11-24-2020 02:18 PM
Hi All, I could use a point in the right direction.
The Web admin received an update from GoDaddy that the cert for our ASA, which provides VPN, needs renewing. He just followed the bouncing ball and renewed and sent me the Zip with the CRT files and also the CSR file. I've not done a renewal this way before.
I was able to under CA Certificates add an ASDM_Trustpoint from the gd_bundle-g2-g1.crt file but then I assume I need to add an Identity. I go to Identity and I can see the status as pending. I then try to install and this is where I hit an issue. I select the CRT file with the random number that the Web Admin sent me but it comes up with an error - Certificate does not contain Devices General Purpose Key.
I don't know what I'm missing here as I'm not aware of a key?
Can anyone advise where I'm going wrong?
Best Regards
David
11-24-2020 05:37 PM
If you are renewing with the same provider, follow the below guide:
11-25-2020 01:38 PM
I think what you would need is just to import the renewed identity cert under the trust point that needs to be renewed. Open up the renewed cert with a text editor, copy its content, go to CLI and issue the command crypto ca import <the trust point name> and hit enter, paste the cert content and then type quit and hit enter. To verify the new cert use the command show crypto ca certificates <the trust point name>.
11-26-2020 03:34 AM
Thanks Aref and BB for the response. To be honest my knowledge is a bit light when it comes to Certificates. I tried to paste in the Cert and get the following error:
Cannot import certificate -
Certificate does not contain device's General Purpose public key
for trust point ASDM_TrustPoint1
ERROR: Failed to parse or verify imported certificate
I'm not sure where I'm going wrong.
David
11-27-2020 04:59 AM
As noted in this section of the link provided earlier:
...the renewal CSR (Certificate Signing Request) must be generated on the ASA. Only by doing that does the ASA then automatically have the private key associated with the issued certificate.
The other, less common, option is if the person who generated the CSR elsewhere has the private key used when generating the request.
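The key mismatch described in the replies above can be confirmed off the device before attempting an import. This is an added example, not part of the original thread: it compares the public key inside a certificate with the one inside a CSR or private key using the openssl CLI. All file names are constructed placeholders, and `device.key` only stands in for the ASA's own key pair (on a real ASA, compare the renewed certificate against the CSR the ASA itself generated).

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# Print the SHA-256 of the public key held in a PEM file.
# $1 = cert | csr | key, $2 = path
pubkey_digest() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # Normalise to DER so PEM formatting differences cannot affect the hash.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only when both files carry the same public key.
# Usage: same_key <kind1> <file1> <kind2> <file2>
same_key() {
    a=$(pubkey_digest "$1" "$2") || return 2
    b=$(pubkey_digest "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data in directory $1:
#   offbox.key / offbox.csr : key pair and CSR created away from the firewall
#   issued.crt              : self-signed stand-in for the CA-issued certificate
#   device.key              : stand-in for the key pair that lives on the ASA
make_constructed_files() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/offbox.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/device.key" 2>/dev/null
    openssl req -new -key "$1/offbox.key" -subj "/CN=vpn.example.test" \
        -out "$1/offbox.csr"
    openssl req -x509 -new -key "$1/offbox.key" -subj "/CN=vpn.example.test" \
        -days 1 -out "$1/issued.crt"
}

# Run with the argument "demo" to see both outcomes on the constructed files.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_constructed_files "$d"
    same_key cert "$d/issued.crt" csr "$d/offbox.csr" && echo "cert matches the off-box CSR"
    same_key cert "$d/issued.crt" key "$d/device.key" || echo "cert does NOT match the device key"
    rm -rf "$d"
fi
```

A mismatch here corresponds to the import failing on the ASA, because the trustpoint's key pair is not the one the certificate was issued for.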