08-31-2022 09:15 AM
I've been going round and round with this. I installed a wildcard certificate on an ASA. Then I exported the certificate to a pfx but I'm unable to import it on another ASA. I have an open TAC case and the tech tried all the same things I did. I am getting "Error: Import PKCS12 operation failed." I THINK I may be missing the public key since the export supposedly exports the certificate and private key. I've downloaded OpenSSL 1.1 but am unable to get any of the commands to work. Any ideas?
09-01-2022 10:09 AM
The solution is to create the wildcard CSR on a device with 9.12 firmware. You can then export it and import it on the other devices including 9.16 firmware.
08-31-2022 09:28 AM
@Teresa.A.Strickland refer to this guide to export the certificate in PKCS12 format and importing.
08-31-2022 10:09 AM
Thanks Rob. I've followed those instructions step by step. It is also the same URL the TAC engineer was using. Unfortunately, it isn't working.
08-31-2022 12:39 PM
First you should get your openssl running so that you can verify if the PKCS12 file is really ok. There you can also check if the key is correctly in the file. Did you try both the CLI and ASDM imports? If I remember right, for the CLI import, the PFX needs to be base64, which is not needed for the ASDM import.
08-31-2022 01:52 PM
I ran the following commands in openssl and got the errors below. How do I get this working? The CA sent me different types of certificates including the root and intermediate certificates. Isn't there a way to combine them to work?
OpenSSL> pkcs12 -in __vpn_k12_ar_us.pfx -text -noout
pkcs12: Unrecognized flag text
pkcs12: Use -help for summary.
error in pkcs12
OpenSSL>
OpenSSL> pkcs12 -in __vpn_k12_ar_us.pfx -out vpn_k12_ar_us.pem -nodes
9372:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1130
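An added example, not the poster's commands: a small shell check that normalises an exported bundle to DER (the base64 text that the reply above says the CLI side uses is the usual cause of the "wrong tag" ASN.1 error when fed to openssl directly), then confirms the bundle holds a certificate and a private key that actually match. It assumes the openssl CLI (1.1 or 3.x) is installed; the file names and password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from this thread: sanity-check an exported PKCS12 bundle
# before importing it on another device. A base64 text export must be decoded
# to binary DER first, otherwise "openssl pkcs12" reports
# "asn1 encoding routines ... wrong tag"; also note that "-text" is not a
# pkcs12 option. Requires the openssl CLI (1.1 or 3.x).
set -eu

# verify_pkcs12 FILE PASSWORD: prints "ok" when FILE (DER or base64 text)
# holds a certificate plus a private key that matches it; otherwise prints
# the reason and returns 1.
verify_pkcs12() {
    tmp=$(mktemp -d)
    _verify_pkcs12 "$1" "$2" "$tmp" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

_verify_pkcs12() {
    pfx=$1; pass=$2; tmp=$3; der="$tmp/bundle.der"
    # 1. Normalise to DER. A DER PKCS12 starts with 0x30 (ASN.1 SEQUENCE);
    #    anything else is treated as base64 text and decoded first.
    if [ "$(head -c 1 "$pfx" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        cp "$pfx" "$der"
    else
        grep -v '^-----' "$pfx" | tr -d '\r\n ' | openssl base64 -d -A -out "$der" \
            || { echo "file is neither DER nor base64"; return 1; }
    fi
    # 2. Pull out the certificate and the key separately; a wrong password or
    #    a bundle without a key fails here with the reason stated.
    openssl pkcs12 -in "$der" -passin "pass:$pass" -clcerts -nokeys \
        -out "$tmp/cert.pem" 2>/dev/null \
        || { echo "cannot read certificate (bad password or not a PKCS12)"; return 1; }
    openssl pkcs12 -in "$der" -passin "pass:$pass" -nocerts -nodes \
        -out "$tmp/key.pem" 2>/dev/null && grep -q 'PRIVATE KEY' "$tmp/key.pem" \
        || { echo "no private key in bundle"; return 1; }
    # 3. The public key derived from the private key must equal the one in
    #    the certificate; compare SHA-256 over their DER encodings.
    k=$(openssl pkey -in "$tmp/key.pem" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ] || { echo "private key does not match certificate"; return 1; }
    echo ok
}
```

Run it as `verify_pkcs12 exported.pfx 'the-export-password'`; anything other than `ok` names the first thing the import would trip over.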
09-01-2022 08:15 AM
We've made substantial progress on the issue this morning. By chance we figured out that the certificate would work on other devices with the 9.16 version of firmware but not on EOL devices with 9.12 software (5585). We are recreating the certificate on the 5585 to see if it is forward compatible. We know it isn't backwards compatible.