Problems with installing cert on ASA 5510

chad-young
Level 1

Short version: I can generate an Identity Cert request for my ASA 5510, but when I try to submit it to an issuing authority, I get errors and cannot seem to get a working identity cert.

Longer version:

The device in question is an ASA 5510, primarily pulling duty now as a VPN server until we can phase it in as a firewall. The ASA version is 8.0(3) and the ASDM version is 6.1(1).

Well, I did some digging around here and found this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

and followed the steps exactly through step 2. I took the resulting certificate request file and sent it to our web master who tried both at Verisign and at GoDaddy to generate an identity cert, but every time the CA tells us that there is an error with the organization name.

Can anyone here help walk me through the steps to get a cert on this ASA? Thanks!

8 Replies

ggilbert
Cisco Employee

Hello Chad,

Can you please try to follow the link given below and let me know if this works out.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml

If you still get the error, can you please give me the output of the following:

a. What is the hostname on the ASA

b. output of "sh domain-name"

c. sh cry ca trustpoint.

Thanks

Gilbert

Ok, read the link and tried it. Got to step #2, but cannot complete step 3 because the issuing authority does not like the request. I suspect this line from the article tells the tale:

"Note: Some 3rd party vendors require particular attributes to be included before an identity certificate is issued. If you are unsure of the required attributes, check with your vendor for details."

Would it be easier to get the cert from Cisco or some other provider? We use GoDaddy and Verisign, but I can use just about anyone, as long as it works!

Ok, to answer your questions.

a. charon.alachuacounty.us

b. charon# sh domain-name

^

ERROR: % Invalid input detected at '^' marker. (^ is pointing to domain-name)

c. charon# sh cry ca trustpoint

Trustpoint ASDM_TrustPoint0:

Not authenticated.

Hope this helps!

Thanks for your assistance on this matter. I am relatively new to the Cisco world and have much yet to learn.

Oops, did a sh run and found:

"domain-name alachua.fl.us"

Is this perhaps the problem?

So, what is the name that the users will be accessing the ASA as?

eg: ciscovpn.cisco.com

In this case, the ASA hostname would be ciscovpn. If it would be different then you would need to put in the right subject-name on the trustpoint.

Can you please send me the output for

---> sh run crypto ca trustpoint

Question: Are you installing the Root Certificate before installing the Identity certificate on the ASA?

"Question: Are you installing the Root Certificate before installing the Identity certificate on the ASA?"

In a previous attempt at getting a cert from Verisign, I had installed their Root Certificate, but, at this time, I do not have a root certificate installed. I just downloaded the 'Valicert Root Certificate' from GoDaddy. I assume I need to install this, correct?

Do I need to change domain-name to the domain the end-user sees (alachuacounty.us)?

Thanks again for your continued help!

Yes, you need to have the right domain-name the users will be accessing it as, and, like I said in my previous example, you need to have the right hostname as well.

Once you get the Identity certificate from the vendor, you can double-click on that certificate and under the certification path, you should see the Root CA which issued your Identity certificate.

You need to install that root certificate.

Let me know if this helps.

Thanks

Gilbert

Gilbert, thanks again for your continued assistance. I tried what you have suggested and have realized that the problem is a design issue. Our inside domain name and outside domain names are different. If I set the domain name in the ASA to match the outside name, people cannot browse the internal network by name. If I set the domain name to our inside domain name, then the cert request fails.

I guess my next step is to address our naming/design issue and revisit this later.

Thanks!

Chad,

Thanks a lot for letting me know.

Rate this post, if it helped you.

Thanks

Gilbert
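The thread's conclusion is that the CA rejected the request because the subject the ASA put in the CSR (built from its hostname and domain-name, or from the trustpoint's subject-name) did not carry the name users actually connect to. The script below is an added example, not part of this thread and not Cisco's code: it shows how to decode a CSR's subject with the openssl CLI and check the CN against the public FQDN before the request is sent to a vendor, the step that would have caught the mismatch early. It assumes the openssl command is installed; the names vpn.example.com, vpn.corp.example and "Example County" are constructed placeholders, and the keys it generates are throwaway.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a CSR's subject before
# submitting it to a public CA. Assumes the openssl CLI is installed.
# All names below are constructed placeholders.

# make_csr OUTFILE FQDN ORG
# Generate a throwaway RSA key and a CSR whose subject mirrors what an ASA
# puts in its request: CN = the FQDN, plus an organization name.
make_csr() {
    out="$1"; fqdn="$2"; org="$3"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "${out%.csr}.key" -out "$out" \
        -subj "/C=US/O=$org/CN=$fqdn" >/dev/null 2>&1
}

# csr_subject_field CSRFILE FIELD
# Print one subject attribute (CN, O, C, ...) of a CSR. RFC2253 output is a
# comma-separated list, so split it and keep the requested attribute.
csr_subject_field() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | tr ',' '\n' \
        | sed -n -e 's/^subject=[[:space:]]*//' -e "s/^$2=//p"
}

# check_csr_cn CSRFILE EXPECTED_FQDN
# Succeed only if the CN is exactly the name users will connect to.
check_csr_cn() {
    [ "$(csr_subject_field "$1" CN)" = "$2" ]
}

# Demo: one CSR built from the public name, one from the inside
# hostname.domain-name, checked against the name users type.
demo() {
    dir=$(mktemp -d)
    public="vpn.example.com"       # name users type (constructed)
    internal="vpn.corp.example"    # inside hostname.domain-name (constructed)
    make_csr "$dir/public.csr" "$public" "Example County"
    make_csr "$dir/internal.csr" "$internal" "Example County"
    for f in "$dir/public.csr" "$dir/internal.csr"; do
        cn=$(csr_subject_field "$f" CN)
        if check_csr_cn "$f" "$public"; then
            echo "$(basename "$f"): CN=$cn matches $public, safe to submit"
        else
            echo "$(basename "$f"): CN=$cn does not match $public;" \
                 "set subject-name on the trustpoint and re-enroll"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run it as-is to see both outcomes; to check a real request, paste the CSR the ASA printed into a file and call check_csr_cn on it with the public name. Keeping the inside domain-name and fixing the subject-name on the trustpoint avoids the internal name-resolution breakage the original poster hit.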
