Solved: Cannot import Wildcard Cert on ASA

Dan Jay · ‎10-21-2014

Dear all,

I'm in the process of implementing a GoDaddy Wildcard (*.mydomain.mytld) cert for a number of boxes amongst which there is our ASA. I have scrapped the old certs and did some housekeeping on their trustpoints etc, resulting in a pretty much clean config. ( I'm on 8.3).

I needed to enroll for the cert from a different box (Exchange 2010) and I exported the cert into cisco-pasteable CER format to have it ready for further deployment onto the ASA. Following is what I did (with cry ca debugging on), resulting in failure to import the wildcard cert. Can someone shed some light on what I'm doing wrong ? What I did was basically setup TP's for root and intermediate and then import the actual device cert.

Setup two trustpoints for RootCA and Intermediate TP:

gate0(config)# crypto ca trustpoint gdroot
gate0(config-ca-trustpoint)# enrollment terminal
gate0(config-ca-trustpoint)# revo none
---------

gate0(config)# crypto ca trustpoint gdinter
gate0(config-ca-trustpoint)# enroll terminal
gate0(config-ca-trustpoint)# fqdn mydomain.tld

----------------

Authenticate these:

gate0(config)# cry ca authenticate gdroot
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint: [snip]
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Current Certificate list contents:
Certificate 1:
SERIAL: 00
ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
CRYPTO_PKI: crypto_process_ra_certs(trust_point=gdroot)

gate0(config)# cry ca authenticate gdinter
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint: [snip]
Do you accept this certificate? [yes/no]: yes

Trustpoint 'gdinter' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.

% Certificate successfully imported
gate0(config)# CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0301, subject name: serialNumber=07969287,cn=Go Daddy Secure Certification Authority,ou=http://certificates.godaddy.com/repository,o=GoDaddy.com\, Inc.,l=Scottsdale,st=Arizona,c=US, issuer name: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US .

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Current Certificate list contents:
Certificate 1:
SERIAL: 0301
ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
Certificate 2:
SERIAL: 00
ISSUER: ou=Go Daddy Class 2 Certification Authority,o=The Go Daddy Group\, Inc.,c=US
CRYPTO_PKI: crypto_process_ra_certs(trust_point=gdinter)

Import the "device" wildcard cert:

crypto ca import gdinter cer
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: mydomain.tld

Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit

ERROR: Failed to parse or verify imported certificate
CRYPTO_PKI: can not set ca cert object (0x722)
CRYPTO_PKI: status = 65535: failed to get key usage from cert

Marvin Rhoads · ‎10-21-2014

You may be seeing an issue due to not having generated the CSR on the ASA (with the ASA's private key) since you're using a wildcard cert.

There's a document here that explains how to get around that.

View solution in original post

Marvin Rhoads · ‎10-21-2014

You may be seeing an issue due to not having generated the CSR on the ASA (with the ASA's private key) since you're using a wildcard cert.

There's a document here that explains how to get around that.

Dan Jay · ‎10-22-2014

Hi Marvin,

still no joy.

what I did was:

Grabbing the pfx off the source box (IIS)
Extracting the private key and certs out of the PFX using openSSL
Joining the parts into bundle.p12 using openSSL and base64-encoded it
Tried to paste it into the ASA -> ERROR: Import PKCS12 operation failed

Can you think of anything I may have done wrong ?

Dan Jay · ‎11-06-2014

Marvin,

after 8.x -> 9.x and upgrading evrything else, it works. I knew I was outdated.

Next job: Finding out why the Anyconn warns about a cert name not matching even though the webGUI comes up w/o such errors and shows the correct cert......

Marvin Rhoads · ‎11-06-2014

You tell remote access VPN to use the certificate separate from ASDM using it.

"ssl trustpoint" is the relevant line in the configuration.

Dan Jay · ‎11-07-2014

Yep, but the culprit was:

I did enter both the IP and the hostname in the .xml which in turn resulted that the ip would not authenticte while the fqdn would. I did that to make sure it works even in case of DNS issues on the client. I removed the IP and we're up and running.

Kudos & Thanks for your help, Marvin.

Dan

EDIT:

To anyone else reading this, I did exactly what marvin suggested, save that I was still on 8.x resulting in failure to import the cert which I prepared according to the process in the linked discussion. What I finally did was to upgrade to ASA 9.x latest and repeat it, resulting in the ASA nicely chewing everything up.

mb0587 · ‎09-02-2016

Hi, I had this same issue and after a lot of investigation I've made it work.

The issue is that the ASA expects to have the certificate in pkcs(.p12) format encoded with base64

you just need to take your .pfx file and encode in base64 with the following command

#openssl base64 -in xxxxx.pfx > xxxxx.base64

Then you need to open the file and add the PKCS Header and footer just copy and paste it without leaving any space.

-----BEGIN PKCS12-----
-----END PKCS12-----

The end result would be like this:

-----BEGIN PKCS12-----
yH54bCdLWTlWGhXnPC9pGpL9aXGgsmQV/odoxbEa+fZiDpLL+ZRrN2Up7onCC53l
4Qoh76ju/j9vMlRIE5bAUvMqsCl50CP//C50IuSTvBWyN1/M0RclwK4D7wtwGWfz
.................
.................
m3MylWIXt83bP45nzCqmMKc1aiOVbdQQo8M7MSUwIwYJKoZIhvcNAQkVMRYEFDLo
hsQ3m0hoYwLODqBXBpfpM7mWMDEwITAJBgUrDgMCGgUABBR1pxMEpEZwWkvnJauW
9UvnuP403wQIyRcfzvL8incCAggA
-----END PKCS12-----

Now you have your certificate ready for importing it into the ASA. Execute:

crypto ca certificate [your truspoint name you want] pkcs12 [pkcs12 password]

My example

ASA(config)# crypto ca certificate wildcard.brato.local pkcs12 1234567890
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:

-----BEGIN PKCS12-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END PKCS12-----
quit

INFO: Import PKCS12 operation completed successfully

Verify that the truspoint was created:
ASA(config)# show crypto ca trustpoints BRATO

Trustpoint BRATO:
Not authenticated.

Verify that the key was created:
ASA(config)# show crypto key mypubkey rsa | b BRATO
Key name: BRATO
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

The last step is to add the root and the intermediate certifcates to the chain. That is why you have a NOT AUTHENTICATED truspoint.
You need to encode your certificates chain with base64 again. Remember that on the certificate chain you need to form the chain in the issuing order:

CERT INTERMEDIATE
CERT ROOT1
CERT ROOT2
CERT ETC.

you will end with something like this:

-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----

Execute:

crypto ca truspoint BRATO
enrollment terminal
exit
crypto ca authenticate BRATO
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself

MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB

Certificate has the following attributes:
Fingerprint: xxxxxxx xxxxxxxx xxxxxxx xxxxx
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

ASA(config)# show crypto ca trustpoint BRATO
Trustpoint BRATO:
Subject Name:
cn=brato-DC-CA
dc=brato
dc=local
Serial Number: gglfshlkahfklsahflkhaslkf
Certificate configured.