cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12695
Views
0
Helpful
4
Replies

Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))

jni
Level 1
Level 1

Hello

I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.

Setup:

We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR:  A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.

Configuration in regards to certificate:

crypto key generate rsa label vpn.company.dk modulus 2048

!

crypto ca trustpoint vpn.trustpoint

keypair vpn.company.dk

fqdn none

subject-name CN=*.company.dk,C=DK

!id-usage ssl-ipsec

enrollment terminal

crl configure

!

crypto ca authenticate vpn.trustpoint

! <import intermediate certificate>

!

crypto ca enroll vpn.trustpoint

! <send CSR to CA>

!

crypto ca import vpn.trustpoint certificate

! <import SSL cert received back from CA>

!

ssl trust-point vpn.trustpoint outside

Problem:

When I try to import the certificate I receive the following error:

crypto ca import vpn.trustpoint certificate

WARNING: The certificate enrollment is configured with an fqdn

that differs from the system fqdn. If this certificate will be

used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name will not be included in the certificate

Enter the base 64 encoded certificate.

End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

<certificate>

-----END CERTIFICATE-----

quit

ERROR: Failed to parse or verify imported certificate

Question:

- Does any one of you have any pointers in regards to what is going wrong?

- Especially in regards to fqdn and CN, I also have a question. My config

fqdn none

subject-name CN=*.company.dk,C=DK

would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".

So do you have insight or pointers which might help me?

Thank you in advance

4 Replies 4

jni
Level 1
Level 1

No one who can help?

I would really appreciate any help from you bright minds

Moved the question to VPN group. Hope that anyone can help here instead

ihernandez81
Level 1
Level 1

I also have a wildcard cert for my SSL VPN ASAs.

When i import the cert I use ASDM instead of CLI...

I import the wildcard as a *.pfx file and type in the password. works fine...

Perhaps the format is incorrect?

Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.

Not sure if this helps but give ASDM a try?

AG
Level 1
Level 1

I think this is related to the private key you generate at the beginning.

Wildcard has one private key  - so for all devices on which you are using it, you have to export this key. So also to the ASA. But you create a new one on the ASA -> crypto key generate rsa label vpn.company.dk modulus 2048.

Or am I wrong?

BR