10-21-2014 02:49 AM
Dear all,
I'm in the process of implementing a GoDaddy Wildcard (*.mydomain.mytld) cert for a number of boxes, amongst which there is our ASA. I have scrapped the old certs and did some housekeeping on their trustpoints etc., resulting in a pretty much clean config. (I'm on 8.3.)
I needed to enroll for the cert from a different box (Exchange 2010) and I exported the cert into Cisco-pasteable CER format to have it ready for further deployment onto the ASA. Following is what I did (with cry ca debugging on), resulting in failure to import the wildcard cert. Can someone shed some light on what I'm doing wrong? What I did was basically set up TPs for root and intermediate and then import the actual device cert.
Setup two trustpoints for RootCA and Intermediate TP:
gate0(config)# crypto ca trustpoint gdroot
gate0(config-ca-trustpoint)# enrollment terminal
gate0(config-ca-trustpoint)# revo none
---------
gate0(config)# crypto ca trustpoint gdinter
gate0(config-ca-trustpoint)# enroll terminal
gate0(config-ca-trustpoint)# fqdn mydomain.tld
----------------
Authenticate these:
gate0(config)# cry ca authenticate gdroot
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: [snip]
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Current Certificate list contents:
Certificate 1:
SERIAL: 00
ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
CRYPTO_PKI: crypto_process_ra_certs(trust_point=gdroot)
gate0(config)# cry ca authenticate gdinter
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: [snip]
Do you accept this certificate? [yes/no]: yes
Trustpoint 'gdinter' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported
gate0(config)# CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0301, subject name: serialNumber=07969287,cn=Go Daddy Secure Certification Authority,ou=http://certificates.godaddy.com/repository,o=GoDaddy.com\, Inc.,l=Scottsdale,st=Arizona,c=US, issuer name: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US .
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Current Certificate list contents:
Certificate 1:
SERIAL: 0301
ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
Certificate 2:
SERIAL: 00
ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
CRYPTO_PKI: crypto_process_ra_certs(trust_point=gdinter)
Import the "device" wildcard cert:
crypto ca import gdinter cer
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: mydomain.tld
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
ERROR: Failed to parse or verify imported certificate
CRYPTO_PKI: can not set ca cert object (0x722)
CRYPTO_PKI: status = 65535: failed to get key usage from cert
10-21-2014 06:44 AM
You may be seeing an issue due to not having generated the CSR on the ASA (with the ASA's private key) since you're using a wildcard cert.
There's a document here that explains how to get around that.
10-22-2014 02:39 AM
Hi Marvin,
still no joy.
what I did was:
Can you think of anything I may have done wrong?
11-06-2014 02:09 AM
Marvin,
after 8.x -> 9.x and upgrading everything else, it works. I knew I was outdated.
Next job: finding out why AnyConnect warns about a cert name not matching even though the web GUI comes up w/o such errors and shows the correct cert......
11-06-2014 07:43 AM
You tell remote access VPN to use the certificate separate from ASDM using it.
"ssl trustpoint" is the relevant line in the configuration.
11-07-2014 04:51 AM
Yep, but the culprit was:
I did enter both the IP and the hostname in the .xml, which in turn resulted in the IP not authenticating while the FQDN would. I did that to make sure it works even in case of DNS issues on the client. I removed the IP and we're up and running.
Kudos & Thanks for your help, Marvin.
Dan
EDIT:
To anyone else reading this, I did exactly what Marvin suggested, save that I was still on 8.x, resulting in failure to import the cert which I prepared according to the process in the linked discussion. What I finally did was to upgrade to ASA 9.x latest and repeat it, resulting in the ASA nicely chewing everything up.
09-02-2016 02:47 PM
Hi, I had this same issue and after a lot of investigation I've made it work.
The issue is that the ASA expects to have the certificate in PKCS#12 (.p12) format, base64-encoded.
You just need to take your .pfx file and encode it in base64 with the following command:
#openssl base64 -in xxxxx.pfx > xxxxx.base64
Then you need to open the file and add the PKCS12 header and footer; just copy and paste them without leaving any space.
-----BEGIN PKCS12-----
-----END PKCS12-----
The end result would be like this:
-----BEGIN PKCS12-----
yH54bCdLWTlWGhXnPC9pGpL9aXGgsmQV/odoxbEa+fZiDpLL+ZRrN2Up7onCC53l
4Qoh76ju/j9vMlRIE5bAUvMqsCl50CP//C50IuSTvBWyN1/M0RclwK4D7wtwGWfz
.................
.................
m3MylWIXt83bP45nzCqmMKc1aiOVbdQQo8M7MSUwIwYJKoZIhvcNAQkVMRYEFDLo
hsQ3m0hoYwLODqBXBpfpM7mWMDEwITAJBgUrDgMCGgUABBR1pxMEpEZwWkvnJauW
9UvnuP403wQIyRcfzvL8incCAggA
-----END PKCS12-----
Now you have your certificate ready for importing it into the ASA. Execute:
crypto ca import [the trustpoint name you want] pkcs12 [pkcs12 password]
My example
ASA(config)# crypto ca import wildcard.brato.local pkcs12 1234567890
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully
Verify that the trustpoint was created:
ASA(config)# show crypto ca trustpoints BRATO
Trustpoint BRATO:
Not authenticated.
Verify that the key was created:
ASA(config)# show crypto key mypubkey rsa | b BRATO
Key name: BRATO
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
The last step is to add the root and the intermediate certificates to the chain. That is why you have a "Not authenticated" trustpoint.
You need to encode your certificate chain with base64 again. Remember that you need to form the chain in issuing order:
CERT INTERMEDIATE
CERT ROOT1
CERT ROOT2
CERT ETC.
you will end with something like this:
-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----
Execute:
crypto ca trustpoint BRATO
enrollment terminal
exit
crypto ca authenticate BRATO
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
Certificate has the following attributes:
Fingerprint: xxxxxxx xxxxxxxx xxxxxxx xxxxx
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
ASA(config)# show crypto ca trustpoint BRATO
Trustpoint BRATO:
Subject Name:
cn=brato-DC-CA
dc=brato
dc=local
Serial Number: gglfshlkahfklsahflkhaslkf
Certificate configured.
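The post above does the .pfx preparation by hand. Below is an added helper (not from the thread and not Cisco code) that automates it and adds the check a practitioner wants before pasting anything at the `crypto ca import <trustpoint> pkcs12 <passphrase>` prompt: it looks at the outermost ASN.1 structure to confirm the blob really is a PKCS#12 bundle (`SEQUENCE { INTEGER 3, ... }`) and not a bare X.509 certificate (`SEQUENCE { SEQUENCE tbsCertificate, ... }`), which is the kind of paste that fails when no matching private key exists on the ASA, as in the original post. It then emits the base64 at 64 columns with the `-----BEGIN PKCS12-----` armor. The sample inputs at the bottom are constructed skeletons that only mimic the outer DER layout; they are not real credentials, and the tool does not validate signatures or passwords.

```python
"""Prepare a PKCS#12 (.pfx/.p12) bundle for pasting into an ASA.

Added example, not from the original thread.  Reads raw DER or PEM-armored
input, refuses a bare X.509 certificate (no private key -> ASA import fails),
and prints the base64 blob in the armor the 'crypto ca import ... pkcs12'
prompt expects.  Only the outermost ASN.1 layout is inspected.
"""
import base64
import re
import sys

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, start, end


def to_der(data: bytes) -> bytes:
    """Accept raw DER or PEM armor with any -----BEGIN ...----- label."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----(BEGIN|END)[^-]*-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def classify(der: bytes) -> str:
    """'pkcs12' for PFX ::= SEQUENCE { INTEGER 3, ... };
    'x509' for Certificate ::= SEQUENCE { SEQUENCE tbsCertificate, ... };
    'unknown' otherwise."""
    tag, start, end = _read_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        return "unknown"
    inner_tag, istart, iend = _read_tlv(der, start)
    if inner_tag == TAG_INTEGER and der[istart:iend] == b"\x03":
        return "pkcs12"
    if inner_tag == TAG_SEQUENCE:
        return "x509"
    return "unknown"


def asa_pkcs12_armor(der: bytes) -> str:
    """Base64 at 64 columns between the PKCS12 header/footer the ASA expects."""
    kind = classify(der)
    if kind != "pkcs12":
        raise ValueError("input is a %s object, not a PKCS#12 bundle; export "
                         "cert + key with 'openssl pkcs12 -export' first" % kind)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PKCS12-----", *lines, "-----END PKCS12-----"]) + "\n"


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed skeletons (demonstration only, not usable credentials): they copy
# the outer layout of a PKCS#12 PFX and of an X.509 Certificate so classify()
# has something realistic to look at.  The 200-byte payload forces a long-form
# length so that branch of _read_tlv is exercised too.
OID_ID_DATA = _tlv(0x06, bytes.fromhex("2A864886F70D010701"))   # 1.2.840.113549.1.7.1
SAMPLE_PKCS12 = _tlv(TAG_SEQUENCE,
                     _tlv(TAG_INTEGER, b"\x03")
                     + _tlv(TAG_SEQUENCE, OID_ID_DATA
                            + _tlv(0xA0, _tlv(0x04, b"\x00" * 200))))
SAMPLE_CERT = _tlv(TAG_SEQUENCE,
                   _tlv(TAG_SEQUENCE, _tlv(0xA0, _tlv(TAG_INTEGER, b"\x02"))
                        + _tlv(TAG_INTEGER, b"\x01"))
                   + _tlv(TAG_SEQUENCE, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))
                   + _tlv(0x03, b"\x00" * 65))

if __name__ == "__main__":
    # usage: python asa_p12.py cert.pfx > cert.p12.pem  (no argument: the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            der = to_der(fh.read())
    else:
        der = SAMPLE_PKCS12
    sys.stdout.write(asa_pkcs12_armor(der))
```

In the real workflow the input is the .pfx exported from the Exchange box (or built with `openssl pkcs12 -export -inkey key.pem -in cert.pem -certfile chain.pem -out cert.pfx`); the output is pasted verbatim at the `Enter the base 64 encoded pkcs12.` prompt, followed by `quit`. Feeding it the bare CER from the first post stops with the "not a PKCS#12 bundle" error instead of the ASA's less specific "failed to get key usage from cert".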