Unable to install PEM/pkcs12 created by gnutls to Cisco ASA

Posted by ACiD GRiM on Server Fault
Published on 2012-11-19T04:44:55Z Indexed on 2012/11/19 5:04 UTC


I've been pulling some hair out trying to figure out why cisco devices don't like my certificates. My primary need is to get a trustpoint set up with CA, cert, and key on the ASA for VPN systems; however, I'm having the same issues on my IOS devices. I created a pkcs12 with openssl a few months ago that imported with no issues, but now that I'm getting ready to move this lab to production I'm using gnutls certtool, as I found it adds alt_dns and ip_address fields properly to the certificate (which cost me a few more hairs trying to get to work with openssl's ca tool).

I'm including the current test certs below; don't worry, I'm not using these in production ;)

The maddening thing is that after I thought gnutls was generating certs incorrectly, I tried making a pkcs12 for a printserver and it imported with no issues.

Here's my command flow for creating these certs:

certtool --generate-privkey --disable-quick-random --outfile nn-ca.key
certtool --generate-self-signed --load-privkey nn-ca.key --outfile nn-ca.crt
certtool --generate-privkey --disable-quick-random --outfile nn-g0.key
certtool --generate-certificate --load-privkey nn-g0.key --outfile nn-g0.crt --load-ca-privkey nn-ca.key --load-ca-certificate nn-ca.crt
openssl pkcs12 -export -certfile nn-ca.crt -in nn-g0.crt -inkey nn-g0.key -out nn-g0.p12
openssl enc -base64 -in nn-g0.p12 -out nn-g0.base64.p12

The password for the attached pkcs12 is "ciscohelp" without quotes. Thanks for any help.

TestCerts
