Re: Problem installing Verisign SSL cert on VPN 3005 Concentrato

gary.merrick · ‎05-13-2005

I am trying to install a Verisign SSL cert to our Cisco VPN 3005 Concentrator, in order to secure WebVPN traffic with a trusted CA.

I have created the enrollment key on the 3005, and generated an SSL cert from Verisign's website (using the Apache web server hash, as I was told to do by a Cisco tech.)

However, when I attempt to complete the installation of the SSL cert on the VPN 3005, I receive an error message "Incomplete chain".

When I try to install the cert directly to the external interface, using the shared key, I get an error of "parse error".

Any idea what is going on, and how I remedy this?

lathian · ‎05-18-2005

I have the same problem with VPN 3015. Contact VeriSign support they don't have a clue and told me to get help from Cisco.

Anyone knows how to solve this problem ?

Thanks alot

lathian · ‎06-02-2005

Problem solved when I downgraded image to 4.0.5B. Install SSL, and then upgrade to image latest image.

Rutger Blom · ‎07-15-2005

Hello,

What version did you downgrade from? I'm having the same problem and would like to solve it the way you did. I'm just afraid that I will lose a lot of config. I'm running version 4.7 with Secure Desktop and SSL VPN. Those things did not exist on version 4.05B. How did this work for you?

Kind regards,

Rutger

gnelsen · ‎06-13-2005

You need to install the root CA on the concentrator. YOu can export it from IE.

lathian · ‎07-15-2005

I downgrade from 4.7. The main reason to downgrade is just to install the SSL. When you downgrade you install SSL cert on Private Interface, then export from the private interface and import it in Public Interface when you upgrade to 4.7. Don't forget to install Root Verisign CA before installing SSL cert. To install CA you will have to export it from IE by going to Trusted Root Certification Authorities, look for Friendly Name : VeriSign/RSA Secure Server CA, expiration Date should be 1/7/2010, then hit Export and follow the wizard to complete the process.

Good luck

pcsupport · ‎09-14-2005

I downgraded from 4.7.1 to 4.0.5.B and still get the same error...has anyone any idea how you get an SSL cert from Verisign on the concentrator (3005) ..?????

thomascollins · ‎09-15-2005

Still having problems installing my cert, even after the downgrade to 4.1.7.A.

Looking in IE, I found a Verisign Trust Network root CA that I installed. From the Verisign website I also installed Secure Site Pro Intermediate from http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html

Still can't install any certs (incomplete chain). A verisign test cert (with the verisign test CA) works. So it makes me think I am still missing the right CA. Can anyone post the CA, or send me the verisign URL for it? Do you just need the root? or root + intermidate?

Thanks!

pcsupport · ‎09-23-2005

Thomas...you must make sure that the subject name of the CA Cert matches the Issuer of the SSL Cert that you got from verisign...

So, have a look at your SSL cert and get the Issuer name then go to to I.E (or whatever browser your using) and export the corresponding subject name cert...then install this CA on the concentrator...then go to install SSL and cut and paste your key that verisign sent you...

Good Luck

Problem installing Verisign SSL cert on VPN 3005 Concentrator?