EFD4038C3F3B".

On the ASA I've checked that I have no trustpoint present. The commands: "sh crypto ca certificates" and "sh crypto ca trustpoints" yield no output.

Okay, so let's start configuring and run into issues:

ASA(config)# crypto ca trustpoint star.mycompany.com

ASA(config-ca-trustpoint)#  fqdn webvpn.mycompany.com

ASA(config-ca-trustpoint)#  enrollment terminal

ASA(config-ca-trustpoint)#  revocation-check none

ASA(config-ca-trustpoint)#  exit

ASA(config)# crypto ca authenticate star.mycompany.com

Enter the base 64 encoded CA certificate.

End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

### CONTENTS OF DigiCertCA.crt ###

-----END CERTIFICATE-----

quit

INFO: Certificate has the following attributes:

Fingerprint:     c68b9930 c8578d41 6f8c094e 6adb0c90

Do you accept this certificate? [yes/no]: yes

Trustpoint 'star.mycompany.com' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.

% Certificate successfully imported

ASA(config)# crypto ca import star.mycompany.com certificate

WARNING: The certificate enrollment is configured with an fqdn

that differs from the system fqdn. If this certificate will be

used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: webvpn.mycompany.com

Enter the base 64 encoded certificate.

End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

### CONTENTS OF star.mycompany.com_cert.pem ###

-----END CERTIFICATE-----

quit

Cannot import certificate -

   Certificate does not contain device's General Purpose public key

   for trust point star.mycompany.com

ERROR: Failed to parse or verify imported certificate

ASA(config)#

Please help me out!! I'm no guru with certificates.

Kind regards,

Tom van Leeuwen

Accepted Solution

Michael Muenz
Level 5

Tom,

you have to create a PKCS12 container which includes certificate, key and CA.

I only know how to do this with Linux, no idea with Windows.

Michael

Please rate all helpful posts


Luckily I'm running Ubuntu and I've got it to work!

root.crt (the intermediate and the root concatenated into one chain file):

cat DigiCertHighAssuranceEVRootCA.pem DigiCertCA.crt > root.crt

# bundle the server certificate, its private key and the CA chain into one PKCS12 container
openssl pkcs12 -export -in star.mycompany.com_cert.pem -inkey star.mycompany.com_key.pem -certfile root.crt -out bundle.p12

Enter Export Password: secret

Verifying - Enter Export Password: secret

# base64-encode the container so it can be pasted into the ASA terminal
base64 bundle.p12

On the ASA:

ASA(config)# crypto ca import star.mycompany.com pkcs12 secret

Enter the base 64 encoded pkcs12.

End with the word "quit" on a line by itself:

# BASE64 OUTPUT OF bundle.p12 #

quit

% The CA cert is not self-signed.

% Do you also want to create trustpoints for CAs higher in

% the hierarchy? [yes/no]: yes

INFO: Import PKCS12 operation completed successfully

ssl trust-point star.mycompany.com outside

Works!

Thanks!!!

Linux rocks
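The check the ASA performed when it refused the bare certificate in the question ("Certificate does not contain device's General Purpose public key": the trustpoint had no keypair whose public half matched the certificate, because no CSR was ever generated on the box), together with the PKCS12 build Michael describes and Tom carried out, as an added shell example that is not from the thread. It constructs a throwaway root, intermediate and *.mycompany.com wildcard certificate in place of the DigiCert chain (test data, not real certificates), then verifies that the private key belongs to the certificate, that the certificate chains to the supplied CA file, and that a DNS SAN covers the trustpoint fqdn webvpn.mycompany.com, before exporting and base64-encoding the bundle. The explicit SHA1/3DES PBE and SHA1 MAC are an assumption about what an 8.4-era ASA can parse; the thread does not discuss PKCS12 encryption algorithms, and current OpenSSL defaults to AES with PBKDF2.

```shell
#!/bin/sh
# Added example, not from the thread: build an ASA-importable PKCS#12 from an
# existing certificate, key and CA chain, with the checks that explain the
# error in the original post. Needs only openssl, base64 and a POSIX shell.
set -eu

# 0 if the private key ($2) belongs to the certificate ($1). The ASA refused the
# bare certificate because the trustpoint had no keypair whose public half
# matched it; this is the same comparison, done before touching the device.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate ($1) chains to a CA in the bundle file ($2).
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if a DNS SAN in the certificate ($1) covers the name clients connect to ($2).
# A wildcard covers one label only: *.mycompany.com matches webvpn.mycompany.com
# but neither mycompany.com nor a.b.mycompany.com.
cert_covers_fqdn() {
  wild="*.${2#*.}"
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' \
    | grep -qxF -e "$2" -e "$wild"
}

# Run the three checks, then export cert + key + chain as one PKCS#12 and
# base64-encode it for pasting into "crypto ca import <trustpoint> pkcs12 <pass>".
# SHA1/3DES PBE and a SHA1 MAC are an assumption about what an 8.4-era ASA can
# parse; the thread says nothing about it, and newer OpenSSL defaults to AES/PBKDF2.
build_asa_pkcs12() {
  cert=$1; key=$2; chain=$3; fqdn=$4; out=$5; pass=$6
  key_matches_cert "$cert" "$key"  || { echo "private key does not match $cert" >&2; return 1; }
  chain_verifies "$cert" "$chain"  || { echo "$cert does not chain to $chain" >&2; return 2; }
  cert_covers_fqdn "$cert" "$fqdn" || { echo "$cert does not cover $fqdn" >&2; return 3; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$pass" -out "$out"
  base64 < "$out" > "$out.b64"
}

# Number of certificates inside a PKCS#12 (leaf + intermediate + root = 3).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Constructed test PKI standing in for the DigiCert root, the "DigiCert High
# Assurance CA-3" intermediate and the *.mycompany.com wildcard certificate.
make_test_pki() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:*.mycompany.com,DNS:mycompany.com\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 365 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.mycompany.com" \
    -keyout "$d/star.mycompany.com_key.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/star.mycompany.com_cert.pem" 2>/dev/null
  cat "$d/inter.crt" "$d/root.crt" > "$d/root.crt.chain"   # same layout as the post's root.crt
  openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null      # unrelated key, to show the check firing
}

# Usage: sh asa_p12.sh --demo
if [ "${1:-}" = "--demo" ]; then
  w=$(mktemp -d)
  make_test_pki "$w"
  build_asa_pkcs12 "$w/star.mycompany.com_cert.pem" "$w/star.mycompany.com_key.pem" \
    "$w/root.crt.chain" webvpn.mycompany.com "$w/bundle.p12" secret
  echo "paste $w/bundle.p12.b64 into: crypto ca import star.mycompany.com pkcs12 secret"
fi
```

With a real certificate, point the functions at the files exported from the web server instead of the constructed ones; the fqdn argument should be the name configured under the trustpoint (webvpn.mycompany.com in the thread), which is what triggers the "differs from the system fqdn" warning if it does not match the ASA's own hostname and domain. If the ASA rejects the resulting container, the PBE choice is the first thing to vary.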

Thanks for rating

Michael

Please rate all helpful posts
