ASA 8.0(4) Manually Install 3rd Party Vendor Certificates Problem

rachelau_2005
Level 1

Hi,

I am having a problem installing the 3rd-party vendor certificate.

I successfully installed the certificate one year ago, but recently I had to renew the certificate (Entrust) and have to reinstall it. I used the same steps as when I first installed the certificate one year ago (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml#step2).

The steps I have done are as follows:

1) Generate a Public Key e.g. ABCkey

asa(config)# crypto key generate rsa label ABCkey modulus 1024
INFO: The name for the keys will be: ABCkey

Keypair generation process begin. Please wait...

2) Create trust point:

asa(config)# crypto ca trustpoint ABCtrustpoint

asa(config-ca-trustpoint)# subject-name cn=www.abc.com.au,ou=IT-UC,o=ABC Limited,l=Australia,c=AU
asa(config-ca-trustpoint)# keypair entrust.key
asa(config-ca-trustpoint)# enrollment terminal
asa(config-ca-trustpoint)# exit
asa(config)# crypto ca enroll entrust
% Start certificate enrollment .

After that it generated a CSR, and I sent it to Entrust to get a certificate.

3) Install certificate:

asa(config)# crypto ca import ABCtrustpoint certificate

The error message is:

Cannot import certificate -
   Certificate does not contain device's General Purpose public key
   for trust point entrust
ERROR: Failed to parse or verify imported certificate

4) I have made sure the public key is there

show crypto key mypubkey rsa

Do I have to uninstall all the old certificates before I can renew my certificate? If so, how can I uninstall them via the command line?

3 Replies

edadios
Cisco Employee

Try following this document instead

http://tinyurl.com/29teodn

Otherwise, the message you are getting suggests you got a bad cert from the provider.

Try following the steps again, and request the cert again.

I hope this helps you.

Regards,

Hi,

How can I do it through the command line interface?


Thanks

Kind regards,

Rachel

The document you followed is actually correct, though I thought it may have been easier for you, and possibly fewer mistakes, if you follow the ASDM.

In any case, the error message you got suggests that the certificate you got from the provider is corrupt or incomplete.

So I suggest re-requesting the certificate from them, and try it again.

I hope that helps you.
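
Added example, not part of the thread or of Cisco's documentation: the error text in the question says the imported certificate does not contain the public key of the trustpoint's key pair. The script below checks that condition off-box by comparing the public key in the submitted CSR with the one in the certificate the CA returned, assuming both are saved as PEM files on a workstation with the OpenSSL CLI; the file names, the `make_samples` helper and its throwaway keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does an issued certificate carry the
# same public key as the CSR that was submitted? Requires the openssl CLI.

# Print the PEM public key held in a CSR ($1 = req) or certificate ($1 = x509).
pubkey_of() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] && printf '%s\n' "$pem"
}

# 0 = keys match, 1 = different keys, 2 = a file could not be parsed.
cert_matches_csr() {
    csr_key=$(pubkey_of req "$1") || return 2
    crt_key=$(pubkey_of x509 "$2") || return 2
    [ "$csr_key" = "$crt_key" ]
}

# Constructed sample material in directory $1: two throwaway RSA keys, a CSR
# for the first key, and self-signed certificates standing in for CA replies.
make_samples() {
    openssl genrsa -out "$1/device.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/device.key" -subj "/CN=vpn.example.test" \
        -out "$1/device.csr" 2>/dev/null &&
    openssl req -x509 -new -key "$1/device.key" -subj "/CN=vpn.example.test" \
        -days 1 -out "$1/issued.crt" 2>/dev/null &&
    openssl req -x509 -new -key "$1/other.key" -subj "/CN=vpn.example.test" \
        -days 1 -out "$1/other.crt" 2>/dev/null
}

# Usage: sh check.sh request.csr issued.crt
if [ "$#" -eq 2 ]; then
    cert_matches_csr "$1" "$2"
    case $? in
        0) echo "match: certificate was issued for the key in this CSR" ;;
        1) echo "MISMATCH: certificate holds a different public key" ;;
        *) echo "error: could not read CSR or certificate" >&2 ;;
    esac
fi
```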
