07-15-2022 08:05 AM
Attempted to install a certificate in ASDM for a vASA.
Did this the other day on another vASA with no problem
The trustpoint gets created, but the message "PKCS #12 import failed" appears. If I watch the logs when doing the import, I get a ton of messages of the form "running 'N/A' from IP x.x.x.x, executed '(a line of text that looks like the ASCII text from a certificate file)'",
followed by "executed the '(same text)' command".
Running 9.16.
The CSR and the certificate PFX bundle were created using openssl. The certificate came from InCommon.
"openssl pkcs12 -inkey cert.key -in cert.cer -certfile CAcerts.crt -export -out cert.pfx"
This is the same process used back in May on another vASA, so I am wondering if I have an issue with the current one, or if I'm forgetting a step somewhere along the way.
08-01-2022 03:38 PM
In case anyone is curious, the problem was: 1. The ASA was configured for FIPS. 2. The commands I used to create the PFX bundle were not FIPS compliant.
https://davidscode.com/blog/2022/02/15/generating-fips-compliant-pkcs12-files-with-openssl/
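As an added example (not code from the thread or from the linked post), the script below builds the PKCS#12 bundle the way the question's openssl command does, but with the certificate bag, key bag and MAC pinned to AES-256-CBC and SHA-256, then inspects what the file actually uses. The file names, the self-signed stand-in certificates and the passphrase are constructed, and the assumption is that it is the RC2-40 / 3DES / SHA-1 defaults of older OpenSSL releases that FIPS mode refuses.

```sh
#!/bin/sh
# Added example, not code from the thread: build a PKCS#12 bundle with only
# FIPS-approved algorithms and check what the file actually contains.
set -e

WORK=$(mktemp -d)
PASS='constructed-example-passphrase'   # constructed; never hard-code a real one

# Constructed self-signed "CA" and "server" certs stand in for the InCommon chain.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=Example CA' \
  -keyout "$WORK/ca.key" -out "$WORK/CAcerts.crt" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=vasa.example.test' \
  -keyout "$WORK/cert.key" -out "$WORK/cert.cer" >/dev/null 2>&1

# build_fips_pfx KEY CERT CHAIN OUT
# Same shape as the command in the question, but the certificate bag, key bag
# and MAC are pinned to AES-256-CBC (PBKDF2) and SHA-256. OpenSSL 1.1.x
# otherwise defaults to RC2-40 / 3DES / SHA-1 (OpenSSL 3 only does so with -legacy).
build_fips_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
    -passout "pass:$PASS"
}

# build_legacy_pfx KEY CERT CHAIN OUT: the old-style SHA-1/3DES bundle, for comparison.
build_legacy_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
    -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$PASS"
}

# pfx_algorithms PFX: dump the PBE and MAC algorithms (openssl prints them on stderr)
pfx_algorithms() {
  openssl pkcs12 -info -noout -in "$1" -passin "pass:$PASS" 2>&1
}

# pfx_is_fips PFX: succeed only when no SHA-1, RC2 or 3DES algorithm shows up
pfx_is_fips() {
  ! pfx_algorithms "$1" | grep -Eiq 'sha1|rc2|tripledes'
}

build_fips_pfx "$WORK/cert.key" "$WORK/cert.cer" "$WORK/CAcerts.crt" "$WORK/cert.pfx"
pfx_algorithms "$WORK/cert.pfx"
```

Run `pfx_algorithms` against a bundle before importing it; if any line names SHA1, RC2 or TripleDES, rebuild it with the pinned options rather than retrying the import.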
07-18-2022 01:53 PM - edited 07-18-2022 01:55 PM
More specifically:
Asa version: 9.16(2)14
Asdm version: 7.16(1)150
5 111008 User 'user' executed the 'crypto ca import TrustPoint1 pkcs12 123456 nointeractive' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'crypto ca import TrustPoint1 pkcs12 ndc123 nointeractive'
5 111008 User 'user' executed the 'MIIiuQIBAzCCIn8GCSqGSIb3DQEHAaCCInAEgiJsMIIiaDCCGJ8GCSqGSIb3DQEH' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'MIIiuQIBAzCCIn8GCSqGSIb3DQEHAaCCInAEgiJsMIIiaDCCGJ8GCSqGSIb3DQEH'
... many more of the same (a multitude of similar lines)
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'ToOan+6SwzUw2zAxMCEwCQYFKw4DAhoFAAQUITUg2jk4VVIPeSz1/lfgqVzi2EQE'
5 111008 User 'user' executed the 'CNNTsRIZC3fTAgIIAA==' command.
6 717006 PKCS #12 import failed for trustpoint TrustPoint1.
5 111008 User 'user' executed the 'crypto ca trustpoint TrustPoint1' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'crypto ca trustpoint TrustPoint1'
5 111008 User 'user' executed the 'revocation-check none' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'revocation-check none'
5 111008 User 'user' executed the 'id-usage ssl-ipsec' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'id-usage ssl-ipsec'
09-12-2022 06:16 AM
Hello,
thank you for all the information provided.
Q: did you see an error message similar to the one below on your ASAv?
INFO: Certificate has the following attributes:
Fingerprint: 734c86d6 00e66cb2 faf598d6 17ec9db6
Do you accept this certificate? [yes/no]: yes
WARNING: CA certificates can be used to validate VPN connections,
by default. Please adjust the validation-usage of this
trustpoint to limit the validation scope, if necessary.
% Error in saving certificate: status = FAIL
NEU-ARK-ASAPVN01(config)#
07-19-2022 01:58 PM - edited 07-19-2022 02:02 PM
I took the same PFX file and it installed perfectly on another ASAv.
Works on ASA 9.16(3) Asdm 7.16(1)150
Does not work on the system I need it to: ASA 9.16(2)14 ASDM 7.16(1)150
Tried the CLI, but ran into too many different articles on the exact base64 conversion method.
Could someone let me know if I should submit this in a different area?