Trying to install a Starfield Tech SSL certificate on my ASA 5505 8.3(1).
I believe I installed the appropriate intermediate and root certificates, but I'm getting a "failed to parse or verify imported certificate" error when trying to import the SSL certificate.
After beating my head against the wall a few times with this sort of thing, I found a good shortcut.
I import the certificate into a Windows machine (ensuring that the private key is marked as exportable) and verify that the certificate path is valid in the certificate manager. If I need to import certificates, I do it here until the issued certificate path is good. Once this is done, I re-export the certificate and private key into a new PKCS12 file, including the root and intermediary certificates. This produces a single file that can be imported into an ASA or IOS router and works flawlessly because everything the unit needs is present in one file.
Be sure to delete the certificate from the Windows machine when you're done exporting the certificate set.
Personally, I generate the CSR on the Windows box and process everything from there, just because its interface is simpler. Windows also tends to have the root and the intermediary certificates installed already. Just make sure that you include the complete certificate chain when you do the export.
Sorry. I missed a piece. I didn't read that you were generating the CSR on the ASA. See my previous comment which I had edited in the hope that I would be finished by the time you read it. :)
What's the command to do that?
Let me recap what I've done
Deleted all crypto RSA keys on the ASA except the default
Deleted all trustpoints except for 0
Installed IIS on my Windows 7 computer
Generated CSR from Windows 7, had the cert rekeyed with the 3rd-party CA (GoDaddy)
Imported intermediate cert
Completed CSR in IIS
Exported cert to PFX including all certs in chain and private key
Attempted to import into the ASA... no dice
I'll have to look up the commands for that when I get back to the office, but it sounds like you have it all correct.
ASA units don't like to import certificates for which they don't have a trust chain, so we're simplifying things by giving it a PKCS12 file with the entire trust chain included. This normally works flawlessly.
Will be back in touch later today.
I gave GoDaddy a call after beating my head against the wall on this too.
As it turns out, in this particular case, the issue was caused by the fact that I ordered a 3 yr SSL cert from the CA, but their intermediate cert only allows for 2 years.
Had to revoke the original certificate, get refunded, generate new CSR, purchase 2 year cert from CA, and all was well.
That might have taken a bit more extensive debugging than I anticipated. I'm glad you've got it covered.
Sorry for the delay getting back to you. Office was closed yesterday and I was away from Internet access. Because of this, Monday afternoon became busy with requests that needed to be covered before the end of the day.
Hey no worries at all.
I should have mentioned that GD allowed me to also downgrade the SSL to SHA-1 if you will.
However, since I thought it might just have been the number of years on the SSL, I tried to use SHA-2 with no success.
So, problem was either the SHA-1 vs SHA-2 (with SHA-1 being the only "good" type to use), or both that and the # of years on the cert.
Again the ASA version was 8.3(1). Hope this helps someone else down the road.
Kind of disappointing because we were migrating to SSL VPN because the IPSEC VPN client was no longer cutting the mustard for PCI-DSS. I'm about 95% sure SHA-1 won't pass PCI-DSS scans either....
I suspect it was SHA2 rather than the certificate length. Full SHA2 support wasn't introduced in the ASA platform until 8.4.2. It may be time to consider a software upgrade.
SMARTnet isn't too expensive for those units. 8x5xNBD service for one year on the ASA 5505 50-user bundle, for example, can be had for around the US$100 range at various on-line shops.
If you need to find the right SMARTnet for the unit the customer has, just find the part number that the customer originally purchased and look it up on http://www.cisco-servicefinder.com to get the part number that you need to order.
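The workflow the thread converges on (one PKCS#12 file carrying the private key, the issued certificate and the complete chain, handed to the ASA as base64) together with the three things that tripped the original poster (does the chain actually validate, which signature algorithm each certificate carries, and whether the server certificate expires after the intermediate that issued it), as an added shell example built on the openssl CLI. This is not code from the thread or from Cisco or GoDaddy: it constructs a throwaway root CA, intermediate and server certificate locally in place of the real chain, and the trustpoint name VPN-TP, the passphrase and the hostname are invented. The ASA-side commands in the trailing comment are the 8.x CLI as I recall it; confirm them against the release's command reference before relying on them.

```shell
#!/bin/sh
# Added example: build a PKCS#12 bundle (key + issued cert + full chain) for an
# ASA import and run the checks this thread points at. Requires the openssl CLI.
# The root CA, intermediate and server cert below are constructed for the
# example, standing in for a real CA chain.
set -eu

WORK=${WORK:-$(mktemp -d)}
PASS=${PASS:-changeit}   # assumed export passphrase; reused in "crypto ca import ... pkcs12"

# issue <name> <subject> <issuer|self> <extensions> <days>: make a key + CSR, sign it.
issue() {
    name=$1 subj=$2 issuer=$3 ext=$4 days=$5
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    printf '%s\n' "$ext" > "$WORK/$name.ext"
    if [ "$issuer" = self ]; then
        openssl x509 -req -sha256 -days "$days" -in "$WORK/$name.csr" \
            -signkey "$WORK/$name.key" -extfile "$WORK/$name.ext" \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -sha256 -days "$days" -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# make_chain [leaf_days]: root (10 y) -> intermediate (2 y) -> server cert.
# Pass 1095 to reproduce the "3-year cert under a 2-year intermediate" case.
make_chain() {
    issue root  '/CN=Example Root CA' self \
        'basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign' 3650
    issue inter '/CN=Example Intermediate CA' root \
        'basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign' 730
    issue leaf  '/CN=vpn.example.test' inter \
        'basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=DNS:vpn.example.test' "${1:-365}"
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# One file with everything the ASA needs. The SHA-1/3DES PBE settings are the
# PKCS#12 *wrapping*, which old firmware can parse; they have nothing to do with
# the signature algorithm on the certificates themselves.
build_p12() {
    openssl pkcs12 -export -name vpn-cert \
        -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" -certfile "$WORK/chain.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PASS" -out "$WORK/bundle.p12"
    openssl base64 -in "$WORK/bundle.p12" -out "$WORK/bundle.p12.b64"
}

# Check 1: number of certificates in the bundle (expect leaf + intermediate + root = 3).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/bundle.p12" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Check 2: the leaf must validate through the intermediate up to the root.
chain_ok() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Check 3: signature algorithm of one certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Check 4: the leaf must not expire after the intermediate that issued it.
not_after_epoch() {
    d=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -d "$d" +%s 2>/dev/null || date -j -f '%b %e %T %Y %Z' "$d" +%s
}
leaf_outlives_issuer() {
    [ "$(not_after_epoch "$WORK/leaf.pem")" -gt "$(not_after_epoch "$WORK/inter.pem")" ]
}

make_chain 365
build_p12
echo "certificates in bundle: $(p12_cert_count)"
chain_ok && echo "chain verifies to the root"
for c in leaf inter root; do echo "$c signature: $(sig_alg "$WORK/$c.pem")"; done
if leaf_outlives_issuer; then echo "WARNING: leaf expires after its intermediate"; fi
echo "paste the contents of $WORK/bundle.p12.b64 into the ASA"
# ASA side (8.x CLI from memory; confirm against the command reference):
#   crypto ca import VPN-TP pkcs12 changeit   <- paste the base64, finish with "quit"
#   ssl trust-point VPN-TP outside
```

Run it as-is to get a bundle whose chain validates; run `make_chain 1095` afterwards and `leaf_outlives_issuer` returns true, which is the condition behind the 3-year order that GoDaddy had to revoke. The PBE options matter on old firmware: current OpenSSL releases default to AES and SHA-256 for the PKCS#12 wrapping, and a device that cannot parse that reports a parse failure that looks just like a bad chain.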