10-12-2011 05:25 AM
Hello,
I have the following problem:
I ordered a certificate from Geotrust. Geotrust signed my certificate with an intermediate certificate. The problem is that the ASA needs the Geotrust global certificate to be installed to accept my device certificate (the intermediate certificate needs to be authenticated as well). When I install my device certificate on the firewall I get this error:
"ERROR: Failed to parse or verify imported certificate"
I do not know how to add two authentication certificates on the ASA.
I need a solution similar to this:
https://supportforums.cisco.com/docs/DOC-15367
So the question is how to arrange the installed certificates into a chain on the Cisco ASA.
My firewall firmware/type is:
Cisco Adaptive Security Appliance Software Version 8.3(2)
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Please help, I am out of ideas.
Andras
10-16-2011 02:14 AM
Hi Andras,
Configure 2 trustpoints, import the root into one, and import the intermediate & identity certs into the other.
If this doesn't work please tell us what error message you get at which step.
hth
Herbert
10-17-2011 02:03 AM
Hi Herbert,
First of all thank you for your answer. What you wrote is what I tried, but with no luck. I got the same error message:
"ERROR: Failed to parse or verify imported certificate" as before. The error message came when I tried to add the identity cert to the device.
Andras
10-18-2011 02:00 AM
Which command are you using to import the identity cert? "crypto ca import ..."?
What format is the cert in?
10-18-2011 03:03 AM
The command I use to import the identity cert: crypto ca import TRUSTPOINT_NAME certificate
The cert is in base64 format.
(chars between
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
)
The error is:
ERROR: Failed to parse or verify imported certificate
I got this note before importing: (but this should not be the problem)
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
10-18-2011 03:20 AM
Are you including the BEGIN and END lines? Please do.
If that does not help, enable "debug crypto ca ..." (all of it) and try again.
Could you post the certificate (or send it to me in a private message if you prefer)?
Herbert
10-18-2011 03:44 AM
Hi,
Yes, I include the BEGIN and the END statements.
Here is the output of the debug:
ERROR: Failed to parse or verify imported certificate
FW01/act(config)#
Read 1172 bytes as CA certificate:0‚0‚x
CRYPTO_PKI(make trustedCerts list)
CRYPTO_PKI: Failed to verify the ID certificate using the CA certificate in trustpoint my.geotrust.tp.
CERT-C: E ../cert-c/source/p7contnt.c(167) : Error #703h
crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI: status = 1795: failed to verify or insert the cert into storage
The debug commands:
FW01/act# show debug crypto ca
debug crypto ca enabled at level 255
FW01/act# show debug crypto ca messages
debug crypto ca messages enabled at level 255
FW01/act# show debug crypto ca server
debug crypto ca server enabled at level 255
FW01/act# show debug crypto ca transactions
debug crypto ca transactions enabled at level 255
I need to get permission to send you the id certificate.
10-18-2011 04:02 AM
OK, I'd really like to have a look at the cert itself. Note that I'm only asking for the certificate (which is "public"; after all, the ASA will send it to anyone trying to connect to it), not the private key.
10-18-2011 05:29 AM
Yes, you are right. I sent the cert to your private account.
10-19-2011 02:59 AM
Thanks, I've done a quick test trying to generate a new cert in my lab, with the same Subject as yours, and my ASA complains that it is not in X.500 format.
The problem seems to be the empty ST field. If I change "ST=," to "ST=XX," then it works fine.
So you'll have to ask Geotrust to issue you a new cert without the ST field, or with the ST field set to some value.
hth
Herbert
10-19-2011 03:39 AM
Herbert,
thanks for the update and hopefully for the solution. I will go back to Geotrust and ask them to do what
you suggested, and if it works for me too I will click "correct answer" and rate your solution.
thanks again,
Andras
10-24-2011 12:29 PM
Hello,
It seems like you are trying to "import" the Root CA certificate, but you cannot import that certificate; you need to "authenticate" it. Please use this command instead:
crypto ca authenticate (name of trustpoint)
I suggest that you use a new trustpoint. It is possible that you have to delete the intermediate and ID certificates and reinstall them in the following order:
Root Cert > Intermediate Cert > ID Cert
Please let me know if you have further questions
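An added pre-import check, written for this thread and not code from Cisco or from any of the posters: before pasting a PEM bundle into an ASA trustpoint it parses each certificate's Subject and Issuer straight from the DER (standard library only), flags any empty attribute value such as the "ST=" that Herbert found in the Geotrust-issued certificate, and sorts the bundle into the Root > Intermediate > ID order the last reply asks for by matching each Issuer to another certificate's Subject. The sample bundle at the bottom is constructed inside the script from unsigned certificate skeletons (they carry a placeholder signature and would never be accepted by a real ASA; they exist only so the parser has input). Run it against a real bundle with `check_bundle(open("chain.pem").read())`.

```python
"""Pre-import sanity check for a PEM certificate chain destined for a Cisco ASA trustpoint."""
import base64
import re

# Subset of X.520 attribute OIDs; anything else is reported by dotted OID.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a constructed element into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)

def parse_name(name_content):
    """DER Name content -> [(attr, value), ...], e.g. [('C', 'HU'), ('ST', '')]."""
    pairs = []
    for _, rdn in _children(name_content):              # RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):                   # AttributeTypeAndValue (SEQUENCE)
            (_, oid_raw), (_, val_raw) = _children(atv)[:2]
            pairs.append((OID_NAMES.get(_decode_oid(oid_raw), _decode_oid(oid_raw)),
                          val_raw.decode("utf-8", "replace")))
    return pairs

def pem_to_der(pem_text):
    """Every -----BEGIN CERTIFICATE----- block in the bundle, as DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def cert_names(der):
    """(issuer_pairs, subject_pairs) of one DER certificate; signature is not checked."""
    _, cert, _ = _read_tlv(der, 0)                      # Certificate
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return parse_name(fields[2][1]), parse_name(fields[4][1])

def check_bundle(pem_text):
    """Return {'order': [subject CN, root first], 'problems': [...]} for a PEM bundle."""
    infos = [cert_names(d) for d in pem_to_der(pem_text)]
    problems = []
    for _, subject in infos:
        cn = dict(subject).get("CN", "?")
        for attr, val in subject:
            if val == "":                               # the empty ST= the thread hit
                problems.append(f"{cn}: empty {attr}= in Subject; ASA rejected this as not X.500")
    roots = [i for i, (iss, sub) in enumerate(infos) if iss == sub]
    if len(roots) != 1:
        problems.append(f"expected one self-signed root in the bundle, found {len(roots)}")
        return {"order": [], "problems": problems}
    order = roots[:]
    while True:                                         # follow issuer -> subject links downward
        nxt = [i for i, (iss, _) in enumerate(infos) if i not in order and iss == infos[order[-1]][1]]
        if not nxt:
            break
        order.append(nxt[0])
    if len(order) != len(infos):
        problems.append("chain is broken: a certificate's issuer is missing from the bundle")
    return {"order": [dict(infos[i][1]).get("CN", "?") for i in order], "problems": problems}

# ---- constructed sample input (unsigned skeletons, NOT real certificates) ----
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def _encode_name(pairs):
    rev = {v: k for k, v in OID_NAMES.items()}
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _encode_oid(rev[a]) + _tlv(0x0C, v.encode())))
                               for a, v in pairs))

def _fake_cert_pem(subject, issuer):
    """Certificate-shaped DER with a placeholder signature, wrapped as PEM (constructed)."""
    sha256rsa = _tlv(0x30, _encode_oid("1.2.840.113549.1.1.11"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256rsa + _encode_name(issuer)
           + _tlv(0x30, _tlv(0x17, b"111001000000Z") + _tlv(0x17, b"121001000000Z"))
           + _encode_name(subject) + _tlv(0x30, b""))
    b64 = base64.b64encode(_tlv(0x30, _tlv(0x30, tbs) + sha256rsa + _tlv(0x03, b"\x00"))).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")

ROOT = [("C", "US"), ("O", "Example CA"), ("CN", "Example Root CA")]
INTER = [("C", "US"), ("O", "Example CA"), ("CN", "Example Intermediate CA")]
IDENT = [("C", "HU"), ("ST", ""), ("O", "Example Org"), ("CN", "vpn.example.com")]   # empty ST=
SAMPLE_BUNDLE = _fake_cert_pem(IDENT, INTER) + _fake_cert_pem(ROOT, ROOT) + _fake_cert_pem(INTER, ROOT)

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
```

The report lists the certificates in the order they should be loaded (root authenticated first, then the intermediate and identity certificates imported) and names any certificate whose Subject would need reissuing, which is exactly the kind of thing worth knowing before a "Failed to parse or verify imported certificate" message sends you to the debug output.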