Unable to install PEM/pkcs12 created by gnutls to Cisco ASA
Posted
by
ACiD GRiM
on Server Fault
See other posts from Server Fault
or by ACiD GRiM
Published on 2012-11-19T04:44:55Z
Indexed on
2012/11/19
5:04 UTC
Read the original article
Hit count: 546
I've been pulling some hair out trying to figure out why cisco devices don't like my certificates. My primary need is to get a trustpoint set up with CA,cert,key on the ASA for VPN systems, however I'm having the same issues on my IOS devices. I created a pkcs12 with openssl a few months ago that imported with no issues, but now that I'm getting ready to move this lab to production I'm using gnutls certtool as I found it adds alt_dns and ip_address fields properly to the certificate, (which cost me a few more hairs trying to get to work with openssl's ca tool)
I'm including the current test certs below, don't worry I'm not using these in production ;)
The maddening thing is that after I thought gnutls was generating certs incorrectly, I tried making a pkcs12 for a printserver and it imported with no issues.
Here's my command flow for creating these certs:
certtool --generate-privkey --disable-quick-random --outfile nn-ca.key
certtool --generate-self-signed --load-privkey nn-ca.key --outfile nn-ca.crt
certtool --generate-privkey --disable-quick-random --outfile nn-g0.key
certtool --generate-certificate --load-privkey nn-g0.key --outfile nn-g0.crt --load-ca-privkey nn-ca.key --load-ca-certificate nn-ca.crt
openssl pkcs12 -export -certfile nn-ca.crt -in nn-g0.crt -inkey nn-g0.key -out nn-g0.p12
openssl enc -base64 -in nn-g0.p12 -out nn-g0.base64.p12
The password for the attatched pkcs12 is "ciscohelp" without quotes. Thanks for any help TestCerts
© Server Fault or respective owner