Cisco Support Community
New Member

Importing Verisign Certificate on PIX7.1

Hi there,

After having imported the Verisign Intermediate CA onto my PIX, I've sent the CSR request to Verisign and gotten a certificate back. Now when I try to import the returned certificate on the PIX, I get an error:

Failed to parse or verify imported certificate

Now, I've tried clearing all certs, reauthenticating the CA, etc.

Any ideas?

Is it a problem that the CA is Intermediate? Can the CSR attributes contain spaces?

The PIX is running the latest version 7.

Kind regards

Kelvin Dam

New Member

Re: Importing Verisign Certificate on PIX7.1

I have got the exact same problem, tried it on 7.2.1 and 7.2.2. Also using a Verisign certificate.

Did you find the solution already?

New Member

Re: Importing Verisign Certificate on PIX7.1

Hi koksm,

Yeah - I got it to work. I don't know how many of these steps you have done, but here's how I did it:

RSA-keys are probably already generated (also needed for ssh-access), but if you ever need to reissue the cert, regenerate the rsa keys, otherwise the CSR will be exactly the same and not accepted by the 3rd party CA:

crypto key generate rsa

Then define the trustpoint:

crypto ca trustpoint Verisign

crl optional

enrollment terminal


Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)):

crypto ca authenticate Verisign

---BEGIN--- or ---END--- lines do not matter>


INFO: Certificate has the following attributes:

Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Generate the CSR:

crypto ca enroll Verisign

% Start certificate enrollment ..

% The subject name in the certificate will be: xxxx

% The fully-qualified domain name in the certificate will be:

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:



---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

Notice this is generated without ---BEGIN--- and ---END--- lines, which you do need to add when submitting the form to the 3rd party CA.

After successful verification by the CA you'll be returned a certificate which you can import with or without the ---BEGIN--- and ---END--- lines, so you might as well just copy the complete text:

crypto ca import Verisign certificate

% The fully-qualified domain name in the certificate will be:

Enter the base 64 encoded certificate.

End with the word "quit" on a line by itself







INFO: Certificate successfully imported

Make sure you activate the trustpoint, either for use on all interfaces or on a specific interface, using:

ssl trust-point Verisign [interface]

One more thing - the Verisign root cert, I did NOT get from their webpage, but I took the one that accompanies Internet Explorer.

Hope it helps


New Member

Re: Importing Verisign Certificate on PIX7.1

I guess we did the same, except...

We did use an intermediate certificate to authenticate Verisign.

Do you happen to have the root certificate?

New Member

Re: Importing Verisign Certificate on PIX7.1

You have it yourself, in Internet Explorer :-)

Go to Tools | Internet Options | Content | Certificates

I think it's under rootcerts or intermediates...hope it helps :)

Kind regards


New Member

Re: Importing Verisign Certificate on PIX7.1

Last question, :)

Indeed, I have it, but I have twelve!

Which one did you use?

New Member

Re: Importing Verisign Certificate on PIX7.1

Hmm, not sure - but you can contact your local Verisign support (sorted by country) and they can guide you to which cert to use.

I think I tried the first one, and was in luck
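
For the question above of which of several candidate CA certificates to authenticate the trustpoint with, here is an offline check, added as an example and not taken from any poster in this thread. It assumes a workstation with the OpenSSL command-line tool and the certificates saved as PEM files; the function names, file names and demo certificates are constructed for illustration.

```sh
#!/bin/sh
# Added example: which candidate CA certificate signed an identity certificate?

# find_issuer CERT CANDIDATE...
# Prints each candidate file that validates CERT on its own.
#   -trusted        trust only that file, not the system CA store
#   -partial_chain  accept an intermediate CA as the trust anchor
# Returns 0 if at least one candidate matched, 1 otherwise.
find_issuer() {
    cert=$1; shift
    rc=1
    for ca in "$@"; do
        if openssl verify -partial_chain -trusted "$ca" "$cert" >/dev/null 2>&1; then
            echo "$ca"
            rc=0
        fi
    done
    return $rc
}

# make_demo DIR: constructed sample data, two unrelated throwaway CAs and an
# identity certificate signed by the second one (file names are made up).
make_demo() {
    d=$1
    for n in ca1 ca2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pix.example.test" \
        -keyout "$d/id.key" -out "$d/id.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/id.csr" -CA "$d/ca2.pem" -CAkey "$d/ca2.key" \
        -CAcreateserial -days 1 -out "$d/id.pem" 2>/dev/null
}

# Usage: script demo | script CERT CANDIDATE...
case "${1:-}" in
    "")   : ;;   # no arguments: only define the functions
    demo) tmp=$(mktemp -d) && make_demo "$tmp" &&
          find_issuer "$tmp/id.pem" "$tmp/ca1.pem" "$tmp/ca2.pem"
          rm -rf "$tmp" ;;
    *)    find_issuer "$@" ;;
esac
```

openssl verify also checks validity dates, so an expired CA or identity certificate will not be reported as a match.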

