Need to Export a WildCard Certificate for Use on Other ASAs

I've been going round and round with this. I installed a wildcard certificate on an ASA. Then I  exported the certificate to a pfx but I'm unable to import it on another ASA. I have an open TAC case and the tech tried all the same things I did. I am getting "Error: Import PKCS12 operation failed." I THINK I may be missing the public key since the export supposedly exports the certificate and private key. I've downloaded OpenSSL 1.1 but am unable to get any of the commands to work. Any ideas?

Accepted Solution

The solution is to create the wildcard CSR on a device with 9.12 firmware. You can then export it and import it on the other devices including 9.16 firmware.

6 Replies

@Teresa.A.Strickland refer to this guide to export the certificate in PKCS12 format and import it.

Thanks Rob. I've followed those instructions step for step. It is also the same URL the TAC engineer was using. Unfortunately, it isn't working. 

First you should get your openssl running so that you can verify if the PKCS12 file is really ok. There you can also check if the key is correctly in the file. Did you both try the CLI and ASDM imports? If I remember right, for the CLI import, the PFX needs to be base64, which is not needed for the ASDM import.

I ran the following commands in openssl and got the errors below. How do I get this working? The CA sent me different types of certificates including the root and intermediate certificates. Isn't there a way to combine them to work?

OpenSSL> pkcs12 -in __vpn_k12_ar_us.pfx -text -noout
pkcs12: Unrecognized flag text
pkcs12: Use -help for summary.
error in pkcs12
OpenSSL>

OpenSSL> pkcs12 -in __vpn_k12_ar_us.pfx -out vpn_k12_ar_us.pem -nodes

9372:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1130
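The "asn1_check_tlen:wrong tag" error above is what OpenSSL reports when the bytes handed to `pkcs12 -in` are not the DER structure it expects; `openssl pkcs12` reads DER only, so a base64 text export (the form the earlier reply says the ASA CLI wants) is one likely cause. The script below is an added example, not code from any poster in this thread or from Cisco. It takes a file in either form, strips PEM-style armor lines if present, base64-decodes, and then sanity-checks the outer PKCS#12 framing (SEQUENCE tag, declared length, version 3 per RFC 7292) before writing a DER copy that OpenSSL can read. The sample blob is a constructed ten-byte toy that only has the outer PFX shape; it contains no certificate or key, and the `-----BEGIN PKCS12-----` armor is an assumption about what a text export looks like, which is why the decoder tolerates its absence.

```python
import base64
import re

# Constructed toy DER blob with the outer PFX shape:
# SEQUENCE { INTEGER version=3, SEQUENCE authSafe { ... } }.
# It is NOT a real certificate bundle; it only exercises the framing checks.
TOY_PFX_DER = bytes.fromhex("3008" "020103" "3003020100")

# The same blob as armored base64 text (assumed form of a text export).
TOY_PFX_BASE64 = (
    "-----BEGIN PKCS12-----\n"
    + base64.b64encode(TOY_PFX_DER).decode()
    + "\n-----END PKCS12-----\n"
)


def _read_der_length(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a PFX given either raw DER or base64/PEM-style text.

    OpenSSL's pkcs12 command reads DER only; base64 text fed to it yields the
    'asn1_check_tlen:wrong tag' error quoted in the thread.
    """
    if data[:1] == b"\x30":               # DER SEQUENCE tag: already binary
        return data
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("neither DER nor ASCII base64 text") from exc
    text = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)   # drop armor lines
    text = re.sub(r"\s+", "", text)                          # drop line breaks
    der = base64.b64decode(text, validate=True)
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def check_pfx_framing(der: bytes) -> dict:
    """Sanity-check the outer PKCS#12 PFX structure.

    Verifies the outer SEQUENCE tag, that the declared length matches the data,
    and that the leading INTEGER (version) is 3 as RFC 7292 requires. It does
    not parse the contents; use 'openssl pkcs12 -info' once the file is DER.
    """
    if der[:1] != b"\x30":
        raise ValueError("outer tag is not SEQUENCE")
    length, pos = _read_der_length(der, 1)
    if pos + length != len(der):
        raise ValueError(f"length mismatch: declared {length}, have {len(der) - pos}")
    if der[pos:pos + 1] != b"\x02":
        raise ValueError("first element is not an INTEGER (version)")
    vlen, vpos = _read_der_length(der, pos + 1)
    version = int.from_bytes(der[vpos:vpos + vlen], "big")
    if version != 3:
        raise ValueError(f"unexpected PFX version {version}")
    return {"size": len(der), "version": version}


def normalize_pfx_file(src_path: str, dst_path: str) -> dict:
    """Read an export in either form, write a DER copy, return framing info."""
    with open(src_path, "rb") as f:
        der = to_der(f.read())
    info = check_pfx_framing(der)
    with open(dst_path, "wb") as f:
        f.write(der)
    return info


if __name__ == "__main__":
    print(check_pfx_framing(to_der(TOY_PFX_BASE64.encode())))
```

Once `normalize_pfx_file("export.txt", "bundle.p12")` has produced DER, `openssl pkcs12 -info -in bundle.p12 -nokeys` lists the certificates in the bundle (`-text` is not a `pkcs12` option, as the first error above says), and running it without `-nokeys` shows whether a private key is present. To rebuild a bundle that also carries the root and intermediate certificates the CA supplied, `openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile chain.pem -out bundle.pfx` packs them into one PKCS12 file.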


We've made substantial progress on the issue this morning. By chance we figured out that the certificate would work on other devices with 9.16 version of firmware but not on EOL devices with 9.12 software (5585). We are recreating the certificate on 5585 to see if it is forward compatible. We know it isn't backwards compatible. 
