
New Member

Failed to parse or verify imported certificate - ASA 5505 8.3(1)

Trying to install Starfield Tech SSL certificate on my ASA 5505 8.3(1).

 

I believe I installed the appropriate intermediate and root certificates, but getting "failed to parse or verify imported certificate" error when trying to import the SSL

17 REPLIES

After beating my head against

After beating my head against the wall with this a few times with this sort of thing, I found a good shortcut.

I import the certificate into a Windows machine (ensuring that the private key is marked as exportable) and verify that the certificate path is valid in the certificate manager. If I need to import certificates, I do it here until the issued certificate path is good. Once this is done, I re-export the certificate and private key into a new PKCS12 file, including the root and intermediary certificates. This produces a single file that can be imported into an ASA or IOS router and works flawlessly because everything the unit needs is present in one file.

Be sure to delete the certificate from the Windows machine when you're done exporting the certificate set.

New Member

So generate the CSR on the

So generate the CSR on the ASA itself...

 

get the two certs from Godaddy (my CA)

 

Import them into the computer, then export to PKCS12?

Yes, although most of the

Personally, I generate the CSR on the Windows box and process everything from there, just because its interface is simpler. Windows also tends to have the root and the intermediary certificates installed already. Just make sure that you include the complete certificate chain when you do the export.

New Member

Exporting as PKCS12 is greyed

Exporting as PKCS12 is greyed out for some reason....

Sorry. I missed a piece. I

Sorry. I missed a piece. I didn't read that you were generating the CSR on the ASA. See my previous comment which I had edited in the hope that I would be finished by the time you read it. :)

New Member

still getting an error, but

Still getting an error, but now a new one.

"Error Import PKCS12 operation failed"

Can you turn up the debugging

Can you turn up the debugging on the certificate import and let me know what it's complaining about?

New Member

What's the command to do that

What's the command to do that?

Let me recap what I've done

 

Deleted all crypto RSA keys on the ASA except the default

Deleted all trustpoints except for 0

Installed IIS on my Windows 7 computer

Generated CSR from Windows 7, had the cert rekeyed with 3rd-party CA (GoDaddy)

Downloaded zip

Imported intermediate cert

Completed CSR in IIS

Exported cert to PFX including all certs in chain and private key

Attempted to import into ASA..no dice

I'll have to look up the

I'll have to look up the commands for that when I get back to the office, but it sounds like you have it all correct.

ASA units don't like to import certificates for which they don't have a trust chain, so we're simplifying things by giving it a PKCS12 file with the entire trust chain included. This normally works flawlessly.

Will be back in touch later today.

New Member

I sincerely appreciate your

I sincerely appreciate your assistance, Jody

New Member

Jody, Did you get a chance to

Jody,

 

Did you get a chance to look into this further?

 

thanks,

 

Paul

New Member

I gave GoDaddy a call after

I gave GoDaddy a call after beating my head against the wall on this too.

 

As it turns out, in this particular case, the issue was caused by the fact that I ordered a 3 yr SSL Cert from the CA, but their Intermediate cert only allows for 2 year.

 

Had to revoke the original certificate, get refunded, generate new CSR, purchase 2 year cert from CA, and all was well.

That might have taken a bit

That might have taken a bit more extensive debugging than I anticipated. I'm glad you've got it covered.

Sorry for the delay getting back to you. Office was closed yesterday and I was away from Internet access. Because of this, Monday afternoon became busy with requests that needed to be covered before the end of the day.

New Member

Hey no worries at all. I

Hey no worries at all.

 

I should have mentioned that GD allowed me to also downgrade the SSL to SHA-1 if you will. 

 

However, since I thought it might just have been the number of years on the SSL I tried to use SHA-2 with no success.

 

So, problem was either the SHA-1 vs SHA-2 (with SHA-1 being the only "good" type to use), or both that and the # of years on the cert.

 

Again the ASA version was 8.3(1). Hope this helps someone else down the road.

 

Kind of disappointing because we were migrating to SSL VPN because IPSEC VPN client was no longer cutting mustard for PCI-DSS. I'm about 95% sure SHA-1 won't pass PCI-DSS scans either....

I suspect it was SHA2 rather

I suspect it was SHA2 rather than the certificate length. Full SHA2 support wasn't introduced in the ASA platform until 8.4.2. It may be time to consider a software upgrade.
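The thread's working method is to hand the ASA one PKCS12 file containing the private key, the issued certificate and the whole trust chain, and its two root causes were a leaf certificate whose lifetime exceeded that of the issuing intermediate and a SHA-2 signature on an 8.3(1) unit. The following is an added example, not code from the thread or from Cisco, that runs those checks on a PKCS12 bundle before it is imported. It assumes the third-party `cryptography` package; the certificate chain it builds is constructed demo data, and the per-release hash table is taken from the thread's statements (SHA-1 only on 8.3(1), SHA-2 from 8.4(2)) rather than from Cisco documentation.

```python
"""Pre-flight check of a PKCS#12 bundle before handing it to an ASA.

Added example, not code from the thread or from Cisco. It assumes the
third-party `cryptography` package. It builds a constructed demo chain
(root -> intermediate -> leaf), packs it into one PKCS#12 file with the
full chain as the thread recommends, then checks the two failure causes
the thread reports: a leaf whose validity outlives its intermediate, and a
signature hash the target ASA release does not accept.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# Assumption taken from the thread, not from Cisco documentation:
# 8.3(1) only accepts SHA-1 signatures, SHA-2 support arrives in 8.4(2).
ASA_SUPPORTED_HASHES = {
    "8.3(1)": {"sha1"},
    "8.4(2)": {"sha1", "sha224", "sha256", "sha384", "sha512"},
}


def _not_after(cert):
    """Timezone-aware notAfter that works on old and new cryptography releases."""
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware if aware is not None else cert.not_valid_after.replace(tzinfo=timezone.utc)


def _find_issuer(cert, candidates):
    """Return the candidate whose subject matches and whose key verifies the signature."""
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        try:
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
            return cand
        except InvalidSignature:
            continue
    return None


def check_bundle(p12_bytes, password, asa_version="8.3(1)"):
    """Return a list of problems; an empty list means the bundle should import cleanly."""
    key, leaf, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    problems = []
    if key is None:
        problems.append("bundle carries no private key")
    extra = list(extra or [])
    cert = leaf
    # Walk leaf -> intermediate(s) -> root using only what is inside the bundle,
    # since that is all the ASA will have at import time.
    for _ in range(len(extra) + 1):
        if cert.issuer == cert.subject:  # reached a self-signed root
            break
        issuer = _find_issuer(cert, extra)
        if issuer is None:
            problems.append("no issuer in bundle for " + cert.subject.rfc4514_string())
            break
        if _not_after(cert) > _not_after(issuer):  # the 3-year-leaf / 2-year-intermediate case
            problems.append(cert.subject.rfc4514_string() + " outlives its issuer "
                            + issuer.subject.rfc4514_string())
        cert = issuer
    else:
        problems.append("chain does not terminate in a self-signed root")
    hash_name = leaf.signature_hash_algorithm.name
    if hash_name not in ASA_SUPPORTED_HASHES[asa_version]:
        problems.append(f"leaf signed with {hash_name}, not accepted on ASA {asa_version}")
    return problems


def _make_cert(cn, key, days, is_ca, hash_alg, issuer=None, issuer_key=None):
    """Constructed demo certificate; self-signed when issuer is None."""
    now = datetime.now(timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer.subject if issuer is not None else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key if issuer_key is not None else key, hash_alg)
    )


def build_demo_bundle(leaf_days, password=b"changeit"):
    """Root (10 years) -> intermediate (2 years) -> leaf (leaf_days), all SHA-256 signed."""
    root_key, int_key, leaf_key = (
        rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(3))
    root = _make_cert("Demo Root CA", root_key, 3650, True, hashes.SHA256())
    inter = _make_cert("Demo Intermediate CA", int_key, 730, True, hashes.SHA256(), root, root_key)
    leaf = _make_cert("vpn.example.test", leaf_key, leaf_days, False, hashes.SHA256(), inter, int_key)
    # One file with key, leaf and the whole chain, as the Windows export in the thread produces.
    return pkcs12.serialize_key_and_certificates(
        b"asa-ssl", leaf_key, leaf, [inter, root],
        serialization.BestAvailableEncryption(password))


if __name__ == "__main__":
    three_year = build_demo_bundle(1095)
    print("3-year leaf on 8.3(1):", check_bundle(three_year, b"changeit"))
    print("3-year leaf on 8.4(2):", check_bundle(three_year, b"changeit", "8.4(2)"))
    print("Leaf inside intermediate lifetime on 8.4(2):",
          check_bundle(build_demo_bundle(700), b"changeit", "8.4(2)"))
```

To use it on a real export, read the PFX produced by the Windows certificate manager and call `check_bundle(data, password, asa_version)` for the release actually running on the unit; an empty list means the chain is complete, properly nested in time, and signed with a hash the table lists for that release. The chain walk relies only on certificates inside the bundle on purpose, because that mirrors what the ASA sees when it parses the file.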

New Member

Agreed....trying to convince

Agreed....trying to convince client of that as well and working on getting price for smartnet

SMARTnet isn't too expensive

SMARTnet isn't too expensive for those units. 8x5xNBD service for one year on the ASA 5505 50-user bundle, for example, can be had for around the US$100 range at various on-line shops.

If you need to find the right SMARTnet for the unit the customer has, just find the part number that the customer originally purchased and look it up on http://www.cisco-servicefinder.com to get the part number that you need to order.
