cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
433
Views
10
Helpful
4
Replies
Highlighted
Beginner

GoDaddy Cert renewal - Confused

Hi All I could use a point in the right direction.  

 

The Web admin received an updated from Godaddy that the Cert fro our ASA which provides VPN needs renewing.  He just followed the bouncing ball and renewed and sent me the Zip with the CRT files and also the CSR file.  I've not done a renewal this way before.

 

I was able to under CA Certificates add a ASDM_Trustpoint from the gd_bundle-g2-g1.crt file but then I assume I need to add an Identity.  I go to Identity and I can see the status as pending.  I then try to install and this is where I hit an issue.  I select the CRT file with the random number that the Web Admin sent me but it comes up with an error - Certificate does no contain Devices General Purpose Key.    

I dont know what I'm missing here as I'm not aware of a key?


Can anyone advise where I'm going wrong?

 

Best Regards

David

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
VIP Mentor

Highlighted
VIP Rising star

I think what you would need is just to import the renewed identity cert under the trust point that needs to be renewed. Open up the renewed cert with a text editor, copy its content, go to CLI and issue the command crypto ca import <the trust point name> and hit enter, paste the cert content and then type quit and hit enter. To verify the new cert use the command show crypto ca certificates <the trust point name>.

View solution in original post

4 REPLIES 4
Highlighted
VIP Mentor

Highlighted
VIP Rising star

I think what you would need is just to import the renewed identity cert under the trust point that needs to be renewed. Open up the renewed cert with a text editor, copy its content, go to CLI and issue the command crypto ca import <the trust point name> and hit enter, paste the cert content and then type quit and hit enter. To verify the new cert use the command show crypto ca certificates <the trust point name>.

View solution in original post

Highlighted

Thanks Aref and BB for the response.  To be honest my knowledge is a bit light when it comes to Certificates,  I tried to past in the Cert and get the following error

 

Cannot import certificate -
Certificate does not contain device's General Purpose public key
for trust point ASDM_TrustPoint1
ERROR: Failed to parse or verify imported certificate

 

I'm not sure where I'm going wrong.

 

David

 

Highlighted
Hall of Fame Guru

As noted in this section of the link provided earlier:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc20

...the renewal CSR (Certificate Signing Request) must be generated on the ASA. Only by doing that does the ASA then automatically have the private key associated with the issued certificate.

The other, less common, option is if the person who generated the CSR elsewhere has the private key used when generating the request.

Content for Community-Ad