Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Importing Verisign Certificate on PIX7.1

Hi there,

After having importet Verisign Intermediate CA onto my PIX, I've send the CSR request to Verisign and gotten a Certificate back. Now when I try to import the returned certificate on the PIX, I get an error :

Failed to parse or verify imported certificate

Now, I've tried clearing all certs, reauthenticate the CA etc.

Any ideas?

Is it a problem that the CA is Intermediate? Can the CSR attributes contain spaces?

Pix is running latest version 7

Kind regards

Kelvin Dam

6 REPLIES
New Member

Re: Importing Verisign Certificate on PIX7.1

I have got the exact same problem, tried it on 7.2.1 and 7.2.2. Also using a Verisign certificate.

Did you find the solution already?

New Member

Re: Importing Verisign Certificate on PIX7.1

Hi koksm,

Yeah - I got it to work. I dont know how many of these steps you have done, but heres how I did it :

RSA-keys are probably already generated (also needed for ssh-access), but if you ever need to reissue the cert, regenerate the rsa keys, otherwise the CSR will be exactly the same and not accepted by the 3rd party CA:

crypto key generate rsa

Then define the trustpoint:

crypto ca trustpoint Verisign

crl optional

enrollment terminal

subject-name CN=host.domain.com,OU=Unit,O=Organisation,C=NL,St=xxx,L=xxx,EA=postmaster@domain.com

Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)):

crypto ca authenticate Verisign

---BEGIN--- or ---END--- lines do not matter>

quit

INFO: Certificate has the following attributes:

Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Generate the CSR:

crypto ca enroll Verisign

% Start certificate enrollment ..

% The subject name in the certificate will be: xxxx

% The fully-qualified domain name in the certificate will be: hostname.domain.com

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:

MIICNjCCAZ8CAQAwgbwxJTAjBgkqhkiG9w0BCQEWFnNlcnZpY2VkZXNrQGR5bm9t

aWMubmwxEjAQBgNVBAcTCUJpbHRob3ZlbjEQMA4GA1UECBMHVXRyZWNodDELMAkG

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

Notice this is generate without ---BEGIN--- and ---END--- lines which you do need to add when submitting the form to the 3rd party CA.

After succesful verification by the CA you'll be returned a certificate which you can import with or without the ---BEGIN--- and ---END---- lines, so you might as well just copy the complete text:

crypto ca import Verisign certificate

% The fully-qualified domain name in the certificate will be: xxx.domain.com

Enter the base 64 encoded certificate.

End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

MIIDcTCCAtqgAwIBAgIQIHOwJ7acK6Fmibyhf67HlDANBgkqhkiG9w0BAQUFADC

MXN/DqZw504SdlIkm3K4Dt7kSa5NILlncBiPhJJPJRjcOk6wRB6vuGG85uz6twR

nq4BqbMitzpgxvK12hgS9ZDy62kC

-----END CERTIFICATE-----

quit

INFO: Certificate successfully imported

Make sure you activitate the trustpoint either as for use on all interfaces or on a specific interface using:

ssl trust-point thawte.com [interface]

One more thing - the verisign root cert, I did NOT get from their webpage, but I took the one that accompanies the Internet Explorer.

Hope it helps

Kdam

New Member

Re: Importing Verisign Certificate on PIX7.1

I guess we did the same, except...

We did use an intermediate certificate to authenticate Verisign.

Do you happen to have the root certificate?

New Member

Re: Importing Verisign Certificate on PIX7.1

You have it yourself, in the Internet Eplorer :-)

go to Tools | Internet Options | Content | Certificates

I think its under rootcerts or intermediates...hope it helps :)

Kind regards

Kelvin

New Member

Re: Importing Verisign Certificate on PIX7.1

Last question, :)

Indeed, i have it, but i have twelve!

Which one did you use?

New Member

Re: Importing Verisign Certificate on PIX7.1

Hmm, not sure - but you can contact your local Verisign support (sorted by country) and they can guide you to wich cert to use.

I think I tried the first one, and was in luck

/Kdam

152
Views
0
Helpful
6
Replies
CreatePlease to create content