We are using a Cisco ISR4431, having an issue importing a CA cert.

may272007
Level 1

Hi, 

We are using a Cisco ISR4431. We want to establish a certificate-based authentication IPsec tunnel with a third-party company. The CA server is in the third party's infrastructure; we don't have direct reachability to their server. We are exchanging certificates manually.

I am explaining what we did so far.

The third party shared their root, issuing and intermediate certificates with us. We installed the root, issuing and intermediate certificates in our router successfully, generated a CSR and shared that CSR with the third party. The third party gave us a certificate against that CSR, but when we import that certificate into our Cisco router we get the error below:

%failed to parse or verify imported certificate

Can anyone help with what the problem is or how we can resolve it?

5 Replies

@may272007 did you generate the CSR from the router itself? Using crypto pki enroll <TRUSTPOINT_NAME>, and then, to import the signed CSR, run crypto pki import <TRUSTPOINT_NAME> certificate?

may272007
Level 1

"@may272007 did you generate the CSR from the router itself? Using crypto pki enroll <TRUSTPOINT_NAME>, and then, to import the signed CSR, run crypto pki import <TRUSTPOINT_NAME> certificate?"

Yes.

Below are the steps we followed

ip domain-name abcxx.com
clock timezone IST 5 30
clock set 14:10:00 12 July 2023
conf t
! generate the RSA key pair the trustpoint will use
crypto key generate rsa general-keys modulus 4096
crypto pki trustpoint xxxxxxxxxx
chain-validation continue NokiaTunnelAP.go22.gpe.local
enrollment terminal
fqdn finlandpri.cisco.com
subject-name C = xx, ST = xx, L = xx, O = xx-SSE, OU = xx, CN =xx
revocation-check none
exit
! authenticate the trustpoint with the CA certificate pasted at the terminal
crypto pki authenticate xxxxxxxxxx

pasted the root, issuing and intermediate certificate here, provided by the third party

quit
Certificate has the following attributes:
        Fingerprint MD5: yyyyyyyyyyyyyyyyyyyyyyyyyyy
      Fingerprint SHA1: yyyyyyyyyyyyyyyyyyyyyyyyyyy

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

Do you accept this certificate? [yes/no] yes

! generate the CSR and display it on the terminal
crypto pki enroll xxxxxxxxx
include serial no in subject-name? no
include ip address in subject-name? no
display certificate request to terminal? [yes/no] yes

  ********* Here is the CSR *****************

Redisplay enrollment request? no

CSR copied and shared with the third party, and the third party gave us a certificate

then we tried to import the certificate

! paste the base64 certificate returned for the CSR, then type quit
crypto pki import xxxxxxxxxx certificate

paste the copied certificate

quit

% Failed to parse or verify imported certificate
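
A way to check the returned certificate offline before pasting it into the router, as an added example that is not code from this thread or from Cisco: it uses OpenSSL on a workstation, builds a constructed toy root and issuing CA plus a stand-in for the router's CSR (all names are hypothetical), and runs the three checks that the router's generic failure message does not distinguish: that the file is a base64 PEM certificate, that its public key is exactly the one in the CSR, and that it chains to the root and issuing certificates that were authenticated in the trustpoint.

```shell
#!/bin/sh
# Added example (not code from the thread): offline checks on the certificate
# the third party returned, run on a workstation with OpenSSL before pasting it
# into 'crypto pki import <TRUSTPOINT> certificate'. A toy root/issuing CA and
# a stand-in for the router's CSR are constructed below so it runs stand-alone.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# pubkey_of FILE KIND : print the PEM public key of a CSR (KIND=req) or a
# certificate (KIND=x509); prints nothing if the file cannot be parsed.
pubkey_of() {
  openssl "$2" -in "$1" -noout -pubkey 2>/dev/null || true
}

# check_issued_cert CSR CERT ROOT INTERMEDIATE
# Returns 0 only when CERT (1) is a PEM X.509 certificate, (2) carries exactly
# the public key that is in CSR, and (3) chains to ROOT through INTERMEDIATE,
# i.e. the CA certificates authenticated in the trustpoint. Each failing check
# is a reason a router would refuse the import.
check_issued_cert() {
  csr=$1; cert=$2; root=$3; inter=$4
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
    echo "FAIL: $cert is not a PEM certificate (DER/PKCS#7/PKCS#12 must be converted)"; return 1
  fi
  if [ -z "$(pubkey_of "$csr" req)" ] || \
     [ "$(pubkey_of "$csr" req)" != "$(pubkey_of "$cert" x509)" ]; then
    echo "FAIL: $cert public key differs from the CSR key (different CSR or regenerated key)"; return 1
  fi
  if ! openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to the installed root/issuing CA"; return 1
  fi
  echo "OK: $cert matches the CSR key and chains to the trusted root"
}

# --- Constructed fixtures (hypothetical names, not the thread's CAs) ---------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Root CA and issuing (intermediate) CA, the two a third party would hand over.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# Stand-in for the router: a key pair and the CSR that 'crypto pki enroll' displays.
openssl req -newkey rsa:2048 -nodes -subj "/CN=router.example.test" \
  -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null
# The certificate a correctly operating issuing CA returns for that CSR.
openssl x509 -req -days 1 -in "$WORK/router.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -out "$WORK/good.pem" 2>/dev/null

# Failure modes that yield a certificate which looks right but will not import:
# (a) same subject, but issued for a CSR from a different key pair
openssl req -newkey rsa:2048 -nodes -subj "/CN=router.example.test" \
  -keyout "$WORK/other.key" -out "$WORK/other.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/other.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -out "$WORK/wrongkey.pem" 2>/dev/null
# (b) right key, but signed by a CA that was never authenticated in the trustpoint
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
  -keyout "$WORK/unrel.key" -out "$WORK/unrel.pem" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/router.csr" -CA "$WORK/unrel.pem" -CAkey "$WORK/unrel.key" \
  -CAcreateserial -out "$WORK/wrongca.pem" 2>/dev/null
# (c) right certificate, but delivered as DER instead of base64 PEM
openssl x509 -in "$WORK/good.pem" -outform DER -out "$WORK/good.der"

check_issued_cert "$WORK/router.csr" "$WORK/good.pem"     "$WORK/root.pem" "$WORK/inter.pem"
check_issued_cert "$WORK/router.csr" "$WORK/wrongkey.pem" "$WORK/root.pem" "$WORK/inter.pem" || true
check_issued_cert "$WORK/router.csr" "$WORK/wrongca.pem"  "$WORK/root.pem" "$WORK/inter.pem" || true
check_issued_cert "$WORK/router.csr" "$WORK/good.der"     "$WORK/root.pem" "$WORK/inter.pem" || true
```

With real files, drop the fixture section and call check_issued_cert with the CSR copied from the enroll output, the file the third party returned, and their root and issuing certificates. A failure on the key comparison means the CA signed a different CSR than the one the router displayed, or the router's RSA key pair was regenerated after the CSR was produced; a failure on the chain check means the certificate's issuer is not the CA that was authenticated in the trustpoint, regardless of how the subject looks.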

may272007
Level 1

Can anyone help to answer?

Pavan Gundu
Cisco Employee

What do these debugs say when you try to import the signed certificate?

debug crypto pki transactions

debug crypto pki messages