SSL certificates on VPN concentrators 3005

giuseppe.carta · ‎03-02-2016

Hi all,

I have a problem on import/export SSL certificates from a VPN Concentrator 3060 to a smaller VPN Concentrator 3005. After exporting on 3060 the SSL certificate for each interface, and move the CERTEXP.TXT file on the new device (the 3005), I receive a "Parse Error" and cannot import it. Where do I go wrong? The sequence is:

2 (Administration) --> 9 (Certificate Management) --> 5 (SSL Certificates) --> 1 (Private SSL Certificate) --> 4 (Export SSL Certificate)

This to generate the CERTEXP.TXT file, that is moved on the new concentrator. On the new device the sequence is:

2 (Administration) --> 9 (Certificate Management) --> 5 (SSL Certificates) --> 1 (Private SSL Certificate) --> 7 (Import SSL Certificate)

and I receive the Parse Error.

Do someone have the same situation or know a possibile solution?

Thanks in advance for every reply

Aditya Ganjoo · ‎03-02-2016

Hi,

Please let me know...
- Which format did you use for the certificate DER or BASE64 ?
- What is the image version you are running on the concentrator?
- If this is self signed certificate or any other vendors certificate that you are using for SSL ? If the certificate is from other vendor then we need to install the CA certificate first and then the SSL certificate.

Regarding the SSL certificate if it is from any CA (not the cisco self generated) then it requires two certificates to be installed on the Concentrator .
1) Root Certificate
2) SSL Certificate

First we need to install the root CA :
1) Go to Administration | Certificate Management
2) Click on Click here to install a CA certificate
3) On -- Administration | Certificate Management | Install | CA Certificate --page , click on Cut & Paste Text
4) ON -- Administration | Certificate Management | Install | CA Certificate | Cut & Paste Text >> Paste the Root Certificate received from vendor and click install
5) Go back to --- Administration | Certificate Management , You should see the Root CA installed under "Certificate Authorities "

Now need to get SSL Certificate !
1) On -- Administration | Certificate Management, Under "SSL Certificates " On the Public Interface under "ACTIONS", Click on Enroll
2) On -- Administration | Certificate Management | Enroll | SSL Certificate, Click on Enroll via PKCS10 Request (Manual)
3) Fill the required information and Keep the KEY SIZE to 512 bits, Click Enroll
4) You will get the certificate request generated in another window.
5) Copy the complete certificate including "-----BEGIN till REQUEST-----"
6) Go to the vendors site and paste the complete ssl certificate there and get the SSL certificate from that vendor.
7) GO back to "Administration | Certificate Management"
8) Under "Enrollment Status " you would see one entry which would say " SSL " under "USE" .
9) Once you get the SSL certificate from vendor , then click on the Install link under "Enrollment Status ".
10) Click on Cut and Paste and in "Administration | Certificate Management | Install | SSL Certificate | Cut & Paste Text" , paste the certificate received from vendor.
11) Select the right Interface (Public) then click Install.

Note : The Error installing SSL certificate parse error displays if the VPN concentrator does not have a root Certificate Authority (CA) certificate installed.

Regards,

Aditya

Please rate helpful posts.