1132 Views, 0 Helpful, 4 Replies

RV340 SSL Certificate Import Failure

dst_u (Level 1)

Hello,

 

I created a Comodo SSL certificate CSR for my site (residing behind my RV340) using my server and received the crt and ca-bundle files from the CA.

 

When trying to import the crt that I received into the RV340, it keeps failing, whether I choose "CA Certificate" or "Local Certificate" as Type in the following screen:

 

[image: import cert.JPG]

Then, if I try to import the ca-bundle, it accepts it, but I can't use it in the VPN, as it returns an error in the AnyConnect.

 

Lastly, I joined the CRT and the CA-bundle into a single pem file and tried to import it, but that also failed.

 

What am I doing wrong here?

 

Thanks

Accepted Solution

nagrajk1969 (Spotlight)

Hi

 

The below is the info you should note and the suggested steps you should apply to make it all work as per your requirements.

 

>>> I created a Comodo SSL certificate CSR for my site (residing behind my RV340) using my server and received the crt and ca-bundle files from the CA.

Here you should note this for now and future reference (with respect to certificates in general):

1. When you create a CSR for getting it signed by the CA for use as a server SSL certificate, an RSA private-key file (say for example named server-key.pem or server-key.crt) will also be created in the same box/server where you have created the CSR.

2. So now after you got the CSR signed by the Comodo CA (which is named Sectigo now, I guess), you have received a signed crt file (let's call it for example "server-cert.crt"), and also the "CA-Bundle".

 

>>> When trying to import the crt that I received into the RV340, it keeps failing, whether I choose "CA Certificate" or "Local Certificate" as Type in the following screen:

3. You can't just import a crt (the server-cert.crt); it's of no use without its private key also being imported at the same time.

Note:

- You may say that I can do the import into a Windows host, and I will say Windows is stupid if it allowed ONLY the crt file without its private key... but then it's left to you to explore some more on How/What/Why and Usage of x509 Digital Certificates.

- So for now and for some time at least please give me the benefit of the doubt and accept my statements as factually correct, and continue applying my suggestions.

- So I say it again, importing just the CA-signed server-cert.crt file into a host/router/gateway is NOT OF ANY USE WITHOUT ALSO IMPORTING ITS CORRESPONDING PRIVATE-KEY. You cannot make use of a signed certificate for any purpose without having its private key.

 

4. So in RV340,

a) it allows ONLY a CA-Certificate (or a CA-Bundle) to be imported as a single/standalone Pem-file.

b) for importing any signed digital certificate, it needs to also be accompanied with its corresponding private-key. This is as per standards. You will need to import it using PKCS#12 files also called p12 files

c) PKCS#12 files are used to group together the signed server-cert.crt PLUS server-key.crt AND PLUS-OPTIONALLY A CA-CERT

Note: I mentioned that in a pkcs12 file the CA-cert is optional... it need not be included in every p12 file. Also the CA-cert in a p12 file is usually always a single CA-cert file, not a CA-bundle. The ca-bundle is always provided separately.

 

5. So how to import your server-cert.crt into RV340?

- I suggest that you do the below steps on a Linux host which has openssl commands available.

Step-1: From the server behind the RV340, where you had created the CSR, copy/export the "server-key.crt or server-key.pem" file and save it into a folder on the Linux host.

Step-2: Also copy the signed server-cert.crt file to the same folder on the Linux host.

 

Step-3: Now apply the below command in the same folder on linux host (where the cert-files are saved) to create a p12/pkcs12 file

  

openssl pkcs12 -export -descert -password pass:user1234 -nodes -inkey server-key.crt -in server-cert.crt -out servercert.p12

 

Step-4: Now copy this p12 file "servercert.p12" to the host where you will access the RV340-GUI

 

Step-5: On RV340 in the certs page, select import of pkcs12 file... give a name (such as "servercert"), select the servercert.p12 file from the PC, and provide the password user1234 you had set on the p12 file while exporting.

 

So the import of the server-cert plus its private key file into RV340 should work.

 

6. Now comes the next step of importing the CA-Bundle....in to RV340

Note: DO NOT combine both the server-cert and the ca-bundle into one file and try to import....

Step-1: Import the CA-Bundle.crt you received from Comodo as a CA file from PC... it should work.

 

7. Here I am not sure if the import of the CA-Bundle.crt into RV340 will work... there are multiple reasons, which I can tell you about only by looking at the CA-bundle file.

Since the CA-Bundle is publicly available and publicly published for download by ALL CAs including Comodo, I would like to request you to please attach ONLY THE CA-BUNDLE you have received from Comodo...

 

NOTE: DO NOT AND NEVER ATTACH YOUR SIGNED SERVER-CERT.CRT AND THE PRIVATE KEY FILE.... BOTH SHOULD BE PROTECTED BY YOU.... ALTHOUGH YOU MAY STILL SEND YOUR SERVER-CERT.CRT ONLY TO ANYONE WITHOUT ANY SECURITY CONCERNS.

 

8. But first try importing the CA-bundle.crt and run a check with the AnyConnect VPN connection... if it works, then you don't need to attach/send your CA-bundle file... it's working.

a) But if your import of ca-bundle fails, send me the file... I will be able to tell you exactly why it's failing.

b) But if your import of ca-bundle works and still you are not able to establish the AnyConnect SSL tunnels/connections, then again please send/attach the CA-bundle file... I will be able to tell you what's happening by looking at it...

 

best regards

 

 

 

 

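The procedure in the accepted answer above (copy the private key and the signed certificate to a Linux host, bundle them with openssl pkcs12, then import the CA bundle separately) as an added example; this is not code from the original post, from Cisco, or from the RV340 documentation. It wraps the answer's Step-3 command in functions and adds the checks a practitioner wants before uploading anything to the router: that the private key really belongs to the certificate, that the resulting .p12 opens with the export password, and that every block in the CA bundle parses as an X.509 certificate. The file names, the password "user1234", and the self-signed stand-in certificates are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the forum post): the accepted answer's Step-3
# (openssl pkcs12 -export) wrapped in functions, plus the checks worth
# running before uploading anything to the router:
#   - the private key really belongs to the certificate
#   - the resulting .p12 opens with the export password
#   - every block in the CA bundle parses as an X.509 certificate
# File names, the password "user1234" and the self-signed stand-in
# certificates are assumptions made for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed material: a self-signed "server" cert stands in for the
# CA-signed one, an unrelated key shows the mismatch case, and two
# self-signed CA certs concatenated stand in for the CA bundle.
make_sample_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=vpn.example.test" \
    -keyout "$WORK/server-key.pem" -out "$WORK/server-cert.crt" 2>/dev/null
  openssl genrsa -out "$WORK/wrong-key.pem" 2048 2>/dev/null
  for n in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=Example CA $n" -keyout /dev/null \
      -out "$WORK/ca$n.crt" 2>/dev/null
  done
  cat "$WORK/ca1.crt" "$WORK/ca2.crt" > "$WORK/ca-bundle.crt"
}

# Returns 0 when the key file and the certificate carry the same public
# key (compared as SHA-256 over the DER-encoded SubjectPublicKeyInfo).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}')
  if [ -n "$k" ] && [ "$k" = "$c" ]; then return 0; fi
  return 1
}

# Builds the PKCS#12 file as in the answer (-descert mirrors the original
# command) but refuses when the key does not match the certificate.
build_p12() {
  key="$1"; cert="$2"; out="$3"; pass="$4"
  key_matches_cert "$key" "$cert" || return 1
  openssl pkcs12 -export -descert -inkey "$key" -in "$cert" \
    -password "pass:$pass" -out "$out" 2>/dev/null
}

# Returns 0 when the .p12 opens with the password the router will be given.
verify_p12() {
  if openssl pkcs12 -in "$1" -password "pass:$2" -noout 2>/dev/null; then
    return 0
  fi
  return 1
}

# Number of PEM certificate blocks in a bundle file.
count_bundle_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Splits a bundle into one file per certificate (stripping CR characters
# from Windows line endings) and checks that each block parses. The exit
# status is the number of blocks that failed, so 0 means the bundle is clean.
check_bundle() {
  dir="$WORK/bundle-split"; rm -rf "$dir"; mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
    inside { sub(/\r$/, ""); print > (dir "/" n ".pem") }
    /-----END CERTIFICATE-----/ { inside = 0; close(dir "/" n ".pem") }
  ' "$1"
  bad=0
  for f in "$dir"/*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer 2>/dev/null || bad=$((bad + 1))
  done
  return "$bad"
}

# Stand-alone run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  make_sample_material
  build_p12 "$WORK/server-key.pem" "$WORK/server-cert.crt" \
    "$WORK/servercert.p12" user1234 && echo "servercert.p12 built"
  verify_p12 "$WORK/servercert.p12" user1234 && echo "servercert.p12 opens"
  echo "ca-bundle.crt holds $(count_bundle_certs "$WORK/ca-bundle.crt") certificates"
  check_bundle "$WORK/ca-bundle.crt" && echo "all bundle certificates parse"
fi
```

With real material, point key_matches_cert and build_p12 at the server-key and server-cert files copied from the CSR host; a mismatch there is the most common reason a pkcs12 export or a router import fails silently. check_bundle is the offline version of the answer's "send me the CA bundle" diagnosis: if it reports a failing block, the bundle has stray text, broken line endings, or a truncated certificate, and that is what to fix before uploading it.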

4 Replies

nagrajk1969 (Spotlight)

Hi

I am confused: if the certificate is for the server behind the RV340, why are you importing it into the RV340?

 

 

 

 

 

In order to connect with AnyConnect by SSL VPN. Since it's an IP that already has an "official certificate", I might as well use it for that too.


Hi nagrajk

 

Thank you for the detailed explanation and instructions. I managed to import the certificate after combining it with the key using the p12 procedure.

 

One thing that is strange is on the client side on my 2 android devices. The certificate wasn't accepted until I imported it to the app, even though I also imported the ca-bundle (but it's not used in the VPN):

[images: Screenshot_20210528-174054_AnyConnect.jpg, Screenshot_20210528-174104_AnyConnect.jpg]