Solved

Cannot Import Intermediate SSL Cert on Cisco Router

Posted on 2014-02-23
1,652 Views
Last Modified: 2014-03-21
We are having a problem installing an SSL Certificate from GeoTrust in our Cisco 1811 for VPN AnyConnect to use. The instructions seem about the same for Cisco router IOS and ASA, but we are having problems installing the intermediate key. All the documentation I find says to "just install the intermediate key first". But I'm afraid I don't understand what that means; trying to apply the intermediate key seems to change nothing.

Here's the order we are trying using the following commands:
crypto ca trustpoint VPN-Trustpoint
enrollment terminal pem
crl optional
subject-name CN=vpn.ourdomain.com,OU=IT,O=OurCompany,C=US,ST=CA,L=OurCity
fqdn vpn.ourdomain.com
rsakeypair vpn-sslkey

exit
crypto ca enroll VPN-Trustpoint
---Generated the CSR ---

crypto ca authenticate VPN-Trustpoint
---Placed Root CA here with brackets---

crypto ca import VPN-Trustpoint certificate
---Placed Cert here with brackets---

And get the following error:
% Failed to parse or verify imported certificate


In debug:
valid cert path not found (reason: 18) ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c


If I try the Intermediate key in place of either the CA or certificate I get the same error.  What is the proper order/commands?  Any thoughts or hints would be greatly appreciated!

Thanks,
Robert
0
Question by:Robert Davis
7 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 39893200
Did you install the chain certificate? If yes remove it before trying the intermediate key.

Are you the CA or is that a 3rd party? If 3rd party, contact your vendor and verify the certificate. It looks like it is pointing to a path it cannot find.

You can try using the ASDM if that will help
http://www.entrust.net/knowledge-base/technote.cfm?tn=8237
http://www.entrust.net/knowledge-base/technote.cfm?tn=8238
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 39893367
The 3rd party is GeoTrust and there are two intermediate keys listed on https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548

So which do I put into the trust point, and how do I put the second into the same trustpoint before installing our certificate?

Thanks Akinsd,
Robert
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39893482
Here is a step-by-step instruction - both ASDM and CLI

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/97856-asa-3rdpartyvendorcerts.html

"The 3rd party is GeoTrust and there are two intermediate keys listed on"
I don't quite understand the statement. You may need to contact GeoTrust to verify what you have. What you have on the link are just examples.

I hope this helps
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 39893771
Thank you for the link, this is the guide I used but it does not cover the installation of two intermediate certificates. GeoTrust requires both be installed; the ones on rapidssl.com are the current public intermediate certificates as well as the root CA. Unfortunately the previous links provided are for the ASDM GUI, which don't apply to the Cisco router's Configuration Pro. It appears the Cisco router GUI lacks a place to install certificates, so I was left with using crypto ca authenticate VPN-Trustpoint.

When I try running crypto ca authenticate VPN-Trustpoint twice, once with each intermediate certificate, I get an error saying the trustpoint already has a CA.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39894060
You can configure 2 trustpoints even in Cisco routers

See the configuration below.


http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/27860-ios-enhanced-enrollment.html

crypto ca trustpoint caserver1
enrollment retry period 5
enrollment mode ra
enrollment url http://171.69.89.125:80/certsrv/mscep/mscep.dll
usage ike
serial-number
fqdn 2611-vpn.cisco.com
ip-address Ethernet0/0
password 7 1107160B12
subject-name OU=PARIS O=FRANCE
crl optional
rsakeypair ciscovpn
auto-enroll regenerate
!
crypto ca trustpoint caserver2
enrollment retry period 5
enrollment mode ra
enrollment url http://171.69.89.111:80/certsrv/mscep/mscep.dll
usage ike
serial-number
fqdn 2611-vpn.cisco.com
ip-address Ethernet0/0
password 7 130B181C0E
subject-name OU=ROME O=ITALY
rsakeypair tacvpn
auto-enroll regenerate
crypto ca certificate chain caserver1
0
 
LVL 1

Accepted Solution

by:
Robert Davis earned 0 total points
ID: 39933499
I ended up using the following order based on the DigiCert tutorial to complete the install. The trick is to have an empty first trustpoint, which has the first intermediate cert, and a second trustpoint using "chain-validation continue [FirstTrustpointName]" with the second intermediate certificate and the SSL cert.

crypto ca trustpoint VPN-Trustpoint
enrollment terminal pem
rsakeypair vpn-sslkey
exit

crypto ca trustpoint VPN-Trustpoint-2
enrollment terminal pem
crl optional
subject-name CN=vpn.org,OU=IT,O=Org,C=US,ST=NY,L=City
fqdn vpn.org
rsakeypair vpn-sslkey
chain-validation continue VPN-Trustpoint
exit

crypto ca enroll VPN-Trustpoint-2

crypto ca authenticate VPN-Trustpoint
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit

crypto ca authenticate VPN-Trustpoint-2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit

crypto ca import VPN-Trustpoint-2 certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit

webvpn gateway gateway_1
ssl trustpoint VPN-Trustpoint-2
end

0
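An added example, not from the thread, Cisco or GeoTrust, that answers the earlier question of which intermediate goes into which trustpoint: it builds a constructed toy hierarchy (root, two intermediates G1 and G2, and a server certificate for the made-up name vpn.example.test) with openssl, orders the intermediates by matching each one's issuer to the previous subject, and verifies the assembled chain the same way the router's path validation does. The root-most intermediate is the one for the empty first trustpoint; the one that signed the server certificate belongs in the trustpoint that carries chain-validation continue. It assumes openssl 1.1.1 or later is on the path.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> G1 -> G2 -> server hierarchy
# with openssl (constructed names standing in for the GeoTrust chain), order the intermediates
# by matching issuer to subject, and verify the assembled chain before pasting it into IOS.
set -e
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
# Self-contained OpenSSL config so the system openssl.cnf is not needed.
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
  '[ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
  '[srv]' 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:vpn.example.test' > toy.cnf
# Self-signed root: what the first "crypto ca authenticate" would normally receive.
openssl req -x509 -config toy.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 2 -subj '/CN=Toy Root CA' 2>/dev/null
issue() { # $1 file stem, $2 subject, $3 signer stem, $4 extension section in toy.cnf
  openssl req -new -config toy.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial -days 2 \
    -extfile toy.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}
issue g1     '/CN=Toy Intermediate G1' root ca    # signed by the root
issue g2     '/CN=Toy Intermediate G2' g1   ca    # signed by G1
issue server '/CN=vpn.example.test'    g2   srv   # the VPN server certificate

# name FILE subject|issuer -> that DN in RFC 2253 form without the "subject="/"issuer=" prefix
name() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"; }

# order_intermediates ROOT INTERMEDIATE... -> intermediates printed root-most first. First
# line: the cert for the empty first trustpoint. Last line: the cert for the trustpoint that
# also holds the server certificate (the second trustpoint in the accepted solution).
order_intermediates() {
  cur=$(name "$1" subject); shift; remaining="$*"
  while [ -n "$remaining" ]; do
    found=
    for c in $remaining; do
      [ "$(name "$c" issuer)" = "$cur" ] && found=$c || :   # "|| :" keeps set -e quiet
    done
    [ -n "$found" ] || { echo "no certificate issued by: $cur" >&2; return 1; }
    echo "$found"
    cur=$(name "$found" subject)
    remaining=$(printf '%s\n' $remaining | grep -vx "$found" | tr '\n' ' ')
  done
}

# verify_chain ROOT SERVER INTERMEDIATE... -> succeeds only if every link is supplied.
verify_chain() { root=$1; srv=$2; shift 2; cat "$@" > chain.pem
  openssl verify -CAfile "$root" -untrusted chain.pem "$srv" >/dev/null 2>&1; }

order_intermediates root.pem g2.pem g1.pem             # deliberately shuffled input
verify_chain root.pem server.pem g1.pem g2.pem && echo "full chain verifies"
verify_chain root.pem server.pem g1.pem || echo "G2 missing: server certificate rejected"
```

The failing second verify_chain call is the openssl equivalent of the router's "valid cert path not found": one intermediate alone cannot link the server certificate back to the root.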
 
LVL 1

Author Closing Comment

by:Robert Davis
ID: 39944764
Worked for intermediate certs
0
