
ASA5510 renew SSL certificate (GeoTrust QuickSSL Premium) - Cannot import certificate

jake.pett
Level 1

Hi,

I am having issues installing a certificate. I get the following error message:

'Cannot import certificate - Certificate does not contain devices general purpose public key for trust point ASDM_TrustPoint4 Error: failed to parse or verify imported certificate'

I found this old post but it may apply to me:

https://supportforums.cisco.com/discussion/11479246/installing-certificate-ssl-vpn-asa-5510

I tried following these instructions but it fails in step 4:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO16142&actp=search&viewlocale=en_US&searchid=1398781506734

ASA5510 version 8.3

ASDM version 6.3

Any advice?

Thank you.

2 Accepted Solutions

Marvin Rhoads
Hall of Fame

Are you sure you generated the CSR from that ASA unit?

It's not part of an HA pair by any chance - that would cause it to not recognize the certificate for import since the key would not match.

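Added example, not part of any post in this thread: an off-box check that the public key in the issued certificate is the same one in the CSR, which is the mismatch the import error and the reply above describe. It assumes the CSR file is the one produced by the trustpoint's current key pair; all file names and the sample subject are hypothetical, and the sample files are constructed with throwaway keys.

```shell
#!/bin/sh
# Added example (not from the thread). File names below are hypothetical.

# pubkey_fp KIND FILE: SHA-256 of the DER public key in a CSR (KIND=req)
# or a certificate (KIND=x509). Returns 2 if the file cannot be parsed.
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# csr_matches_cert CSR CERT: 0 = same key, 1 = different key, 2 = unreadable input.
csr_matches_cert() {
    csr_fp=$(pubkey_fp req "$1") || return 2
    crt_fp=$(pubkey_fp x509 "$2") || return 2
    [ "$csr_fp" = "$crt_fp" ]
}

# make_samples DIR: constructed test data. asa.csr and asa.crt share one key pair;
# other.crt is built from a second key pair, like a cert requested from another unit.
make_samples() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/asa.key" -out "$1/asa.csr" \
        -subj "/C=US/ST=Texas/O=Example/CN=vpn.example.test" 2>/dev/null
    openssl x509 -req -in "$1/asa.csr" -signkey "$1/asa.key" -days 1 \
        -out "$1/asa.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" -days 1 \
        -out "$1/other.crt" -subj "/CN=vpn.example.test" 2>/dev/null
}

dir=$(mktemp -d)
make_samples "$dir"
for crt in asa.crt other.crt; do
    if csr_matches_cert "$dir/asa.csr" "$dir/$crt"; then
        echo "$crt: public key matches the CSR"
    else
        echo "$crt: public key differs from the CSR"
    fi
done
rm -rf "$dir"
```

A match only shows that the CA issued the certificate for that CSR; if the key pair on the device was regenerated after the CSR was created, the saved CSR no longer represents the device's key.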

Your CSR generation parameters should match with the CA (Verisign) while generating the root, intermediate and SSL certificate. If any parameter is missing then it will not take.

Root and Intermediate should be applied together and then the SSL to match the trustpoint you have created.

Regards

Karthik


5 Replies

Marvin,

At this point would it make more sense to generate a new CSR and submit it to GeoTrust?

The CSR was created via ASDM. I found a CSR checker on GeoTrust's website after your comment and it shows one error: I used the state abbreviation.

Thank you.

I'd go ahead and resubmit the CSR.

I imagine the incorrect state abbreviation could throw off the parser - it's designed to check the certificate structure very very carefully before allowing it to be imported.

I will update you with results, hopefully it will go well after that.
