07-28-2010 06:17 PM - edited 03-11-2019 11:17 AM
Hi,
I am having a problem installing the 3rd Party Vendor Certificate.
I successfully installed the certificate one year ago, but recently I had to renew the certificate (Entrust) and have to reinstall it. I used the same steps as before, when I first installed the certificate one year ago. (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml#step2)
The steps I have done are as follows:
1) Generate a Public Key e.g. ABCkey
asa(config)# crypto key generate rsa label ABCkey modulus 1024
INFO: The name for the keys will be: ABCkey
Keypair generation process begin. Please wait...
2) Create trust point:
asa(config)# crypto ca trustpoint ABCtrustpoint
asa(config-ca-trustpoint)# subject-name cn=www.abc.com.au,ou=IT-UC,o=ABC Limited,l=Australia,c=AU
asa(config-ca-trustpoint)# keypair entrust.key
asa(config-ca-trustpoint)# enrollment terminal
asa(config-ca-trustpoint)# exit
asa(config)# crypto ca enroll entrust
% Start certificate enrollment .
After that it generated a CSR and I sent it to Entrust to get a certificate.
3) Install certificate:
asa(config)# crypto ca import ABCtrustpoint certificate
the error message is:
Cannot import certificate -
Certificate does not contain device's General Purpose public key
for trust point entrust
ERROR: Failed to parse or verify imported certificate
4) I have made sure the public key is there
show crypto key mypubkey rsa
Do I have to uninstall all the old certificates before I can renew my certificate? If so, how can I uninstall them via the command line?
07-28-2010 06:32 PM
Try following this document instead
Otherwise, the message you are getting suggests you got a bad cert from the provider.
Try following the steps again, and request for the cert again.
I hope this helps you.
Regards,
07-28-2010 10:39 PM
Hi,
How can I do it through the command line interface?
Thanks
Kind regards,
Rachel
07-29-2010 12:07 AM
The document you followed is actually correct, though I thought it may have been easier for you, and possibly fewer mistakes, if you follow the ASDM.
In any case, the error message you got suggests that the certificate you got from the provider is corrupt or incomplete.
So I suggest re-requesting the certificate from them, and trying it again.
I hope that helps you.
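An off-box check relevant to the import error quoted in this thread, as an added example that is not part of any post or of Cisco's documentation: it uses the openssl CLI to compare the public key in a CSR with the public key in the certificate the CA returned. The file names are placeholders, and the sample keys, CSR and certificates are constructed locally for the demonstration.

```shell
#!/bin/sh
# Added example: does an issued certificate carry the same public key as the CSR?
# Assumes the openssl CLI is installed; all file names are placeholders.

# Print "match" (exit 0) or "mismatch" (exit 1); exit 2 if a file cannot be parsed.
pubkey_matches() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    if [ "$csr_pub" = "$crt_pub" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Constructed sample data: two RSA keys, one CSR made from key A, and one
# self-signed certificate per key (standing in for the CA's reply).
make_samples() {
    dir=$1
    openssl genrsa -out "$dir/a.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/b.key" 2048 2>/dev/null
    openssl req -new -key "$dir/a.key" -subj "/CN=www.example.test" -out "$dir/a.csr"
    openssl req -new -x509 -key "$dir/a.key" -subj "/CN=www.example.test" -days 1 -out "$dir/a.crt"
    openssl req -new -x509 -key "$dir/b.key" -subj "/CN=www.example.test" -days 1 -out "$dir/b.crt"
}

demo() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    pubkey_matches "$tmp/a.csr" "$tmp/a.crt"          # certificate issued for the CSR's key
    pubkey_matches "$tmp/a.csr" "$tmp/b.crt" || true  # certificate issued for a different key
    rm -rf "$tmp"
}

demo
```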