10-12-2011 05:25 AM
Hello,
I have the following problem:
I ordered a certificate from Geotrust. Geotrust signed my certificate with an intermediate certificate. The problem is that the
ASA needs the Geotrust global certificate to be installed to accept my device certificate (the intermediate certificate needs to be
authenticated as well). When I install my device certificate on the firewall I get this error:
"ERROR: Failed to parse or verify imported certificate"
I do not know how to add two authentication certificates on the ASA.
I need a solution similar to this one:
https://supportforums.cisco.com/docs/DOC-15367
So the question is how to arrange the installed certificates into a chain on the Cisco ASA.
My firewall firmware/type is:
Cisco Adaptive Security Appliance Software Version 8.3(2)
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Please help, I am out of ideas.
Andras
10-16-2011 02:14 AM
Hi Andras,
Configure 2 trustpoints, import the root into one, and import the intermediate & identity certs into the other.
If this doesn't work please tell us what error message you get at which step.
hth
Herbert
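The reason the two-trustpoint layout matters can be checked locally before touching the firewall. The script below is an added example, not part of this thread or of any Cisco documentation: it builds a throwaway root -> intermediate -> identity chain with openssl (all names, files and the temporary directory are constructed for the demo) and then verifies the identity certificate twice, once against the root alone and once with the intermediate supplied. The first verification fails with "unable to get local issuer certificate", which is the same chain-building failure the ASA reports as "Failed to parse or verify imported certificate" when the trustpoint holding the identity cert does not also hold the issuing intermediate. It also compares the identity cert's issuer DN with the intermediate's subject DN, the check to run when a CA delivers a bundle with several intermediates.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the ASA chain requirement
# offline with openssl. Every name and file here is made up for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files (constructed): CA certs must carry CA:TRUE, the leaf must not.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

# 1. Self-signed root (stands in for the GeoTrust global root certificate).
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "/CN=Demo Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null

# 2. Intermediate CA signed by the root (the cert GeoTrust signs with).
openssl genrsa -out inter.key 2048 2>/dev/null
openssl req -new -key inter.key -subj "/CN=Demo Intermediate CA" -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null

# 3. Identity (device) certificate signed by the intermediate.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=vpn.example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Like a trustpoint that holds only the root: the leaf's issuer is unknown.
# Returns 0 only if openssl can build the chain.
verify_root_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Like the second trustpoint with the intermediate authenticated: chain builds.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Issuer DN of the identity cert and subject DN of the intermediate, in the
# same normalized form so they can be compared directly.
leaf_issuer() {
  openssl x509 -in leaf.pem -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}
inter_subject() {
  openssl x509 -in inter.pem -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

if verify_root_only; then
  echo "root only: chain OK (unexpected for an intermediate-signed cert)"
else
  echo "root only: chain FAILED (no issuer for the identity cert)"
fi
if verify_with_intermediate; then
  echo "root + intermediate: chain OK"
fi
echo "identity issuer : $(leaf_issuer)"
echo "intermediate DN : $(inter_subject)"
```

Run it as-is; the intermediate-signed identity certificate verifies only when the intermediate is available, so on the ASA the intermediate has to be authenticated into the same trustpoint that receives the identity certificate (with `crypto ca authenticate` for the CA cert, then `crypto ca import ... certificate` for the identity cert), while the root goes into its own trustpoint. If the two DNs printed at the end differ, the bundle from the CA contains a different intermediate than the one that actually signed the device certificate.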
10-17-2011 02:03 AM
Hi Herbert,
First of all thank you for your answer. What you wrote is what I tried, but with no luck. I got the same error message:
"ERROR: Failed to parse or verify imported certificate" as before. The error message came when I tried to add the identity cert to the device.
Andras
10-18-2011 02:00 AM
Which command are you using to import the identity cert ? "crypto ca import ..." ?
What format is the cert in?
10-18-2011 03:03 AM
The command I use to import the identity cert: crypto ca import TRUSTPOINT_NAME certificate
The cert is in base64 format.
(chars between
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
)
the error is:
ERROR: Failed to parse or verify imported certificate
I got this note before importing: (but this should not be the problem)
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
10-18-2011 03:20 AM
Are you including the BEGIN and END lines? Please do.
If that does not help, enable "debug crypto ca ..." (all of it) and try again.
Could you post the certificate (or send it to me in a private message if you prefer)?
Herbert