Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance

Hi,

Basically, I am trying to achieve what's documented in

http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704

(using ASDM: "crypto ca import" = Remote Access VPN -> Certificate Management -> Code Signer -> Import)

I give the ASA a complete PKCS12 bundle (unencrypted private key + certificates up to the root CA).

I can indeed verify that it has been imported correctly by exporting it again:

  crypto ca export CodeSignerBundle pkcs12 1234

It shows me the private key and all the certificates.

However, the jars used in WebVPN, while carrying the correct certificate, don't have a full certification chain at their disposal:

Using jarsigner -verify I see on a random file from the jar:

sm       905 Fri Nov 30 00:00:00 CET 1979 Java/lang/CpUtf8.class
      X.509, CN=COMMONNAME, O=ORGANIZATION, L=LOCATION, ST=STATE, C=COUNTRY
      [certificate is valid from 8/1/13 4:30 PM to 8/1/16 4:30 PM]
      X.509, CN=LuxTrust Qualified CA, O=LuxTrust S.A., C=LU
      [certificate is valid from 6/5/08 11:25 AM to 10/18/16 12:40 PM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

Indeed the certificate file inside the jar (META-INF/.....RSA) does not contain what I uploaded to the ASA. One of the intermediary certificates is missing (while another certificate is listed twice).

What could be the problem here? (ASA v8.2(5))

Thanks for any help,

Marki
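As an added example (not part of the original post and not Cisco or ASA code), the check below reads the certificates out of a jar's META-INF/*.RSA signature block and walks the issuer links the way jarsigner has to, reporting the missing issuer and any certificate listed twice; it goes slightly beyond the post by handling any chain depth. The sample subject/issuer names are constructed, and the `cryptography` package is only needed when inspecting a real jar.

```python
"""Added example: check whether a signed jar's META-INF/*.RSA block carries a complete chain."""
import zipfile


def signer_name_pairs(jar_path):
    """(subject, issuer) RFC 4514 strings for every cert in the jar's PKCS#7 signature block(s)."""
    from cryptography.hazmat.primitives.serialization import pkcs7  # only needed for real jars
    pairs = []
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7.load_der_pkcs7_certificates(jar.read(name)):
                    pairs.append((cert.subject.rfc4514_string(), cert.issuer.rfc4514_string()))
    return pairs


def chain_report(pairs):
    """Walk issuer links from the end-entity cert upward; returns (chain, missing_issuers, duplicates).
    Name matching only, no signature checks: a non-empty missing_issuers is the gap that makes
    jarsigner report 'Path does not chain with any of the trust anchors'."""
    issuer_of, duplicates = {}, []
    for subject, issuer in pairs:
        if subject in issuer_of:
            duplicates.append(subject)
        issuer_of[subject] = issuer
    all_issuers = {issuer for _, issuer in pairs}
    leaves = [s for s, _ in pairs if s not in all_issuers]  # issued nothing -> end-entity cert
    chain, missing, subject = [], [], (leaves[0] if leaves else None)
    while subject is not None and subject not in chain:  # 'not in chain' guards against loops
        chain.append(subject)
        issuer = issuer_of[subject]
        if issuer == subject:
            break  # self-signed root reached: the chain is complete
        if issuer not in issuer_of:
            missing.append(issuer)
            break
        subject = issuer
    return chain, missing, duplicates


# Constructed sample mirroring the post: signer and root present, issuing CA missing, root listed twice.
SIGNER = ("CN=Example Code Signer,O=Example Org,C=LU", "CN=Example Issuing CA,O=Example CA,C=LU")
ISSUING = ("CN=Example Issuing CA,O=Example CA,C=LU", "CN=Example Root CA,O=Example CA,C=LU")
ROOT = ("CN=Example Root CA,O=Example CA,C=LU", "CN=Example Root CA,O=Example CA,C=LU")
BROKEN_JAR, COMPLETE_JAR = [SIGNER, ROOT, ROOT], [SIGNER, ISSUING, ROOT]

if __name__ == "__main__":
    for label, pairs in (("broken", BROKEN_JAR), ("complete", COMPLETE_JAR)):
        print(label, chain_report(pairs))
```

On a real appliance, `chain_report(signer_name_pairs("path/to/webvpn.jar"))` shows directly which issuer the ASA left out of the signature block.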
