SA520 Wildcard SSL Certificate?

I have a wildcard SSL certificate for our domain from RapidSSL. I installed the intermediary certificates fine but I can't get the actual cert to install. I get the message "Can't Upload Invalid Self Certificate". Has anyone else ever successfully used a wildcard cert with an SA?


SA520 Wildcard SSL Certificate?

Hi Steven

I also had a big problem with a regular SSL certificate from RapidSSL. I opened a case with Cisco and after 3 weeks of the most horrible support I have ever experienced I gave up. I bought a new certificate from GoDaddy and that worked right away.

I pointed out to my Cisco tech that there is most likely a bug in the firmware, since I tried 3 different providers, GeoTrust, GlobalSign and RapidSSL, and all of them did not work. I bet they did not even try to solve my case.

Here is a link to another post about this issue.

https://supportforums.cisco.com/message/3667478#3667478

SA520 Wildcard SSL Certificate?

Doesn't GoDaddy only offer 2048-bit+ certificates? Our SA540 won't accept those certificates and we were told by Cisco that it only supports up to 1024 bits.

SA520 Wildcard SSL Certificate?

Hello Mr. Williamson,

In order to get a new SSL certificate, please follow these instructions:

STEP 1: Click Administration > Authentication. The Authentication (Certificates) window opens.

STEP 2: For each type of certificate, perform the following actions, as needed:

• To add a certificate, click Upload. You can upload the certificate from the PC or the USB device. Click Browse, find and select the certificate, and then click Upload.

• To delete a certificate, check the box to select the certificate, and then click Delete.

• To download the router's certificate (.pem file), click the Download button under the Download Settings area.

STEP 3: To request a certificate from the CA, click Generate CSR. The Generate Certification Signing Request window opens.

a. Enter the distinguished name information in the Generate Self Certificate Request fields.

• Name: Unique name used to identify a certificate.

• Subject: Name of the certificate holder (owner). The subject field populates the CN (Common Name) entry of the generated certificate and can contain these fields:

- CN=Common Name
- O=Organization
- OU=Organizational unit
- L=Locality
- ST=State
- C=Country

For example: CN=router1, OU=my_dept, O=my_company, L=SFO, C=US

Whatever name you choose will appear in the subject line of the generated CSR. To include more than one subject field, enter each subject separated by a comma. For example: CN=hostname.domain.com, ST=CA, C=USA

• Hash Algorithm: Algorithm used by the certificate. Choose between MD5 and SHA-1.

• Signature Algorithm: Algorithm (RSA) used to sign the certificate.

• Signature Key Length: Length of the signature, either 512 or 1024.

• (Optional) IP Address, Domain Name, and Email Address

b. Click Generate. A new certificate request is created and added to the Certification Signing Request (CSR) table. To view the request, click the View button next to the certificate you just created.

Or you can check it at the following link; please see page 191:

http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf

I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.

Thank you


SA520 Wildcard SSL Certificate?

There are two problems here.

1) There is a bug in your firmware that prevents the upload of some certificates from public CAs. You can read about it in my previous post and link. However, it seems Cisco has fixed it in the new firmware for the rw220; I have seen it was addressed in the release notes, but I have not tried it since I already got myself a working SSL cert from GoDaddy. Most likely your firmware does not include the fixes.

2) Your firmware can't handle more than 1024 bits encryption. Since none of the major CAs will sign anything lower than 2048 bits, you will have little to no luck getting your CSR request signed. 1024 bits is considered weak, and therefore since the start of 2012 all big CAs will only supply 2048-bit signing.

So basically, even if you managed to find a CA that "could" work with the bug in the firmware from #1, you will most likely never get 1024-bit encryption since it's not supported any more. Sorry to say it, but basically you are screwed until Cisco manages to fix the firmware to include the bug fix and support for 2048-bit encryption.

If you need a public SSL certificate I would change my firewall straight away, unless Cisco staff can give you an ETA on a working firmware. The change to 2048 bits was made around January. Now one would think that Cisco would provide the 2048-bit support before all major CAs stopped the 1024-bit signing. I bet most of the support staff don't even know this. It's easy to point one to a FAQ or support doc, but without even knowing that, it won't work in your case. Most likely they have not even tried doing a public CA request, since then they would know this.
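The CSR procedure in the Cisco reply above and the 1024-bit versus 2048-bit discussion in this post, as an added OpenSSL example that is not from the thread or from Cisco: it builds a CSR with the same subject fields the SA500 GUI asks for, reads the RSA key length back out of a CSR or an issued certificate file, and checks it against the 1024-bit limit reported for the appliance so a mismatch is caught before the upload fails. The scratch directory, function names and the self-signing stand-in for the CA are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): OpenSSL equivalent of the
# SA500 "Generate CSR" step, plus a key-length check against the 1024-bit
# limit the thread reports for the appliance. Directory and function names
# are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/sa500-csr-demo"   # assumed scratch directory
mkdir -p "$WORK"

# make_csr BITS SUBJECT: generate an RSA key of BITS and a CSR whose subject
# mirrors the GUI fields (C, ST, L, O, OU, CN); prints the CSR path.
make_csr() {
    bits="$1"; subj="$2"
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
        -out "$WORK/key-$bits.pem" 2>/dev/null
    # SHA-256 is used here; the SA500 GUI itself only offers MD5 or SHA-1.
    openssl req -new -sha256 -key "$WORK/key-$bits.pem" -subj "$subj" \
        -out "$WORK/req-$bits.csr"
    printf '%s\n' "$WORK/req-$bits.csr"
}

# self_sign CSR BITS: stand-in for the CA, so an issued-certificate file can
# be inspected the same way as the CSR; prints the certificate path.
self_sign() {
    openssl x509 -req -in "$1" -signkey "$WORK/key-$2.pem" -days 1 \
        -out "$WORK/cert-$2.pem" 2>/dev/null
    printf '%s\n' "$WORK/cert-$2.pem"
}

# pem_key_bits FILE: print the RSA modulus length of a CSR or a certificate.
pem_key_bits() {
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then
        openssl req -in "$1" -noout -text
    else
        openssl x509 -in "$1" -noout -text
    fi | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# fits_limit FILE MAXBITS: succeed only if the key is within MAXBITS (what the
# appliance accepts); fail for the 2048-bit keys public CAs now require.
fits_limit() {
    [ "$(pem_key_bits "$1")" -le "$2" ]
}
```

Run `pem_key_bits` on the certificate a CA returns before uploading it; a value above the appliance limit explains an upload rejection without a support case.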

SA520 Wildcard SSL Certificate?

I agree. This device has been a disaster since the first day. Had to jump through hoops to get it working and now it won't accept a secure SSL certificate.
