    Installing wildcard certificate - error

    Dani Petrov

      Hello guys, long time no see.


      I'm not quite sure whether I'm posting in the right thread, so please correct me if I'm wrong.


      Anyway, the problem is as the subject says: a problem with the installation of a wildcard certificate on a Cisco ASA 5520 (VPN Plus license). Software version is 8.2(2).

      I noticed two issues. We've bought a wildcard certificate for our domains example.com and example.org. The certificate provider is GeoTrust.


      The first problem is that I'm unable to install the complete certificate chain. If I install the Root CA of GeoTrust, I'm unable to install the subordinate CA, which has actually signed my cert, within the same trustpoint. The warning message says "WARNING: Trustpoint GeoTrustRA is already authenticated." (This happens when I try to install the subordinate CA, which sits between the RA and my certificate, within the same trustpoint as the RA certificate.)


      The second problem is the actual problem, however. When I try to install the wildcard certificate (PKCS12, with the password 10000% correct) using ASDM, I get the following error (actually I intentionally typed the wrong password and received exactly the same error):




      Here is the setup of the CA. As you can see, both certificates, which must rely on the same trustpoint as a chain, are split across two trustpoint configurations:




      I tried debug crypto ca 255 but there is nothing interesting in the log file.

      If I try to add the subordinate certificate within the trustpoint where the RA is installed, I get the following error:




      When I try to manually install the wildcard certificate from the CLI (it's in Base64 format), I receive the following error:


      CLI Issue

      vpngw2(config)# crypto ca import GeoTrust pkcs12 password_here


      Enter the base 64 encoded pkcs12.

      End with the word "quit" on a line by itself:

      -----BEGIN CERTIFICATE-----




      -----END CERTIFICATE-----


      ERROR: Import PKCS12 operation failed


      Any thoughts, ideas, questions - whatever - are more than welcome!
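As an added illustration (not part of the original post), a small Python pre-check for the CLI import step: crypto ca import <trustpoint> pkcs12 expects base64-encoded PKCS#12, while the block pasted above is labelled CERTIFICATE. The check tells the two apart by their DER structure before anything is pasted into the ASA. The sample blobs are constructed skeletons, not real certificates or keys.

```python
import base64
import re

def _der_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_blob(text):
    """Classify pasted base64/PEM text as 'pkcs12', 'certificate' or 'unknown'.

    Both a PKCS#12 PFX and an X.509 certificate are an outer DER SEQUENCE, but
    PFX starts with INTEGER version 3 while a certificate starts with the
    tbsCertificate SEQUENCE. PEM armour lines, if present, are stripped first.
    """
    m = re.search(r"-----BEGIN [A-Z0-9 ]+-----(.*?)-----END [A-Z0-9 ]+-----", text, re.S)
    body = m.group(1) if m else text
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        outer_tag, start, _ = _der_tlv(der, 0)
        inner_tag, v0, v1 = _der_tlv(der, start)
    except (ValueError, IndexError):        # not base64, or truncated DER
        return "unknown"
    if outer_tag != 0x30:
        return "unknown"
    if inner_tag == 0x02 and der[v0:v1] == b"\x03":
        return "pkcs12"
    if inner_tag == 0x30:
        return "certificate"
    return "unknown"

def ok_for_pkcs12_import(text):
    """True only if the blob is what 'crypto ca import <tp> pkcs12' expects."""
    return classify_blob(text) == "pkcs12"

# Constructed sample inputs (not from the post): minimal DER skeletons carrying
# only the outer structure the classifier inspects, not real certificates/keys.
SAMPLE_PKCS12_B64 = base64.b64encode(bytes.fromhex("30050201033000")).decode()
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(bytes.fromhex("30023000")).decode()
                   + "\n-----END CERTIFICATE-----")

if __name__ == "__main__":
    for name, blob in (("pkcs12 blob", SAMPLE_PKCS12_B64), ("PEM cert", SAMPLE_CERT_PEM)):
        print(f"{name}: {classify_blob(blob)}, import OK: {ok_for_pkcs12_import(blob)}")
```

A blob that classifies as "certificate" will never import via the pkcs12 command, whatever password is given; a real PKCS#12 bundle (cert, key and chain) has to be built first and then base64-encoded for the paste prompt.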