SA520W: difficulty getting self certificate request signed by trusted 3rd party

Answered Question
Feb 16th, 2010

Please forgive me if this is a dumb question or if I am fundamentally confused, but I have pored over the manual, forum, and web.  Very simply I need a trusted third party to sign my CSR and then for the SA520W to accept it as the active self certificate.  In principle this is straightforward but I cannot figure out how to make this work in practice.  Two examples.

1) GoDaddy:  they require a 2048 bit signature and the router only generates 1024.  I can generate my own CSR with OpenSSL but then am unable to upload my 2048 bit key to the router, and thus the signed certificate is not accepted.

2)  Verisign.  They will take the router's 1024 bit signature, but they require lots of fields in the CSR, like country and state, that are not supported by the router's generate CSR function.  Thus Verisign will not accept the CSR.

Is there any way to get the router to accept a CSR signed by GoDaddy?  Or any CA?

Thanks in advance.

Andy

Steven Smith Thu, 02/25/2010 - 07:14
  • Gold, 750 points or more

For the certificate, you can generate it with country and state.  See the attached screen shot.


You can put this information into the subject field and it will populate that data correctly.  Let me know if you have any questions about the syntax there.

afgoldberg1 Thu, 02/25/2010 - 07:57

Thank you *very much*.  I missed that. But is there any way to use 2048 bits?  GoDaddy is much cheaper and apparently 2048, which they require, is the new standard that took effect on Jan 1 (see appendix A table 3 in attached doc).   If not, any chance of a firmware update?

Andy

Correct Answer
Steven Smith Thu, 02/25/2010 - 09:01
  • Gold, 750 points or more

Let me send this recommendation onto the development team.  I can't say when or if this will be implemented, but the feedback is always appreciated.

bencrosby Mon, 05/16/2011 - 15:38

Sorry to dredge up an old thread, but I've been trying to get this to work for the last three weeks also.


The firmware supports a 2048 bit key, so that's not the issue.


I entered all the information that the registrar wanted into the CN field, in the correct format.


The registrar has accepted the CSR and generated the certificate, and returned it to me.


I'm using a Geotrust quickSSL certificate.


Now, the issue is that I can't upload the certificate. If I try and load it, I get the error:


"No trusted certificate found, Can't Upload Self Certificate"


So, I'm guessing it is a chaining issue. I go to http://www.geotrust.com/resources/root-certificates/

I download the Root 1 "Download - Equifax Secure Certificate Authority (Base-64 encoded X.509) Right Click, Save As"

and then I try to add it to the SA520 as a trusted certificate...


"Added Trusted Certificate"


Now I try adding my signed certificate again, and get the error:


"No trusted certificate found, Can't Upload Self Certificate"


So we're still missing something (intermediate certificate(?)), so I try adding the next one in the list:

I download Root 2 "Download - GeoTrust Global CA (Base-64 encoded X.509) Right Click, Save As"

and try to add it to the SA520 as a trusted certificate...


"Cannot Add Trusted Certificate"


So I try the next one...

I download Root 3 "Download - GeoTrust Primary CA (.pem file) Right Click, Save As"


and then I try to add it to the SA520 as a trusted certificate...


"Added Trusted Certificate"


So, once again, I try my signed certificate and get the same error:


"No trusted certificate found, Can't Upload Self Certificate"


So I give up on the Cisco, and go to a Mac which has great keychain management.

I open my signed certificate on the Mac, and see it is issued by "GeoTrust DV SSL CA"


Hang on, that's the "Root 2" certificate above that wouldn't load. I try adding Root 2 again, but I get the same error.

So I contact Geotrust and get them to send me the DV SSL CA file, which I upload successfully.


Now, I have three trusted Certificates from Geotrust loaded.



Trusted Certificates (CA Certificate)

CA Identity (Subject Name) | Issuer Name | Expiry Time
C=US, O=GeoTrust Inc., CN=GeoTrust Global CA | C=US, O=GeoTrust Inc., CN=GeoTrust Global CA | May 21 04:00:00 2022 GMT
C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA | C=US, O=GeoTrust Inc., CN=GeoTrust Global CA | Feb 25 21:32:31 2020 GMT
C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority | C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority | Jul 16 23:59:59 2036 GMT

----


So I try once again to upload my signed certificate, and once again, I get:


"No trusted certificate found, Can't Upload Self Certificate"


So, the question is, WHAT is going on? Has anyone at Cisco managed to load a GeoTrust certificate into this device, and if so, step by step, HOW?


Thanks!

juliomar Mon, 05/16/2011 - 16:54
  • Cisco Employee

Hi Ben,


After uploading the intermediate certificates to the Trusted Certificates (CA Certificate) area, you need to upload your GeoTrust certificate for your SA500 to the Active Self Certificates Area.  Then your certificate will be listed there.


Here is a document detailing installing a GoDaddy SSL Certificate on the SA500, which should be the same for your Geotrust cert.


Hope this helps.


Cheers,

Julio

bencrosby Mon, 05/16/2011 - 17:06

Hi Julio,


Thanks for the response.


I have explained in great detail above what I was doing. You have simply asked me to do what I was doing above.

When I try to upload the certificate to the active self certificate area, that is when I get the error "No trusted certificate found, Can't Upload Self Certificate"


What is very odd is that the 520 WILL allow me to upload my signed certificate to the trusted certificate area, but NOT to the active self certificate area. This means that the file I am trying to upload is not invalid!


Next idea please?

juliomar Mon, 05/16/2011 - 17:40
  • Cisco Employee

Hi Ben,


Sorry that is not working for you.  What is the firmware version of your SA500?


Cheers,

Julio

juliomar Wed, 05/18/2011 - 09:02
  • Cisco Employee

Hi Ben,


The last thing that I can think of is that the CSR you used to receive your Geotrust certificate must still be listed on the Certification Signing Request area on your SA500's Web Configuration Utility's Administration > Authentication > Certification Signing Request page.  If you deleted the CSR before uploading the corresponding Active Self Certificate, then you will not be able to upload your certificate for your SA500.  If that was the case you would need to start over again: generate the CSR (this time not deleting it), send the CSR out to your CA (GeoTrust) to get the certificate, and upload the certificate to your SA500's Active Self Certificates.

I hope this helps, but if there is still an issue, I recommend that you open a case with the Cisco Small Business Support Center. Their phone number is 1-866-606-1866.

The following page contains the pertinent contact list.

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html



Best regards,

Julio
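
An added example, not code from the thread or from Cisco: this shell script builds a throw-away root / intermediate / leaf chain with openssl and then reproduces Ben's situation above (a leaf whose issuer is the intermediate fails to verify against the root alone and passes once the intermediate is supplied), plus the key check behind Julio's point that the certificate must answer the CSR still held on the device. All names (Demo Root CA, Demo Intermediate CA, vpn.example.test) are constructed, and it assumes openssl 1.1.1 or later on the path.

```shell
# Added example: rebuild the "No trusted certificate found" situation with a constructed
# CA hierarchy, then run the checks that tell you which piece is missing.
set -eu
WORK=$(mktemp -d)

# Constructed three-tier PKI: root CA -> intermediate CA -> server leaf, all RSA 2048.
build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=US/O=Demo/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=US/O=Demo/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # The leaf CSR carries the full subject (C, ST, L, O, CN) that public CAs ask for.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=California/L=San Jose/O=Example Co/CN=vpn.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Who actually signed the leaf? That certificate is the one the device must already trust.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# "ok" when the leaf chains to the trusted file, "no-issuer" when a link in the chain is missing.
chain_status() {  # $1 trusted CA file, $2 leaf cert, $3 optional intermediate file
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo no-issuer
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo no-issuer
  fi
}

# "yes" when the signed cert carries the public key of this private key, i.e. it answers the
# CSR made from that key; a cert issued for a different (or deleted) key can never be loaded.
key_matches() {  # $1 private key, $2 certificate
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ] && echo yes || echo no
}

build_demo_pki
echo "leaf issuer:       $(issuer_of "$WORK/leaf.pem")"
echo "root only:         $(chain_status "$WORK/root.pem" "$WORK/leaf.pem")"                      # no-issuer
echo "root+intermediate: $(chain_status "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"      # ok
echo "key matches cert:  $(key_matches "$WORK/leaf.key" "$WORK/leaf.pem")"                       # yes
```

For the "Invalid purpose" error Tuan reports later in the thread, `openssl x509 -in leaf.pem -noout -ext extendedKeyUsage` shows which purposes the CA put into the certificate, and `openssl verify -purpose sslserver` applies the same kind of test.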

bencrosby Wed, 05/18/2011 - 16:32

Julio,


Thanks. I reissued the certificate via Geotrust, and still no joy.


"Can't Upload Invalid Self Certificate"


So I'm trying to get hold of support as you suggest. The number is perpetually engaged. I'll just keep trying.



Thanks

Ben.

linuxuser3030 Fri, 06/22/2012 - 14:33

Ben-


Did you ever get this to work? I too have a GeoTrust cert, but have not yet tried to upload it to my SA520W.


Thanks, Jason

bencrosby Fri, 06/22/2012 - 19:50

Afraid not. It never worked, and tech support couldn't resolve the issue either.


I submitted screenshots, allowed remote access, did a bunch of debugging, and none of it worked.


In the end, I decided that I was spending far too much time on something that should just work, so I traded the device out for a competitive product.


Good Luck.

afgoldberg Fri, 06/22/2012 - 21:26

Sorry it didn't work for you Ben.  As soon as the 2048 bit firmware was released, I was able to get it working with a GoDaddy SSL cert without any problem.

bencrosby Fri, 06/22/2012 - 21:31

Andrew,


Thanks for the follow-up.


I should be very specific - the issue was entirely related to GeoTrust certs as far as I could tell. I am sure from many other reports that GoDaddy and other cert providers would have worked, but a mass move of CA would have cost more than replacing the device.


So, just to be really clear for anyone reading, it's not that the device doesn't work - just that we never managed to get GeoTrust certs to work.


Best wishes,

Ben.

onlyalex1984 Mon, 06/25/2012 - 03:16

Hi, I would like to add my 2 cents from my certification nightmare.


I have created a 2048-bit CSR request and sent it to a public CA. After I received my cert from AlphaSSL I first uploaded the GlobalSign root cert and the cert from AlphaSSL. Both are accepted by my RV220. After this I try to upload my certificate but I'm not able to: invalid certificate error.


Now I have read the admin guide and generated different requests 5 times, with different subject names to include city, state etc. spot on from the manual. Nothing works... My SSL provider is probably wondering what I'm doing.....


I have already opened a case at Cisco, but after 2 weeks my problem is still unresolved. I'm almost convinced there is something wrong with how the device handles certificates.


So until my case is resolved I can conclude that AlphaSSL, which uses the GlobalSign root, does not work. I registered for a free 30 day SSL test certificate from RapidSSL that did not work either. Also from Ben's post GeoTrust does not work either. So why the ***** does the manual or something not state that these providers work, this provider does not, or something like that. Or hey, why doesn't Cisco TEST the damn feature!!!


I have now spent $200 on a certificate that does not work and also notice others have the same error WOW...

Can someone confirm that GoDaddy works and what kind of certificate you bought?


SSL providers that do not work:

GeoTrust, GlobalSign, RapidSSL


Having a "working" option for the user to use a public SSL certificate is essential on an SSL VPN firewall.

ntawork68 Wed, 12/07/2011 - 05:10

Hi Steven,


In my implementation, I need to establish an IPSec L2L tunnel between SA520 and ASA with PKI.


However, SA520 doesn't accept the certificate which was signed by a trusted standalone CA server (Microsoft CA on Windows Server 2003). This certificate was generated in the format of IPSec template. When I try to activate the certificate on SA520, it notifies me as: "Invalid purpose, Can't upload self-signed certificate". Could you please help me?


If the CA generates certificate in the format of WebServer template, the SA520 can import successfully, however it's not the case for IPSec template. Is it a bug?


SA520's firmware is 2.1.51.


Regards,

Tuan
