Cisco Support Community

VPN 3005 and cert hierarchy

If I have a root CA and a CA subordinate to the root CA, is it possible to get away with not installing the root CA on the VPN 3005 concentrator if the VPN client and VPN concentrator identity certificates are both issued by the subordinate CA?

Thanks in advance,

Mattias Eklöf


Re: VPN 3005 and cert hierarchy

I guess not, because at the point where you want to import the signed request, the concentrator tries to validate its new cert by validating the certificate chain. Though it has the subordinate cert, it expects the root-ca so it can terminate the certificate chain.

You'll get something about an invalid chain error.

What's the point of not installing the root-ca cert!?

I would like the concentrator to be able to accept p7b cert-chain files, but it still imports only the first cert it finds in the p7b.


Re: VPN 3005 and cert hierarchy

The problem is I can't install the root CA certificate on the concentrator. I'm not sure why, but I think it's because it is of type x509v1.


Re: VPN 3005 and cert hierarchy

I'm not really sure, but I think you're right. AFAIK the concentrator needs x509v3 to operate correctly.
