Cisco ASA – How to Install Comodo SSL Cert on ASA 8.3(2)


Background: long-time Netscreen, JunOS, FortiOS administrator, now with a customer who has an ASA running 8.3(2). They have decided to install a new SSL certificate into their ASA for the purposes of the SSL-VPN.

I went to Enom, a Comodo reseller, and followed their instructions for generating a .CSR. Received the certificate back, and tried to install it. Install attempts fail with:

Error: Failed to parse or verify imported certificate

I also received three intermediate certificates. When I go to the CA screen of my ASA, I can import the certificate identified as AddTrustExternalCARoot, but not the other two. Trying to import them fails with:

Info: INFO: Certificate has the following attributes:
Fingerprint: <hash>
% Error in saving certificate: status = FAIL

I have followed some instructions on the web which involve importing my certificate into my local Windows (10) system, exporting it back out, and then trying to import that into the ASA. Same problem.

Enom has punted my request for support.

The customer doesn't have Cisco support.

Does anyone have any ideas where I can learn how to import my Comodo certificate?

Best Answer

The answer appears to be: the Comodo cert is SHA-2, which 8.3(2) doesn't support. So, either get the cert re-cut as SHA-1 (not a good idea) or upgrade to a newer firmware.

Nuts.
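The answer above points at the signature algorithm of the certificate and its intermediates. Before blaming the ASA, it helps to confirm which hash each certificate in the chain was actually signed with. The following is an added example, not code from the original poster, the answerer, Comodo or Cisco: it walks the outer DER structure of each certificate in a PEM file (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }), pulls the signatureAlgorithm OID and maps it to a hash family using the OIDs assigned in RFC 3279, RFC 4055 and RFC 5758. The two certificate-shaped blobs it builds for demonstration are constructed in the script (dummy tbsCertificate and signature, real AlgorithmIdentifier); they are not real Comodo certificates, and the helper names (`check_chain`, `signature_algorithm`, `make_sample_cert_pem`) are this example's own.

```python
import base64
import re

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, hash family).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short and long (0x81/0x82...) length forms, which real certificates use."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM string (chain files included)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def signature_algorithm(der):
    """Return (oid, name, hash_family) from the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier
    tag, oid_bytes, _ = _read_tlv(alg, 0)     # its algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, family = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    return oid, name, family


def check_chain(pem_text):
    """Classify every certificate in a PEM file.
    Returns ([(name, family), ...], has_sha2): has_sha2 is True if any certificate
    is SHA-2 signed, which is the condition the answer above says 8.3(2) cannot import."""
    results = [signature_algorithm(der)[1:] for der in pem_to_der(pem_text)]
    has_sha2 = any(family == "SHA-2" for _, family in results)
    return results, has_sha2


# --- constructed sample input (not a real certificate) --------------------------
def _tlv(tag, value):
    """Minimal DER encoder used only to build the sample blobs below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert_pem(sig_oid):
    """Constructed certificate-shaped PEM: dummy tbsCertificate (padded past 127 bytes so
    long-form lengths are exercised), a genuine AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * 200))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 256)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Sample chain: a SHA-256 leaf followed by a SHA-1 intermediate (both constructed).
    chain = make_sample_cert_pem("1.2.840.113549.1.1.11") + make_sample_cert_pem("1.2.840.113549.1.1.5")
    for name, family in check_chain(chain)[0]:
        print(f"{name:28s} {family}")
```

To use it on the real files, read the leaf and each intermediate into `check_chain` (or `signature_algorithm` on one DER blob); `openssl x509 -in cert.pem -noout -text` shows the same "Signature Algorithm" field if OpenSSL is at hand. The parser only reads the outer signatureAlgorithm; it does not validate the signature or the chain, so a clean result says only that the hash family is one the firmware is claimed to accept.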