Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2552
Views
15
Helpful
4
Replies

GoDaddy Cert renewal - Confused

Go to solution
davidfield
Level 3
Level 3

‎11-24-2020 02:18 PM

Hi All I could use a point in the right direction.  

 

The Web admin received an updated from Godaddy that the Cert fro our ASA which provides VPN needs renewing.  He just followed the bouncing ball and renewed and sent me the Zip with the CRT files and also the CSR file.  I've not done a renewal this way before.

 

I was able to under CA Certificates add a ASDM_Trustpoint from the gd_bundle-g2-g1.crt file but then I assume I need to add an Identity.  I go to Identity and I can see the status as pending.  I then try to install and this is where I hit an issue.  I select the CRT file with the random number that the Web Admin sent me but it comes up with an error - Certificate does no contain Devices General Purpose Key.    

I dont know what I'm missing here as I'm not aware of a key?


Can anyone advise where I'm going wrong?

 

Best Regards

David

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Aref Alsouqi
VIP
VIP

‎11-25-2020 01:38 PM

I think what you would need is just to import the renewed identity cert under the trust point that needs to be renewed. Open up the renewed cert with a text editor, copy its content, go to CLI and issue the command crypto ca import <the trust point name> and hit enter, paste the cert content and then type quit and hit enter. To verify the new cert use the command show crypto ca certificates <the trust point name>.

View solution in original post

4 Replies 4

Go to solution
Aref Alsouqi
VIP
VIP

‎11-25-2020 01:38 PM

I think what you would need is just to import the renewed identity cert under the trust point that needs to be renewed. Open up the renewed cert with a text editor, copy its content, go to CLI and issue the command crypto ca import <the trust point name> and hit enter, paste the cert content and then type quit and hit enter. To verify the new cert use the command show crypto ca certificates <the trust point name>.

Go to solution
davidfield
Level 3
Level 3
In response to Aref Alsouqi

‎11-26-2020 03:34 AM

Thanks Aref and BB for the response.  To be honest my knowledge is a bit light when it comes to Certificates,  I tried to past in the Cert and get the following error

 

Cannot import certificate -
Certificate does not contain device's General Purpose public key
for trust point ASDM_TrustPoint1
ERROR: Failed to parse or verify imported certificate

 

I'm not sure where I'm going wrong.

 

David

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-27-2020 04:59 AM

As noted in this section of the link provided earlier:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc20

...the renewal CSR (Certificate Signing Request) must be generated on the ASA. Only by doing that does the ASA then automatically have the private key associated with the issued certificate.

The other, less common, option is if the person who generated the CSR elsewhere has the private key used when generating the request.

Customers Also Viewed These Support Documents