07-21-2008 11:10 AM
Short version: I can generate an Identity Cert request for my ASA 5510, but when I try to submit it to an issuing authority, I get errors and cannot seem to get a working identity cert.
Longer version:
The device in question is an ASA 5510, primarily pulling duty now as a VPN server until we can phase it in as a firewall. The ASA version is 8.0(3) and the ASDM version is 6.1(1).
Well, I did some digging around here and found this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
and followed the steps exactly through step 2. I took the resulting certificate request file and sent it to our web master who tried both at Verisign and at GoDaddy to generate an identity cert, but every time the CA tells us that there is an error with the organization name.
Can anyone here help walk me through the steps to get a cert on this ASA? Thanks!
07-22-2008 08:22 AM
Hello Chad,
Can you please try to follow the link given below and let me know if this works out.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
If you still get the error, can you please give me the output of the following.
a. What is the hostname on the ASA
b. output of "sh domain-name"
c. sh cry ca trustpoint.
Thanks
Gilbert
07-23-2008 09:55 AM
Ok, read the link and tried it. Got to step #2, but cannot complete step 3 because the issuing authority does not like the request. I suspect this line from the article tells the tale:
"Note: Some 3rd party vendors require particular attributes to be included before an identity certificate is issued. If you are unsure of the required attributes, check with your vendor for details."
Would it be easier to get the cert from Cisco or some other provider? We use GoDaddy and Verisign, but I can use just about anyone, as long as it works!
Ok, to answer your questions.
a. charon.alachuacounty.us
b. charon# sh domain-name
^
ERROR: % Invalid input detected at '^' marker. (^ is pointing to domain-name)
c. charon# sh cry ca trustpoint
Trustpoint ASDM_TrustPoint0:
Not authenticated.
Hope this helps!
Thanks for your assistance on this matter. I am relatively new to the Cisco world and have much yet to learn.
07-23-2008 10:01 AM
Oops, did a sh run and found:
"domain-name alachua.fl.us"
Is this perhaps the problem?
07-23-2008 11:18 AM
So, what is the name that the users will be accessing the ASA by?
eg: ciscovpn.cisco.com
In this case, the ASA hostname would be ciscovpn. If it would be different then you would need to put in the right subject-name on the trustpoint.
Can you please send me the output for
---> sh run crypto ca trustpoint
Question: Are you installing the Root Certificate before installing the Identity certificate on the ASA?
07-24-2008 10:26 AM
"Question: Are you installing the Root Certificate before installing the Identity certificate on the ASA?"
In a previous attempt at getting a cert from Verisign, I had installed their Root Certificate, but, at this time, I do not have a root certificate installed. I just downloaded the 'Valicert Root Certificate' from GoDaddy. I assume I need to install this, correct?
Do I need to change domain-name to the domain the end-user sees (alachuacounty.us)?
Thanks again for your continued help!
07-24-2008 10:42 AM
Yes, you need to have the right domain-name the users will be accessing it as, and like I said in my previous example, you need to have the right hostname as well.
Once you get the Identity certificate from the vendor, you can double-click on that certificate and under the certification path, you should see the Root CA which issued your Identity certificate.
You need to install that root certificate.
Let me know if this helps.
Thanks
Gilbert
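The two points Gilbert makes above (the subject name configured on the trustpoint is what goes into the certificate request, and the issuing CA's root certificate has to be installed before the identity certificate) put together as one ASA CLI sequence. This is an added example, not configuration from the thread or from Cisco's article; the hostname, internal domain, trustpoint name, key-pair label and the subject DN are placeholders, and the commands are the CLI equivalent of what the ASDM identity-certificate wizard generates.

```cisco
! Added example, not from the thread. All names below are placeholders.
! The internal domain-name is left alone; the certificate subject is set on the trustpoint.
hostname asa-vpn
domain-name corp.internal
!
! Dedicated RSA key pair for this certificate
crypto key generate rsa label VPN_CERT_KEY modulus 2048
!
crypto ca trustpoint PUBLIC_CA
 enrollment terminal
 keypair VPN_CERT_KEY
 ! Subject DN exactly as the public CA expects it. O= must match the organization
 ! the CA has on record; a mismatch here is what produces "organization name" errors.
 subject-name CN=vpn.example.com,O=Example County,C=US
 ! Public name the users will connect to; sent in the request as a SAN
 fqdn vpn.example.com
!
! 1. Install the CA root first (taken from the certification path of the issued cert).
!    Paste the base-64 root certificate when prompted.
crypto ca authenticate PUBLIC_CA
!
! 2. Generate the CSR; copy the PEM block the ASA prints to the CA's submission form.
crypto ca enroll PUBLIC_CA
!
! 3. Once the CA issues the identity certificate, paste it in.
crypto ca import PUBLIC_CA certificate
!
! Use the certificate on the interface that terminates the VPN sessions
ssl trust-point PUBLIC_CA outside
```

After step 3, `show crypto ca certificates` should list both the CA certificate and the identity certificate under the trustpoint, and `show crypto ca trustpoints` (the full form of the abbreviated `sh cry ca trustpoint` used earlier in the thread) should no longer report "Not authenticated." Because the subject DN and SAN come from the trustpoint rather than from `hostname` plus `domain-name`, the internal domain used for name resolution on the inside network does not have to change to match the public name.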
07-25-2008 06:18 AM
Gilbert, thanks again for your continued assistance. I tried what you have suggested and have realized that the problem is a design issue. Our inside domain name and outside domain names are different. If I set the domain name in the ASA to match the outside name, people cannot browse the internal network by name. If I set the domain name to our inside domain name, then the cert request fails.
I guess my next step is to address our naming/design issue and revisit this later.
Thanks!
07-25-2008 06:58 AM
Chad,
Thanks a lot for letting me know.
Rate this post, if it helped you.
Thanks
Gilbert