ASA 5505 CSR problem

Oct 28th, 2008

Hello

I'm trying to generate a CSR on an ASA 5505 (ASDM 6.1(1) ASA v8.0(3)) for our new SSL VPN service. I followed the documentation at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml and submitted the CSR to our 3rd party vendor GlobalSign.

A few days later the request was rejected due to "the inclusion of an unstructuredName element within the subject of the CSR."

When I generate the CSR (either from CLI or ASDM), the resultant CSR contains

unstructuredName=IA5STRING:<my_fqdn>

where my_fqdn is the name I used in the CN field.

I tried generating a CSR for the ASA with openssl and submitted that to GlobalSign, which was successful, but I get the error "Certificate does not contain general purpose public key" when I try to install it.

Any ideas or pointers appreciated.

thanks

andy

andrewswanson Wed, 10/29/2008 - 07:46

Got this working - I was halfway there. When the original CSR (from the ASA) was rejected by GlobalSign, I generated a CSR using openssl:

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

When I received the cert from GlobalSign I combined it with my key:

OpenSSL> pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass: -passout pass:

Then went to the ASA and Configuration->Device Management->Certificate Management->Identity Certificates. Selected Add and 'import identity certificate from file' - used the output file from the last openssl statement with password, and the cert imported OK.
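
The checks around the workaround described in the reply above, as an added example that is not part of the original thread: it inspects a CSR subject for `unstructuredName` before submission and confirms the certificate matches the private key before building the PKCS#12 file for import. The FQDN, subject fields, file names and passphrase are constructed placeholders, and a self-signed certificate stands in for the one the CA would issue.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). FQDN, subject fields, file names and
# passphrase are constructed placeholders; the self-signed cert stands in for
# the certificate the CA would return.
set -eu
FQDN="vpn.example.com"
export P12_PASS="constructed-passphrase"   # read via env: so it stays off argv
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

make_key() { openssl genrsa -out "$WORK/mykey.pem" 2048 2>/dev/null; }
make_csr() { openssl req -new -key "$WORK/mykey.pem" -subj "$1" -out "$2"; }  # $1 = subject DN

# Pre-submission check: returns 2 if the file is not a readable CSR (fail
# closed), 1 if the subject carries unstructuredName, 0 otherwise.
csr_subject_ok() {
  subj="$(openssl req -in "$1" -noout -subject 2>/dev/null)" || return 2
  case "$subj" in *unstructuredName*) return 1 ;; esac
}

# Pre-import check: the issued certificate must carry the public key that
# belongs to the private key going into the bundle.
key_matches_cert() {  # $1 = cert, $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Bundle cert + key for the "import identity certificate from file" step.
make_p12() {  # $1 = cert, $2 = key, $3 = output .p12
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS
}
p12_ok() { openssl pkcs12 -in "$1" -noout -passin env:P12_PASS 2>/dev/null; }

make_key
make_csr "/C=GB/O=Example Org/CN=$FQDN" "$WORK/myreq.pem"
csr_subject_ok "$WORK/myreq.pem" && echo "CSR subject clean"
# Stand-in for the CA: self-sign the CSR so the example runs offline.
openssl x509 -req -in "$WORK/myreq.pem" -signkey "$WORK/mykey.pem" -days 1 \
  -out "$WORK/cert.pem" 2>/dev/null
key_matches_cert "$WORK/cert.pem" "$WORK/mykey.pem" && echo "key matches cert"
make_p12 "$WORK/cert.pem" "$WORK/mykey.pem" "$WORK/bundle.p12"
p12_ok "$WORK/bundle.p12" && echo "PKCS#12 bundle verifies"
```

Running `csr_subject_ok` against a CSR exported from the ASA shows whether it would hit the same rejection before it is sent to the CA.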
