Problem with certificate import on vASA

debbiebeitler (Level 1)

Attempted to install a certificate in ASDM for a vASA.

Did this the other day on another vASA with no problem.

The trustpoint gets created, but the message "PKCS #12 import failed" appears. If I watch the logs when doing the import, I get a ton of messages of the form "running 'N/A' from IP x.x.x.x, executed '...'" (followed by a line of text that looks like the ASCII text from a certificate file),

and then "executed the '...' command" with the same text.

Running 9.16.

The CSR and the certificate PFX bundle were created using openssl. The certificate came from InCommon.

"openssl pkcs12 -inkey cert.key -in cert.cer -certfile CAcerts.crt -export -out cert.pfx"

This is the same process used back in May on another vASA, so I am wondering if I have an issue with the current one, or I'm forgetting a step somewhere along the way.

1 Accepted Solution

debbiebeitler (Level 1)

In case anyone is curious. The problem was: 1. The ASA was configured for FIPS. 2. The commands I used to create the PFX bundle were not FIPS compliant.

https://davidscode.com/blog/2022/02/15/generating-fips-compliant-pkcs12-files-with-openssl/

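The following script is an added example, not part of the original thread, the linked blog post, or any Cisco tooling. It reproduces the accepted solution at the OpenSSL level: the same throwaway key and self-signed certificate (constructed here, standing in for the poster's cert.key / cert.cer; no InCommon chain is needed to show the difference) are packed into two PFX bundles. The first pins the legacy PKCS#12 PBE algorithms (pbeWithSHA1And3-KeyTripleDES-CBC with a SHA-1 MAC, the family OpenSSL 1.1.x used by default and which rely on the PKCS#12 KDF, which is not a FIPS-approved algorithm); the second uses PBES2/PBKDF2 with AES-256-CBC and a SHA-256 MAC, the form a FIPS-enabled ASA accepts. `openssl pkcs12 -info -noout` is then used to read back which algorithms a bundle actually contains, which is the check to run before uploading to a FIPS-mode device. File names, the passphrase and the subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a legacy-PBE PKCS#12 and a
# FIPS-compatible PKCS#12 from the same key/cert and inspect both.
set -eu

# Constructed test material: throwaway RSA key + self-signed cert that stand in
# for cert.key / cert.cer in the original post.
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=asa.example.test" \
        -keyout "$dir/cert.key" -out "$dir/cert.cer" >/dev/null 2>&1
}

# Legacy bundle. The PBE algorithms are pinned explicitly so the result is the
# same on OpenSSL 1.1.x and 3.x (3.x switched the -export defaults to
# AES-256-CBC / SHA-256; 1.1.x used RC2-40 / 3DES with a SHA-1 MAC). These use
# the PKCS#12 KDF, which a FIPS-mode ASA rejects.
build_pkcs12_legacy() {
    dir="$1"; pass="$2"
    openssl pkcs12 -export -inkey "$dir/cert.key" -in "$dir/cert.cer" \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pass" -out "$dir/cert-legacy.pfx"
}

# FIPS-compatible bundle: naming a cipher (AES-256-CBC) for -certpbe/-keypbe
# selects PBES2 with PBKDF2 for both the certificate and key SafeBags, and
# -macalg sha256 replaces the SHA-1 integrity MAC.
build_pkcs12_fips() {
    dir="$1"; pass="$2"
    openssl pkcs12 -export -inkey "$dir/cert.key" -in "$dir/cert.cer" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -passout "pass:$pass" -out "$dir/cert-fips.pfx"
}

# Dump the PBE and MAC algorithms of a bundle without printing the key or
# certs. Some OpenSSL versions write -info output to stderr, so both streams
# are captured.
pkcs12_info() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1
}

# Echo 1 if the bundle uses only PBES2/PBKDF2 with AES-256-CBC and a non-SHA-1
# MAC (what the FIPS-mode ASA in the thread needs), otherwise 0.
pkcs12_is_fips_ok() {
    info=$(pkcs12_info "$1" "$2")
    if echo "$info" | grep -E -qi 'TripleDES|RC2|MAC: *sha1'; then
        echo 0
    elif echo "$info" | grep -q 'PBKDF2' && echo "$info" | grep -qi 'AES-256-CBC'; then
        echo 1
    else
        echo 0
    fi
}

main() {
    work=$(mktemp -d)
    make_test_material "$work"
    build_pkcs12_legacy "$work" "123456"
    build_pkcs12_fips "$work" "123456"
    for f in cert-legacy.pfx cert-fips.pfx; do
        echo "== $f (fips_ok=$(pkcs12_is_fips_ok "$work/$f" 123456))"
        pkcs12_info "$work/$f" 123456 | grep -E -i 'Encrypted data|Keybag|MAC:' || true
    done
    rm -rf "$work"
}
main
```

`pkcs12_is_fips_ok` is a deliberately strict check: it only reports 1 when every encrypted part of the bundle is PBES2/PBKDF2 with AES-256-CBC and the MAC is not SHA-1, which matches what the poster needed rather than the full set of algorithms any FIPS validation might allow. Separately from the bundle format, note that the syslog lines quoted later in the thread (message IDs 111008 and 111010) record the complete `crypto ca import ... pkcs12 <passphrase>` command, so the PKCS#12 passphrase ends up in the ASA log and in any syslog collector it forwards to.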

4 Replies

debbiebeitler (Level 1)

More specifically:

ASA version: 9.16(2)14
ASDM version: 7.16(1)150

5 111008 User 'user' executed the 'crypto ca import TrustPoint1 pkcs12 123456 nointeractive' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'crypto ca import TrustPoint1 pkcs12 ndc123 nointeractive'
5 111008 User 'user' executed the 'MIIiuQIBAzCCIn8GCSqGSIb3DQEHAaCCInAEgiJsMIIiaDCCGJ8GCSqGSIb3DQEH' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'MIIiuQIBAzCCIn8GCSqGSIb3DQEHAaCCInAEgiJsMIIiaDCCGJ8GCSqGSIb3DQEH'

....many more of the same (a multitude of similar lines)

5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'ToOan+6SwzUw2zAxMCEwCQYFKw4DAhoFAAQUITUg2jk4VVIPeSz1/lfgqVzi2EQE'
5 111008 User 'user' executed the 'CNNTsRIZC3fTAgIIAA==' command.
6 717006 PKCS #12 import failed for trustpoint TrustPoint1.
5 111008 User 'user' executed the 'crypto ca trustpoint TrustPoint1' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'crypto ca trustpoint TrustPoint1'
5 111008 User 'user' executed the 'revocation-check none' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'revocation-check none'
5 111008 User 'user' executed the 'id-usage ssl-ipsec' command.
5 111010 User 'user', running 'N/A' from IP 10.1.1.1, executed 'id-usage ssl-ipsec'

Hello,

Thank you for all the information provided.

Q: did you see an error message similar to the one below on your ASAv?

INFO: Certificate has the following attributes:
Fingerprint: 734c86d6 00e66cb2 faf598d6 17ec9db6
Do you accept this certificate? [yes/no]: yes
WARNING: CA certificates can be used to validate VPN connections,
by default. Please adjust the validation-usage of this
trustpoint to limit the validation scope, if necessary.
% Error in saving certificate: status = FAIL
NEU-ARK-ASAPVN01(config)#

debbiebeitler (Level 1)

I took the same PFX file and it installed perfectly on another ASAv.

Works on ASA 9.16(3), ASDM 7.16(1)150.

Does not work on the system I need it to: ASA 9.16(2)14, ASDM 7.16(1)150.

Tried the CLI, but ran into too many different articles on the exact base64 conversion method.

Could someone let me know if I should submit this in a different area?
