07-18-2006 04:32 AM - edited 03-09-2019 03:37 PM
Hi there,
After having imported the Verisign Intermediate CA onto my PIX, I've sent the CSR to Verisign and gotten a certificate back. Now when I try to import the returned certificate on the PIX, I get an error:
Failed to parse or verify imported certificate
Now, I've tried clearing all certs, reauthenticating the CA, etc.
Any ideas?
Is it a problem that the CA is Intermediate? Can the CSR attributes contain spaces?
The PIX is running the latest version 7.
Kind regards
Kelvin Dam
11-27-2006 01:26 AM
I have got the exact same problem, tried it on 7.2.1 and 7.2.2. Also using a Verisign certificate.
Did you find the solution already?
11-27-2006 01:41 AM
Hi koksm,
Yeah - I got it to work. I don't know how many of these steps you have done, but here's how I did it:
RSA keys are probably already generated (also needed for SSH access), but if you ever need to reissue the cert, regenerate the RSA keys; otherwise the CSR will be exactly the same and not accepted by the 3rd-party CA:
crypto key generate rsa
Then define the trustpoint:
crypto ca trustpoint Verisign
crl optional
enrollment terminal
subject-name CN=host.domain.com,OU=Unit,O=Organisation,C=NL,St=xxx,L=xxx,EA=postmaster@domain.com
Import the root CA cert (make sure you have the correct one, preferably without an intermediate CA (RA)):
crypto ca authenticate Verisign
<paste the base64 CA certificate here; ---BEGIN--- or ---END--- lines do not matter>
quit
INFO: Certificate has the following attributes:
Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Generate the CSR:
crypto ca enroll Verisign
% Start certificate enrollment ..
% The subject name in the certificate will be: xxxx
% The fully-qualified domain name in the certificate will be: hostname.domain.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIICNjCCAZ8CAQAwgbwxJTAjBgkqhkiG9w0BCQEWFnNlcnZpY2VkZXNrQGR5bm9t
aWMubmwxEjAQBgNVBAcTCUJpbHRob3ZlbjEQMA4GA1UECBMHVXRyZWNodDELMAkG
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
Notice this is generated without ---BEGIN--- and ---END--- lines, which you do need to add when submitting the form to the 3rd-party CA.
After successful verification by the CA you'll be returned a certificate, which you can import with or without the ---BEGIN--- and ---END--- lines, so you might as well just copy the complete text:
crypto ca import Verisign certificate
% The fully-qualified domain name in the certificate will be: xxx.domain.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDcTCCAtqgAwIBAgIQIHOwJ7acK6Fmibyhf67HlDANBgkqhkiG9w0BAQUFADC
MXN/DqZw504SdlIkm3K4Dt7kSa5NILlncBiPhJJPJRjcOk6wRB6vuGG85uz6twR
nq4BqbMitzpgxvK12hgS9ZDy62kC
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
Make sure you activate the trustpoint, either for use on all interfaces or on a specific interface, using:
ssl trust-point Verisign [interface]
One more thing - the Verisign root cert I did NOT get from their webpage; I took the one that ships with Internet Explorer.
Hope it helps
Kdam
11-27-2006 02:57 AM
I guess we did the same, except...
We did use an intermediate certificate to authenticate Verisign.
Do you happen to have the root certificate?
11-27-2006 03:45 AM
You have it yourself, in Internet Explorer :-)
Go to Tools | Internet Options | Content | Certificates
I think it's under root certs or intermediates... hope it helps :)
Kind regards
Kelvin
11-28-2006 03:17 AM
Last question, :)
Indeed, I have it, but I have twelve!
Which one did you use?
11-28-2006 08:11 AM
Hmm, not sure - but you can contact your local Verisign support (sorted by country) and they can guide you to which cert to use.
I think I tried the first one, and was in luck
/Kdam
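The enrolment walkthrough above and the "I have twelve, which one did you use?" question both come down to checks that can be run off-box before anything is pasted into `crypto ca import`. The script below is an added example, not something posted in the thread or shipped with the PIX; it uses only the openssl CLI (1.0.2 or later) and builds a constructed two-level CA (a self-signed root plus an intermediate it issued) standing in for the public CA, a stand-in device key and CSR carrying the thread's `subject-name`, and a second, "regenerated" key. All file and subject names are placeholders. It then answers three questions: which of a bundle of candidate CA certificates actually issued the returned certificate, whether the certificate's public key still matches the RSA key on the box (the point about regenerating keys before re-enrolling), and whether the certificate chains to the CA certificate that was authenticated on the trustpoint, with or without the intermediate supplied alongside.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce off-box the checks that decide whether a
# returned certificate will pair with the trustpoint and key on the firewall. Needs only openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config so "openssl req" does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CNF"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:host.domain.com\n' > "$WORK/leaf.ext"

# Constructed stand-in for the public CA: a self-signed root and an intermediate it issued.
openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl genrsa -out "$WORK/inter.key" 2048 2>/dev/null
openssl req -new -config "$CNF" -key "$WORK/inter.key" \
    -subj "/CN=Example Intermediate CA" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# The device side: a fresh RSA key (crypto key generate rsa), a CSR with the trustpoint's
# subject-name (crypto ca enroll), and the certificate the CA returns, issued by the intermediate.
openssl genrsa -out "$WORK/pix.key" 2048 2>/dev/null
openssl req -new -config "$CNF" -key "$WORK/pix.key" \
    -subj "/CN=host.domain.com/OU=Unit/O=Organisation/C=NL" -out "$WORK/pix.csr" 2>/dev/null
openssl x509 -req -in "$WORK/pix.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/pix.pem" 2>/dev/null
# A second key standing in for "crypto key generate rsa" having been re-run after enrolling.
openssl genrsa -out "$WORK/regenerated.key" 2048 2>/dev/null

# Which candidate CA certificate actually issued $1? Prints the matching file; returns 1 if none.
# -partial_chain lets openssl treat the candidate as a trust anchor even when it is not self-signed,
# which is what a trustpoint authenticated with an intermediate amounts to.
find_issuer() {
    cert=$1; shift
    for cand in "$@"; do
        if openssl verify -partial_chain -CAfile "$cand" "$cert" >/dev/null 2>&1; then
            echo "$cand"; return 0
        fi
    done
    return 1
}

# Does the certificate's public key match the private key on the box? (RSA modulus comparison)
key_matches() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Does $2 chain to the trustpoint CA $1, optionally via an intermediate $3 supplied alongside?
chains_to_trustpoint() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

echo "Returned cert issuer: $(openssl x509 -noout -issuer -in "$WORK/pix.pem")"
echo "Issuing CA among candidates: $(find_issuer "$WORK/pix.pem" "$WORK/root.pem" "$WORK/inter.pem")"
if key_matches "$WORK/pix.pem" "$WORK/pix.key"; then echo "Key on box matches the certificate"; fi
if ! key_matches "$WORK/pix.pem" "$WORK/regenerated.key"; then echo "Regenerated key does NOT match: re-enrol"; fi
if chains_to_trustpoint "$WORK/root.pem" "$WORK/pix.pem" "$WORK/inter.pem"; then echo "Chains to root when the intermediate is supplied"; fi
if ! chains_to_trustpoint "$WORK/root.pem" "$WORK/pix.pem"; then echo "Root alone cannot verify it: intermediate missing"; fi
```

To use it against a real bundle, replace `pix.pem` with the certificate the CA returned, `pix.key` with the key exported or kept alongside the CSR, and pass the candidate CA files (for example each certificate exported from the browser's store) to `find_issuer`; whichever file it prints is the one the trustpoint needs, and if none matches, the certificate was issued from a CA you do not yet have. The modulus check only covers RSA keys, which is what the PIX generates with `crypto key generate rsa`.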