Wildcard Identity Certificate on ASA 5510

Hi,

I have tried multiple methods to upload a new wildcard SSL certificate on our ASA without success.

Normally I would generate the CSR from the device itself, and that worked flawlessly over the years. However, this time I was given a wildcard cert with a .pfx extension for multiple devices. I have tried uploading the identity certificate as a pfx, and as converted to a pem. I have tried building it using the private key and the crt file with the intermediate using openssl etc. etc. I have tried through ASDM and CLI. "debug crypto ca 255" is not of very much help either, nor is Google.

My attempted steps are as follows:

1. Uploaded CA intermediate - No problem.

2. Upload pfx identity certificate - Fail.

3. Upload pem, pem with ---BEGIN CERTIFICATE--- only (identity certificate etc.) - Fail.

4. Upload crt identity certificate - Fail.

Error: Import PKCS12 operation failed no matter which way

I have googled it to death, and everywhere I read that you can use a wildcard cert generated elsewhere, but all the directions, including:

Step by step guide to install Godaddy.com wild card certificate on Cisco ASA 5500 series boxes.

  1. Download the intermediate certificate from https://certs.godaddy.com/anonymous/repository.seam.
  2. Go to https://www.sslshopper.com/ssl-converter.html and convert your .cer file into .pfx (PKCS12 format) by inputting urdomain.cer, intermediate.cer and the private key (assuming you have downloaded your private keys and certificates, i.e. *.urdomain.com, from godaddy.com).
  3. After you create the .pfx file, in ASDM go to Configuration, Device Management, Certificate Management, CA Certificates; click Add, don't change any defaults, install from file, locate the gd_intermediate.crt file. Once the intermediate cert is loaded, go to Identity Certificates (right below CA Certificates) and do something similar (Add, import from file, choose the .pfx file, and enter the password for the .pfx).

have been a failure.

I have installed many certs from a csr on the device but never a wildcard generated elsewhere.

Is it possible on 5510 to install this type?  Do I need a rehosted cert?  What are the proper steps to attain a wildcard cert from iis or similar server?

Any new information on this subject would be greatly appreciated!

Cheers
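Step 2 of the guide quoted above (bundling key, leaf and intermediate into one .pfx) done locally with OpenSSL, together with the checks worth running before the upload is attempted. This is an added example, not from the post or from Cisco; it assumes `openssl` is on PATH and constructs a throwaway root, intermediate and `*.example.com` wildcard certificate in place of the real GoDaddy chain.

```shell
#!/bin/sh
# Build a PKCS#12 bundle (leaf cert + private key + intermediate) and verify
# it before uploading. All material below is constructed test data: a
# throwaway root and intermediate stand in for the GoDaddy chain, and a
# "*.example.com" leaf stands in for the wildcard identity certificate.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

gen_chain() {
  # Throwaway root CA (self-signed, CA:TRUE comes from the default req config)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Test Root" -days 30 -sha256 2>/dev/null
  # Intermediate signed by the root; CA:TRUE + keyCertSign so verify accepts it
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Test Intermediate" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 30 -sha256 -extfile inter.ext 2>/dev/null
  # Wildcard leaf signed by the intermediate (the "urdomain.cer" of the guide)
  openssl req -newkey rsa:2048 -nodes -keyout wild.key -out wild.csr \
    -subj "/CN=*.example.com" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.com,DNS:example.com\n' > wild.ext
  openssl x509 -req -in wild.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out wild.crt -days 30 -sha256 -extfile wild.ext 2>/dev/null
}

# Guide step 2 done locally: key + leaf + intermediate into one password-protected .pfx
build_pfx() {
  openssl pkcs12 -export -inkey wild.key -in wild.crt -certfile inter.crt \
    -name "wildcard" -passout pass:changeit -out wild.pfx
}

# Pre-upload checks: key matches cert, pfx opens with the password, the leaf
# chains to the root through the intermediate, and both certs are in the bundle.
check_pfx() {
  k=$(openssl rsa -in wild.key -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in wild.crt -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ] || { echo "key/cert mismatch"; return 1; }
  openssl pkcs12 -in wild.pfx -passin pass:changeit -nokeys >/dev/null 2>&1 \
    || { echo "pfx unreadable with given password"; return 1; }
  openssl verify -CAfile root.crt -untrusted inter.crt wild.crt >/dev/null 2>&1 \
    || { echo "chain does not verify"; return 1; }
  n=$(openssl pkcs12 -in wild.pfx -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERT')
  [ "$n" -eq 2 ] || { echo "expected 2 certs in pfx, got $n"; return 1; }
  echo "pfx ok"
}
```

`openssl pkcs12 -info -in wild.pfx -passin pass:changeit -noout` additionally prints the PBE and MAC algorithms the export used, which is worth noting when an importer rejects a file that otherwise checks out.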


1 REPLY

Wildcard Identity Certificate on ASA 5510

I have the same problem on a 5515-X, and I've tried pretty much the same things. The weird thing for me is that everything worked great until I did an OS upgrade. Back on 8.6.1, my browser successfully verified the certificate on my SSL VPN login page, and AnyConnect never brought up any warning boxes. But after I upgraded to 9.1.3, the box was back to using a self-signed cert. The wildcard identity certificate seems to have just disappeared, though the GoDaddy CA cert and my local CA cert both stayed intact.

I've used OpenSSL to convert and verify my cert file in a number of different ways, but all of my supposedly valid files still get the import operation failed message. So it seems like there was some OS change that suddenly made my wildcard incompatible, but I haven't figured out what it is yet.

Hope this helps, for both our sakes.
