Robert Davis
asked on
Cannot Import Intermediate SSL Cert on Cisco Router
We are having a problem installing an SSL certificate from GeoTrust in our Cisco 1811 for the AnyConnect VPN to use. The instructions seem about the same for Cisco router IOS and ASA, but we are having problems installing the intermediate key. All the documentation I find says to "just install the intermediate key first". But I'm afraid I don't understand what that means; trying to apply the intermediate key seems to change nothing.
Here's the order we are trying, using the following commands:
crypto ca trustpoint VPN-Trustpoint
 enrollment terminal pem
 crl optional
 subject-name CN=vpn.ourdomain.com,OU=IT,O=OurCompany,C=US,ST=CA,L=OurCity
 fqdn vpn.ourdomain.com
 rsakeypair vpn-sslkey
 exit
crypto ca enroll VPN-Trustpoint
---Generated the CSR---
crypto ca authenticate VPN-Trustpoint
---Placed Root CA here with brackets---
crypto ca import VPN-Trustpoint certificate
---Placed Cert here with brackets---
And get the following error:
% Failed to parse or verify imported certificate
In debug:
valid cert path not found (reason: 18) ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c
If I try the Intermediate key in place of either the CA or certificate I get the same error. What is the proper order/commands? Any thoughts or hints would be greatly appreciated!
Thanks,
Robert
ASKER
The 3rd party is GeoTrust and there are two intermediate keys listed on https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548
So which do I put into the trust point, and how do I put the second into the same trustpoint before installing our certificate?
Thanks Akinsd,
Robert
Here is a step-by-step instruction, both ASDM and CLI:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/97856-asa-3rdpartyvendorcerts.html
I hope this helps
"The 3rd party is GeoTrust and there are two intermediate keys listed on"
I don't quite understand the statement. You may need to contact GeoTrust to verify what you have. What you have on the link are just examples.
I hope this helps
ASKER
Thank you for the link. This is the guide I used, but it does not cover the installation of two intermediate certificates. GeoTrust requires both be installed; the ones on rapidssl.com are the current public intermediate certificates as well as the root CA. Unfortunately the previous links provided are for the ASDM GUI, which doesn't apply to the Cisco router's Configuration Pro. It appears the Cisco router GUI lacks a place to install certificates, so I was left with using crypto ca authenticate VPN-Trustpoint.
When I try running crypto ca authenticate VPN-Trustpoint twice, once with each intermediate certificate, I get an error saying the trustpoint already has a CA.
You can configure 2 trustpoints even in Cisco routers
See the configuration below.
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/27860-ios-enhanced-enrollment.html
crypto ca trustpoint caserver1
 enrollment retry period 5
 enrollment mode ra
 enrollment url http://171.69.89.125:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 fqdn 2611-vpn.cisco.com
 ip-address Ethernet0/0
 password 7 1107160B12
 subject-name OU=PARIS O=FRANCE
 crl optional
 rsakeypair ciscovpn
 auto-enroll regenerate
!
crypto ca trustpoint caserver2
 enrollment retry period 5
 enrollment mode ra
 enrollment url http://171.69.89.111:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 fqdn 2611-vpn.cisco.com
 ip-address Ethernet0/0
 password 7 130B181C0E
 subject-name OU=ROME O=ITALY
 rsakeypair tacvpn
 auto-enroll regenerate
crypto ca certificate chain caserver1
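The "valid cert path not found" error in the question is the router saying that the certificate pasted at crypto ca import does not chain to the single CA certificate the trustpoint was authenticated with. Before pasting anything into the router, it is worth checking on a workstation which of the vendor's files actually signed your certificate, since that is the one crypto ca authenticate needs on the trustpoint that receives the router's own certificate. The script below is an added example, not code from the thread or from Cisco: it builds a throwaway root, intermediate and server certificate with openssl (the CA names and vpn.example.com are made up) and then runs the same checks you would run on the real GeoTrust files.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain with openssl and run the check that tells you which file a trustpoint has to be
# authenticated with. The CA names and vpn.example.com are made up for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:vpn.example.com
EOF

# Stand-ins for the vendor's root, the vendor's issuing intermediate and the router's cert.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Demo Root CA" -days 3650 -config "$WORK/ca.cnf" -extensions v3_ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Demo Intermediate CA" -config "$WORK/ca.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" \
    -subj "/CN=vpn.example.com" -config "$WORK/ca.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions v3_leaf -out "$WORK/vpn.pem" 2>/dev/null
}

issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# Returns 0 when CA file $2 directly signed $1: the issuer DN matches and the one-hop
# path verifies with $2 as the (not necessarily self-signed) trust anchor. This is the
# relationship "crypto ca authenticate" followed by "crypto ca import ... certificate"
# relies on inside one trustpoint.
direct_issuer() {
  [ "$(issuer_of "$1")" = "$(subject_of "$2")" ] || return 1
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when leaf $1 chains to root $3 with intermediate $2 supplied as an untrusted
# helper, i.e. what a client sees once the router serves leaf + intermediate.
full_chain_ok() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

# Returns 0 when leaf $1 verifies against file $2 alone. With only the root this fails,
# which is the openssl analogue of the router's "valid cert path not found".
path_ok_with_only() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Given the leaf and any number of candidate CA files, print the one that signed it.
find_issuer() {
  leaf=$1; shift
  for ca in "$@"; do
    if direct_issuer "$leaf" "$ca"; then echo "$ca"; return 0; fi
  done
  return 1
}

make_chain
echo "leaf issuer DN: $(issuer_of "$WORK/vpn.pem")"
echo "authenticate the trustpoint with: $(find_issuer "$WORK/vpn.pem" "$WORK/root.pem" "$WORK/inter.pem")"
if path_ok_with_only "$WORK/vpn.pem" "$WORK/root.pem"; then
  echo "root alone: path found"
else
  echo "root alone: no path (the same failure the router reports)"
fi
if full_chain_ok "$WORK/vpn.pem" "$WORK/inter.pem" "$WORK/root.pem"; then
  echo "root + intermediate: path found"
fi
```

Run it against the real files by pointing find_issuer at your server certificate and each of the vendor's CA files; the one it prints is the certificate to paste at crypto ca authenticate on the trustpoint that will receive the router's own certificate, and the root (or the other intermediate) goes into a second trustpoint, which is the two-trustpoint layout described in the reply above. IOS can also tie the two together with chain-validation continue <parent-trustpoint> under the first trustpoint, a command the thread does not show.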
ASKER CERTIFIED SOLUTION
ASKER
Worked for intermediate certs
Are you the CA or is that a 3rd party? If 3rd party, contact your vendor and verify the certificate. It looks like it is pointing to a path it cannot find.
You can try using the ASDM if that will help
http://www.entrust.net/knowledge-base/technote.cfm?tn=8237
http://www.entrust.net/knowledge-base/technote.cfm?tn=8238