Monday, December 15, 2014

Certificate Import Failed with "% Failed to parse or verify imported certificate" because of Verisign Using new Intermediate CA Certs G4

Symptoms:

I worked on an IPsec VPN certificate for the whole morning trying to import it, and finally gave up and asked Verisign support for help. I have done this many times and have detailed documentation of the steps, but this time the situation was different.

My previous post clearly shows all the steps I have to follow.
Unfortunately, this time the process got stuck at step 6 with the error "% Failed to parse or verify imported certificate":

m-dmz(config)#crypto pki import VerisignCA1 certificate 


Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

000158: Dec 15 12:38:30.479 EST: CRYPTO_PKI: using private key v-dmz-tt.test.com for enrollment
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

% Failed to parse or verify imported certificate

Enabling the following debugs gave a bit more detail, "valid cert path not found":

debug crypto pki messages
debug crypto pki transactions
debug crypto pki validation

Dec 15 17:25:18.264: CRYPTO_PKI: make trustedCerts list for VerisignCA1
Dec 15 17:25:18.264: CRYPTO_PKI: subject="cn=VeriSign Class 3 Secure Server CA - G3,ou=Terms of use at https://www.verisign.com/rpa (c)10,ou=VeriSign Trust Network,o=VeriSign, Inc.,c=US" serial number= 6E CC 7A A5 A7 03 20 09 B8 CE BC F4 E9 52 D4 91 n.z... ......R..
Dec 15 17:25:18.272: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(1364) : E_PATH_NOT_FOUND : valid cert path not found (reason: 18)
Dec 15 17:25:18.272: CRYPTO_PKI: status = 0x750(E_PATH_NOT_FOUND : valid cert path not found (reason: %n0)): failed to verify or insert the cert into storage


m-dmz(config)#crypto pki certificate validate VerisignCA1
Validation Failed: can't get local certificate chain


I even tried the following method, which I found on the Internet. I created multiple trustpoints in case I had missed a root certificate, since I was only using the one 'RSA Secondary SSL Intermediate CA Certificate' from Symantec article AR2108, which I had tested before and which worked:

"I ended up using the following order, based on the DigiCert tutorial, to complete the install. The trick is to have an empty first trust point, which has the first intermediate cert, and a second trust point using "chain-validation continue [FirstTrustpointName]" with the second intermediate certificate and the SSL cert.

crypto ca trustpoint VPN-Trustpoint
enrollment terminal pem
rsakeypair vpn-sslkey
exit

crypto ca trustpoint VPN-Trustpoint-2
enrollment terminal pem
crl optional
subject-name CN=vpn.org,OU=IT,O=Org,C=US,ST=NY,L=City
fqdn vpn.org
rsakeypair vpn-sslkey
chain-validation continue VPN-Trustpoint
exit

crypto ca enroll VPN-Trustpoint-2

crypto ca authenticate VPN-Trustpoint
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit

crypto ca authenticate VPN-Trustpoint-2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit

crypto ca import VPN-Trustpoint-2 certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit

webvpn gateway gateway_1
ssl trustpoint VPN-Trustpoint-2
end
"

Solution:

After I gave up troubleshooting and called Verisign support, the mystery was resolved with a clear and simple cause: Symantec is now signing new certificates from a new intermediate CA, "Symantec Class 3 Secure Server CA - G4", whose signature hash algorithm is SHA-256. Verisign had not yet updated its article with a link to this new intermediate CA, but you do get it when you download your certificate from your account.



You get a zip file that includes the following files:
ssl_certificate.crt is your SSL certificate, and IntermediateCA.crt is the new G4 intermediate certificate. The certificates in article AR2108 are the G3 intermediate and the G5 root. In my previous post I was able to get the certificate imported and validated using only G3. That works because IOS treats the certificate you authenticate into the trustpoint as the trust anchor, so the import only succeeds when that certificate's subject is the issuer of the router certificate. That is exactly what the E_PATH_NOT_FOUND debug above is complaining about: the trusted-certs list for the trustpoint held only "VeriSign Class 3 Secure Server CA - G3", but the new certificate was issued by the G4 intermediate.
I copied the new G4 intermediate certificate below for future reference, although I am disappointed that Verisign has not updated their website and did not e-mail the right thing to customers. Hopefully I am the only one to have had this pain.

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
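Before pasting a certificate into the router, you can check offline whether it actually chains to the intermediate held by the trustpoint. The script below is an added example, not code from the original post or from Cisco or Symantec. It builds a throw-away demo hierarchy with the openssl CLI that mirrors this situation: one root standing in for the VeriSign G5 root, two intermediates standing in for G3 and G4, and a server certificate issued only by the G4 stand-in. The directory, file names and DNs are assumptions for the demo. issuer_matches compares the leaf's issuer DN with the candidate CA's subject DN, which is the relationship IOS needs between the router certificate and the trustpoint's CA certificate, and verify_chain runs openssl verify with -partial_chain so the intermediate alone acts as the trust anchor, the way a trustpoint authenticated with only the intermediate does.

```shell
#!/bin/sh
# Added example: offline check that a server certificate chains to the
# intermediate you are about to "crypto pki authenticate" into a trustpoint.
# Not from the original post; needs only the openssl CLI (1.0.2+ for
# -partial_chain). All names, DNs and paths below are demo assumptions.
set -e

# Issue a certificate NAME with subject SUBJ, signed by CA, extensions from EXT.
issue_cert() {
    dir=$1; name=$2; subj=$3; ca=$4; ext=$5
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$dir/$ext" \
        -out "$dir/$name.pem" 2>/dev/null
}

# Build the demo hierarchy in DIR: root -> {g3, g4}; the server cert is issued by g4 only.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' > "$dir/ee.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=US/O=Demo/CN=Demo Class 3 Public Primary CA - G5" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    issue_cert "$dir" g3 "/C=US/O=Demo/CN=Demo Class 3 Secure Server CA - G3" root ca.ext
    issue_cert "$dir" g4 "/C=US/O=Demo/CN=Demo Class 3 Secure Server CA - G4" root ca.ext
    issue_cert "$dir" server "/C=CA/O=Demo/CN=m-dmz.test.com" g4 ee.ext
}

# Does the leaf's issuer DN equal the candidate CA's subject DN?
# This is what IOS needs between the router cert and the trustpoint's CA cert.
issuer_matches() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=[ ]*//')
    ca_subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=[ ]*//')
    [ "$leaf_issuer" = "$ca_subject" ]
}

# Cryptographic check: the candidate CA alone is the trust anchor (-partial_chain),
# which is how a trustpoint authenticated with only the intermediate behaves.
verify_chain() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Report for one (leaf, candidate CA) pair; returns 0 when the pair is consistent.
check() {
    leaf=$1; ca=$2
    printf 'leaf issuer : %s\n' "$(openssl x509 -in "$leaf" -noout -issuer)"
    printf 'CA subject  : %s\n' "$(openssl x509 -in "$ca" -noout -subject)"
    if issuer_matches "$leaf" "$ca" && verify_chain "$leaf" "$ca"; then
        echo "OK: $(basename "$ca") issued $(basename "$leaf"); authenticate it, then import"
        return 0
    fi
    echo "FAIL: $(basename "$ca") did not issue $(basename "$leaf"); IOS would report E_PATH_NOT_FOUND"
    return 1
}

demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    check "$d/server.pem" "$d/g3.pem" || true   # wrong intermediate, like AR2108's G3
    check "$d/server.pem" "$d/g4.pem"           # the intermediate that actually issued it
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh chain-check.sh demo to see both outcomes; on a real certificate, run check against the IntermediateCA.crt from the zip and against whatever the trustpoint currently holds (show crypto pki certificates). The same issuer/subject comparison is what you are reading off the debug line "CRYPTO_PKI: subject=..." in the trustedCerts list.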

By the way, if you have imported the wrong intermediate certificate, you do not have to delete the trustpoint, as the Cisco router tells you to:

v-dmz(config)#crypto pki authenticate VerisignCA1 
% Please delete your existing CA certificate first.
% You must use 'no crypto pki trustpoint <trustpoint-name>' to delete the CA certificate.

I found it works to just delete the certificate chain with the command
v-dmz(config)#no crypto pki certificate chain VerisignCA1

Then you can re-import your intermediate certificate without removing your trustpoint. If you completely remove the trustpoint as Cisco suggests ('You must use 'no crypto pki trustpoint <trustpoint-name>' to delete the CA certificate.'), you end up having to re-create your trustpoint and your CSR and re-submit the CSR, and it takes a long time to get the new certificate from your CA.


m-dmz#sh crypto pki certificates 
Certificate
  Status: Available
  Certificate Serial Number (hex): 0887ED29C6A3E88C9E4EF7D4972BB43B
  Certificate Usage: General Purpose
  Issuer: 
    cn=Symantec Class 3 Secure Server CA - G4
    ou=Symantec Trust Network
    o=Symantec Corporation
    c=US
  Subject:
    Name: m-dmz.test.com
    cn=m-dmz.test.com
    o=Giesecke & Devrient systems canada inc
    l=markham
    st=ontario
    c=CA
  CRL Distribution Points: 
    http://ss.symcb.com/ss.crl
  Validity Date: 
    start date: 19:00:00 EST Dec 14 2014
    end   date: 19:59:59 EDT Mar 12 2017
  Associated Trustpoints: VerisignCA1 

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 513FB9743870B73440418D30930699FF
  Certificate Usage: Signature
  Issuer: 
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign
     Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign
     Inc.
    c=US
  Subject: 
    cn=Symantec Class 3 Secure Server CA - G4
    ou=Symantec Trust Network
    o=Symantec Corporation
    c=US
  CRL Distribution Points: 
    http://s1.symcb.com/pca3-g5.crl
  Validity Date: 
    start date: 20:00:00 EDT Oct 30 2013
    end   date: 19:59:59 EDT Oct 30 2023
  Associated Trustpoints: VerisignCA1 

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer: 
    cn=IOS-Self-Signed-Certificate-1843068825
  Subject:
    Name: IOS-Self-Signed-Certificate-1843068825
    cn=IOS-Self-Signed-Certificate-1843068825
  Validity Date: 
    start date: 11:31:26 EDT Jul 28 2012
    end   date: 19:00:00 EST Dec 31 2019
  Associated Trustpoints: TP-self-signed-1843068825 
  Storage: nvram:IOS-Self-Sig#1.cer
