Date: March 7, 2015
By: Mike Khzouz (Mike@bostonIT.com)

Cisco ASA Failed To Parse Or Verify Imported Certificate - SSL



Scenario:

When you try to install an SSL certificate on the ASA based on a CSR you generated there, you get the error message shown in the title.

Resolution:

There are several possible reasons for this error:

  • Most Certificate Authorities these days issue SSL certificates signed with the SHA-2 (SHA256RSA) algorithm rather than the older SHA-1. If you generated the CSR on an ASA running IOS older than 8.2.3.9, you need to make sure the certificate is issued with SHA-1, since your ASA doesn't support SHA-2.

    If you are running 8.2.3.9 or newer, your ASA should parse SHA-2 successfully, and you should go on to the next step.

    To see which SHA your certificate uses, download the identity certificate to your desktop, double-click it, go to the Details tab, and check the signature algorithm entry. You should see something like the following (if it's listed as SHA256-RSA, then it's SHA-2, and that won't work on earlier ASA IOS versions):

    Sha-1


  • The other known reason for this error is that the root/intermediate certificate of the certificate authority is not yet installed on the ASA, so the ASA can't parse the identity certificate. Before you install the pending certificate, you must install the CA root or intermediate certificate first.

    If you open ASDM --> Configuration --> Device Management --> Certificate Management, you should see two places for certificates:

    1- Identity Certificates (this is where you originally generated the CSR and where you will install the identity certificate). In my case I ordered the certificate from GoDaddy, and the certificate file I got by email/download was named something like 5116d2f1374b2524.cert. Again, this is the certificate you ordered for your device/domain/server to serve the https://Yourdevice.domain.com address.

    2- CA Certificates: this is where you install the root/intermediate certificate. If one is already installed for the same certificate authority you ordered from, you don't need to install the other CA certificate. In my case I got a second CA certificate from GoDaddy called gd_bundle.cert; I didn't have to install it since I already had one installed.

    If you only got your identity certificate and not the root/intermediate, you can either ask GoDaddy for the root/intermediate certificate or look it up on the internet (not easy, since there are several different ones and it gets confusing). So just ask GoDaddy, or whoever you purchased the certificate from.

  • One last possibility I can think of is that the identity certificate you are trying to install is in a format the ASA won't parse. Save the certificate to your desktop, double-click it, go to the Details tab, click Copy to File, and choose Base-64 encoded X.509; this is the format the ASA can understand/parse. Go to ASDM and install that CA certificate, then try installing it again.
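Two of the three checks above (the signature hash and the file encoding) can be scripted on the admin workstation before anything is pasted into ASDM. This is an added example, not code from the article or from Cisco: it uses only the Python standard library, runs on two constructed minimal DER structures (not real certificates, just enough ASN.1 for the parser to walk), and takes 8.2.3.9 as the version threshold the article gives.

```python
import base64, re, ssl
# Well-known signatureAlgorithm OIDs; the first is the only SHA-1 entry here.
SIG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed minimal DER "certificates" (not real certs): SEQUENCE { tbs, sigAlg, BIT STRING }
SAMPLE_SHA256 = bytes.fromhex("30183003020102300d06092a864886f70d01010b0500030200ff")
SAMPLE_SHA1 = bytes.fromhex("30183003020102300d06092a864886f70d0101050500030200ff")

def to_der(data: bytes) -> bytes:
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data   # PEM -> DER, or already DER

def to_pem(data: bytes) -> str:
    """The 'Copy to File -> Base-64 encoded X.509' step, done in code."""
    return ssl.DER_cert_to_PEM_cert(to_der(data))

def _tlv(buf: bytes, pos: int):  # one DER tag-length-value at pos -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(value: bytes) -> str:  # OBJECT IDENTIFIER payload -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(data: bytes) -> str:
    """Name (or dotted OID) of the certificate's outer signatureAlgorithm."""
    _, cert, _ = _tlv(to_der(data), 0)     # Certificate ::= SEQUENCE
    _, _, after_tbs = _tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = _tlv(cert, after_tbs)      # signatureAlgorithm AlgorithmIdentifier
    _, oid, _ = _tlv(alg, 0)               # its first element is the algorithm OID
    dotted = _oid(oid)
    return SIG_NAMES.get(dotted, dotted)

def asa_supports(data: bytes, asa_version: str = "8.2.3.9") -> bool:
    """SHA-1 certs parse on any ASA; SHA-2 certs need 8.2.3.9 or newer (the article's threshold)."""
    version = tuple(int(p) for p in asa_version.split("."))
    return signature_algorithm(data) == "sha1WithRSAEncryption" or version >= (8, 2, 3, 9)
```

On a real file, `signature_algorithm(open("cert.cer", "rb").read())` reports the hash the CA used, and `to_pem` produces the Base-64 form the ASA accepts.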
