
ASA SSLVPN certificate chain install problem

horvaia
Beginner

Hello,

I have the following problem:

I ordered a certificate from Geotrust. Geotrust signed my certificate with an intermediate certificate. The problem is that ASA needs the Geotrust global certificate to be installed to accept my device certificate (the intermediate certificate needs to be authenticated as well). When I install my device certificate on the firewall I got this error:

"ERROR: Failed to parse or verify imported certificate"

I do not know how to add two authentication certificates on ASA.

I need similar solution like this:

https://supportforums.cisco.com/docs/DOC-15367

So the question is how to arrange the installed certificates into a chain on Cisco ASA.

My firewall firmware/type is:

Cisco Adaptive Security Appliance Software Version 8.3(2)

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Please help, I am out of ideas.

Andras

11 REPLIES 11

Herbert Baerten
Cisco Employee

Hi Andras,

configure 2 trustpoints, import the root into one, and import the intermediate & identity certs into the other.

If this doesn't work please tell us what error message you get at which step.

hth

Herbert
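One way to lay out the two trustpoints described in the reply above, as an added example that is not from the original thread or from Cisco documentation; the trustpoint names, keypair label, FQDN and interface name are assumptions and must be replaced with your own:

```cisco
! Trustpoint 1: holds only the GeoTrust root CA certificate.
crypto ca trustpoint GEOTRUST-ROOT
 enrollment terminal
!
! Paste the root CA certificate PEM (including the BEGIN/END lines), then type "quit".
crypto ca authenticate GEOTRUST-ROOT
!
! Trustpoint 2: holds the intermediate CA certificate and the identity certificate.
! The keypair must be the one the CSR was generated from; a different key means
! the identity certificate cannot be matched to the trustpoint and the import fails.
crypto ca trustpoint GEOTRUST-SSLVPN
 enrollment terminal
 keypair SSLVPN-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
!
! Paste the intermediate CA certificate PEM, then "quit".
crypto ca authenticate GEOTRUST-SSLVPN
!
! Paste the identity (device) certificate PEM, then "quit".
crypto ca import GEOTRUST-SSLVPN certificate
!
! Bind the identity trustpoint to the interface that terminates SSL VPN sessions.
ssl trust-point GEOTRUST-SSLVPN outside
!
! Verify: both CA certificates and the identity certificate should be listed.
show crypto ca certificates
```

The import into the second trustpoint is checked against the CA certificate held by that same trustpoint, so the intermediate must be authenticated there before the identity certificate is imported.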

Hi Herbert,

First of all thank you for your answer. What you wrote is what I tried but with no luck. I got the same error message:

"ERROR: Failed to parse or verify imported certificate" as before. The error message came when I tried to add the identity cert to the device.

Andras

Which command are you using to import the identity cert ? "crypto ca import ..." ?

What format is the cert in?

command I use to import the identity cert: crypto ca import TRUSTPOINT_NAME certificate

the cert is in base64 format (chars between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)

the error is:

ERROR: Failed to parse or verify imported certificate

I got this note before importing (but this should not be the problem):

WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes

Are you including the BEGIN and END lines? Please do.

If that does not help, enable "debug crypto ca ..." (all of it) and try again.

Could you post the certificate (or send it to me in a private message if you prefer)?

Herbert