ASA5510 renew SSL certificate (GeoTrust QuickSSL Premium) - Cannot import certificate

Answered Question
Apr 29th, 2014

Hi,

I am having issues installing a certificate. I get the following error message:

'Cannot import certificate - Certificate does not contain devices general purpose public key for trust point ASDM_TrustPoint4 Error: failed to parse or verify imported certificate'

 

I found this old post but it may apply to me:

https://supportforums.cisco.com/discussion/11479246/installing-certifica...

 

I tried following these instructions, but it fails at step 4:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content...

 

ASA5510 version 8.3

ASDM version 6.3

 

Any advice?

 

Thank you.
Correct Answer
Marvin Rhoads Tue, 04/29/2014 - 11:14

Are you sure you generated the CSR from that ASA unit?

It's not part of an HA pair by any chance - that would cause it to not recognize the certificate for import since the key would not match.
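One way to test the key-mismatch cause raised above before resubmitting, as an added example that is not part of the original thread: it uses OpenSSL on a workstation to compare the public key inside the CSR sent to the CA with the public key inside the issued certificate. It assumes the CSR text was saved when ASDM generated it; the function names and sample file names are hypothetical, and the sample keys are constructed throwaway data.

```bash
#!/usr/bin/env bash
# Added example: check that an issued certificate carries the same public key
# as the CSR that was submitted to the CA. Function names are hypothetical.

# Print a SHA-256 digest of the public key in a PEM CSR (req) or certificate (x509).
pubkey_digest() {  # usage: pubkey_digest req|x509 FILE
    local pem
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
csr_matches_cert() {  # usage: csr_matches_cert CSR.pem CERT.pem
    local csr_key cert_key
    csr_key=$(pubkey_digest req "$1") || { echo "cannot parse CSR: $1" >&2; return 2; }
    cert_key=$(pubkey_digest x509 "$2") || { echo "cannot parse certificate: $2" >&2; return 2; }
    if [ "$csr_key" = "$cert_key" ]; then
        echo "MATCH: certificate was issued for this CSR's key"
    else
        echo "MISMATCH: certificate belongs to a different key pair"
        return 1
    fi
}

# Constructed sample data: throwaway key pairs "a" and "b", each with a CSR
# and a self-signed certificate (stand-ins for the ASA CSR and the CA reply).
make_samples() {  # usage: make_samples DIR
    local k
    for k in a b; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
            -keyout "$1/$k.key" -out "$1/$k.csr" 2>/dev/null || return 2
        openssl x509 -req -in "$1/$k.csr" -signkey "$1/$k.key" -days 1 \
            -out "$1/$k.crt" 2>/dev/null || return 2
    done
}

if [ "$#" -eq 2 ]; then
    csr_matches_cert "$1" "$2"            # real files: CSR first, certificate second
else
    tmp=$(mktemp -d) && make_samples "$tmp" && {
        csr_matches_cert "$tmp/a.csr" "$tmp/a.crt"          # same key pair
        csr_matches_cert "$tmp/a.csr" "$tmp/b.crt" || true  # CSR from another key pair
    }
    rm -rf "$tmp"
fi
```

A match only shows that the CA issued the certificate for that CSR's key; the certificate still has to be imported on the unit and trustpoint whose key pair produced that CSR.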

jake.pett Tue, 04/29/2014 - 12:21

Marvin,

At this point, would it make more sense to generate a new CSR and submit it to GeoTrust?

The CSR was created via ASDM. I found a CSR checker on GeoTrust's website after your comment, and it shows one error: I used the state abbreviation.

Thank you.

Marvin Rhoads Tue, 04/29/2014 - 12:26

I'd go ahead and resubmit the CSR.

I imagine the incorrect state abbreviation could throw off the parser - it's designed to check the certificate structure very very carefully before allowing it to be imported.

jake.pett Tue, 04/29/2014 - 12:46

I will update you with results; hopefully it will go well after that.

Correct Answer
nkarthikeyan Wed, 04/30/2014 - 04:11

Your CSR generation parameters should match with the CA (Verisign) while generating the root, intermediate and SSL certificate. If any parameter is missing then it will not take.

Root and Intermediate should be applied together and then the SSL to match the trustpoint you have created.

 

Regards

Karthik
