Cisco ASA can not import certificate !!

john.ebrahim83
Level 1

Hi guys,

While installing the identity certificate I am getting this error:

"

can not import certificate.

certificate does not contain device general purpose public key for cisco trust point ASA_IDENTITY_TRUSTPOINT

ERROR: failed to parse or verify the imported certificate

"

Attached is the snapshot of the ERROR.

I searched the forum and one solution to this was to put "ST" in the certificate DN, so I did, but still the same issue.

I have a Cisco ASA 5550 with the following configuration (and the client does not want to upgrade):

software version: 8.0.4

3DES-AES : disabled

Please come up with some solutions; every suggestion is appreciated.

5 Replies

It looks like you have not generated an RSA keypair when you generated the CSR.

--
Please remember to rate and select a correct answer


Marius, I did; in fact I tried generating another key pair, one of size 1024 and the other of 2048, but with both it's not working. I have tried the same config on an ASA 5520; the only difference is that in my successful installation the ASA software version was 8.2.5 and 3DES-AES was enabled.

Here it's not working on the 5550 with software version 8.0.4 and 3DES-AES: Disabled.

This is my keypair:

"

Key name: CA-identity-Key

Usage: General Purpose Key

Modulus Size (bits): 1024

Key Data:

"

Ah, didn't notice that in your original post. That must be enabled for any type of encryption to work. It is free (so I am not sure why Cisco doesn't include it when they ship the device) but you need to go to the Cisco website and get the license and install it on the ASA.

If you are sure about it then I will try. Does it require downtime? I mean a reboot after issuing activation-key XXXXXX?

A reboot is required after the license installation.

As I mentioned, the 3DES-AES license is used for strong encryption. When generating a keypair, RSA is used, which (to my understanding) is part of the strong encryption package.
