0 Replies. Latest reply: Jul 5, 2011 1:06 AM by Dani Petrov

    Installing wildcard certificate - error

    Dani Petrov

      Hello guys, long time no see.

      I'm not quite sure whether I'm posting in the right thread, so please correct me if I'm wrong.

      Anyway, the problem is as the subject says: a problem with the installation of a wildcard certificate on a Cisco ASA 5520 (VPN Plus license). Software version is 8.2(2).

      I noticed two issues. We've bought a wildcard certificate for our domains example.com, example.org. The certificate provider is GeoTrust.

      The first problem is that I'm unable to install the complete certificate chain. If I install the Root CA of GeoTrust, I'm unable to install the subordinate CA, which has actually signed my cert, within the same trustpoint. The warning message says "WARNING: Trustpoint GeoTrustRA is already authenticated." (This happens when I try to install the subordinate CA, which sits between the RA and my certificate, within the same trustpoint as the RA certificate.)

      The second problem is the actual problem, however. When I try to install the wildcard certificate (PKCS12, with 10000% of password) using ASDM, I get the following error (actually, I intentionally typed the wrong password and I receive absolutely the same error):

      asa_issue1.jpg

      Here is the setup of the CA. As you can see, both certificates, which must rely on the same trustpoint as a chain, are divided into two trustpoint configurations:

      asa_issue2.jpg

      I tried debug crypto ca 255, but there is nothing interesting in the log file.

      If I try to add the subordinate certificate within the trustpoint where the RA is installed, I get the following error:

      asa_issue3.jpg

      When I try to manually install the wildcard certificate from the CLI (it's in Base64 format), I receive the following error:

      CLI Issue

      vpngw2(config)# crypto ca import GeoTrust pkcs12 password_here

      Enter the base 64 encoded pkcs12.
      End with the word "quit" on a line by itself:
      -----BEGIN CERTIFICATE-----
      MIIEhjCCA26gAwIBAgICekswDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
      [cut]
      RPg4gnOGlySGVA==
      -----END CERTIFICATE-----
      quit
      ERROR: Import PKCS12 operation failed

      Any thoughts, ideas, questions, whatever, are more than welcome!
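A sanity check worth running before the CLI import above, added here as an example (it is not from the original post and not a Cisco tool): crypto ca import ... pkcs12 expects a base64-encoded PKCS#12 bundle, but the pasted blob carries a BEGIN CERTIFICATE header, and its leading bytes decode to an X.509 certificate structure rather than a PFX. The stdlib-only Python below strips any PEM armor, base64-decodes the text and reports what the outer ASN.1 structure is, so a certificate, a private key, a PKCS#7 chain and a PKCS#12 can be told apart before anything is pasted into the ASA; the function names and classification rules are mine, and the rules are a heuristic on the first few DER tags only.

```python
import base64
import re
# Constructed sample: the first base64 line the poster pasted (the rest is cut in the post).
PASTED_CLI_INPUT = """-----BEGIN CERTIFICATE-----
MIIEhjCCA26gAwIBAgICekswDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
-----END CERTIFICATE-----"""
# Constructed leading bytes of a PKCS#12 PFX (SEQUENCE { INTEGER 3, ... }) and of a
# PKCS#8 PrivateKeyInfo (SEQUENCE { INTEGER 0, ... }), base64-encoded as the ASA expects.
PKCS12_HEADER_B64 = base64.b64encode(b"\x30\x82\x10\x00\x02\x01\x03\x30\x82\x0f\xf6").decode()
PKCS8_HEADER_B64 = base64.b64encode(b"\x30\x82\x04\xbd\x02\x01\x00\x30\x0d").decode()

def _tlv(buf, pos):
    # Return (tag, body_start) of the DER TLV at pos; only tags are read, so a cut-off body is fine.
    body = pos + 2
    if buf[pos + 1] & 0x80:            # long-form length: skip the length octets
        body += buf[pos + 1] & 0x7F
    return buf[pos], body

def _unarmor(text):
    """Drop PEM BEGIN/END lines and whitespace; return (armor label or None, base64 text)."""
    label, chunks = None, []
    for line in text.splitlines():
        m = re.fullmatch(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----", line.strip())
        if m:
            label = m.group(2) if m.group(1) == "BEGIN" else label
            continue
        chunks.append(line.strip())
    return label, "".join(chunks)

def _classify_der(der, label):
    if der[0] != 0x30:
        return "not a DER SEQUENCE"
    inner, inner_body = _tlv(der, _tlv(der, 0)[1])
    if inner == 0x02:                  # INTEGER version first: PFX (v3) or a bare private key (v0)
        version = der[inner_body]
        return "PKCS#12 PFX (version 3)" if version == 3 else "private key (PKCS#8/PKCS#1, version %d)" % version
    if inner == 0x06:                  # OBJECT IDENTIFIER first: PKCS#7/CMS ContentInfo (e.g. a .p7b chain)
        return "PKCS#7/CMS ContentInfo"
    if inner == 0x30 and _tlv(der, inner_body)[0] == 0xA0:   # tbsCertificate starts with [0] version
        return "X.509 certificate"
    return "unrecognized structure (PEM label: %s)" % label

def classify_blob(text):
    # Heuristic: name the outer ASN.1 structure of a base64 blob, with or without PEM armor.
    label, b64 = _unarmor(text)
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:                 # binascii.Error is a ValueError subclass
        return "not valid base64"
    try:
        return _classify_der(der, label)
    except IndexError:                 # ran off the end before the inner tags were visible
        return "too short to classify"
```

Running classify_blob on the pasted text reports "X.509 certificate"; a real PFX export (openssl pkcs12 -export output, base64-encoded without any PEM header lines) reports "PKCS#12 PFX (version 3)".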