Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))
I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR: A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
When I try to import the certificate I receive the following error:
crypto ca import vpn.trustpoint certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
ERROR: Failed to parse or verify imported certificate
- Does any one of you have any pointers in regards to what is going wrong?
- Especially in regards to fqdn and CN, I also have a question. My config
would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
So do you have insight or pointers which might help me?
I think this is related to the private key you generate at the beginning.
Wildcard has one private key - so for all devices on which you are using it, you have to export this key. So also to the ASA. But you create a new one on the ASA -> crypto key generate rsa label vpn.company.dk modulus 2048.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...