Authenticate or import the certificate to another vendor
Hello
I have to configure the following security scenario:
On CISCO:
-Add server (CA1) of CA certificate which host peer certificates
-Add the CISCO recovered Certificate Server CA (A2)
So I used the following:
crypto pki trustpoint CA_ROOT
 enrollment terminal
 usage ssl-server
 revocation-check none
and manually authenticated the certificate of the CA server (A1).
This is what it looks like:
AS67129(config)#crypto pki authenticate CA_ROOT
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
Trustpoint 'CA_ROOT' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: CF5E3F6A 6BD0F348 3612B785 1259241C
Fingerprint SHA1: 389FE1A7 CF3DD551 3C484EF1 BAC5DD28 1525F43A
% Do you accept this certificate? [Yes/No]: Yes
Certificate of the CA Trustpoint accepted.
% Certificate imported successfully
Now there is this command:
crypto pki import CA_ROOT
What is the difference between authentication and import?
Result of this import command is that the certificate is not signed by the private key of CISCO.
Currently there is no private key to CISCO.
Any certificate is generated by the Protocol Server CEP, which will provide the certificate to the peer in host
Configuration of the IpSec tunnel.
Thank you
Renato
Hi Renato.
The command crypto pki authenticate CA_ROOT is to authenticate the certification authority (CA) (by obtaining the certificate of the CA).
This command is required when you initially configure CA support on your router.
This command authenticates the CA to your router by obtaining the CA certificate that contains the public key of the CA. Because the CA signs its own certificate, you must manually authenticate the public key of the CA by contacting the CA administrator when you enter this command.
In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router asks the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees with what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint read by the CA administrator, you must accept the certificate as being valid.
Router(config)# crypto pki authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y#
crypto pki import name certificate is to import the identity certificate on the router.
Here is the link you can follow
http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c5.html#wp1044348
HTH
Concerning
Regnier
Please note all useful posts
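The fingerprint comparison described in the reply above, as an added example that is not part of the original thread: it prints a CA certificate's MD5 and SHA1 fingerprints in the grouping the router shows and compares them with a value obtained out of band. It assumes the OpenSSL command-line tool is installed; the function names and the throwaway CA it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.

# cisco_fp <md5|sha1> <pem-file>
# Print the certificate fingerprint as space-separated 8-hex-digit groups,
# the layout shown by "crypto pki authenticate".
cisco_fp() {
    openssl x509 -in "$2" -noout -fingerprint "-$1" |
        sed -e 's/^.*=//' -e 's/://g' |
        tr 'a-f' 'A-F' |
        sed -e 's/\(........\)/\1 /g' -e 's/ *$//'
}

# fp_normalize <text>: drop spaces, colons and line breaks, upper-case the hex,
# so a value read over the phone or pasted from a mail compares cleanly.
fp_normalize() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'a-f' 'A-F'
}

# fp_matches <expected-fingerprint> <pem-file> <md5|sha1>
# Succeeds only if the file's fingerprint equals the out-of-band value.
fp_matches() {
    want=$(fp_normalize "$1")
    got=$(fp_normalize "$(cisco_fp "$3" "$2")")
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# make_demo_ca <dir>: constructed throwaway self-signed CA (hypothetical names).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
echo "Fingerprint MD5:  $(cisco_fp md5 "$demo_dir/ca.pem")"
echo "Fingerprint SHA1: $(cisco_fp sha1 "$demo_dir/ca.pem")"

# Stand-in for the value the CA administrator reads out: same digest, lower case.
told=$(cisco_fp sha1 "$demo_dir/ca.pem" | tr 'A-F' 'a-f')
if fp_matches "$told" "$demo_dir/ca.pem" sha1; then
    echo "fingerprints match: accept the CA certificate"
else
    echo "fingerprints differ: answer no at the prompt"
fi
rm -rf "$demo_dir"
```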
Tags: Cisco Security
Similar Questions
-
Could not import the certificate - you can solve it here
Hi all
seems that I'm having a similar problem:
My PhoneGap signing keys worked a few months - now my iOS key says:
"Error - failed to import the certificate - you can fix this here" when I try to compile the app
I find this part a bit confused so please use no baby...
-I went to https://developer.apple.com/account/ios/certificate/distribution
and it looks like my prod. CERT and mobile profile available are both still active
-I tried to re-download these that have been saved on my computer when I them - go back to the generation gap phone - and he accepted them with my pass
- then I opened a new I just did-, but has the same problem when I try to build a production application = "error - failed to import the certificate - you can fix that here."
Q: what should I do to fix this?
A: remove the CERT in my keychain and their construction everything again from scratch?
B: should I remove the ACTIVE apple certs and profile mobile available?
C: something simpler to solve this problem?
Thanks in advance - Dave
Should be fixed now. It seems that you have found a server in our collection that was generations before it was supplied. Sorry for the inconvenience.
-
Error - failed to import the certificate - you can fix this here
I get this message when you try to create a new generation.
Error - failed to import the certificate - you can fix this here
I created a new .p12 file, but also a configuration profile. I can't understand why this keep happening. Thanks in advance for any help you can provide.
This error means that the certificate and the private key in the p12 file don't match. Take a look at this post, which describes in more detail the creation and validation of your p12.
I have not watched the certificate remains to be seen if this is indeed the expiration date. Will look at this next...
Unrelated and probably that your certificate has indeed expired.
-
How to import the class from another project in Jdeveloper 11.1.1.7
I have an application with many projects. I create new project with the application and I want to import a class from another project with demand.
But I am getting an error (found import.somePackge.someClass). I have read that I need to add it to the build path of the project but have no idea how.
I use Jdeveloper 11.1.1.7
Click the project--> project properties, dependencies, click here to change the Right pencil icon and check the build output
-
error when importing the VM to another esx host.
Hello
When I try to import the virtual machine from one esx host to another through VC converter. It gives me error to fix. Any help will be appreciated.
Thank you
Tanav
Tanav,
This error comes when Assistant failed to get the value of vmx import file. You can create a new virtual machine it and attach the existing drive and then try again to import the virtual machine.
If you have shared storage on the connected server, you can simply vmotion between hosts. No need to import the virtual machine from one host to another.
Anuj,
If you have found my reply to be useful, feel free to mark it as useful or Correct.
-
Could not import the Reader Extensions certificate
I use the virtual appliance to assess LiveCycle and I can't import the certificate of Reader Extensions. I navigate to Trust Store Management > certificates, type an Alias, go to the trial .pfx file I downloaded and click Import. Then a message pops up saying "invalid certificate". Any ideas on what is the problem?
The credentials of Reader Extensions are a .pfx file (with a file containing the credentials password .txt accompaniment). Check signing authorities document can be .cer then please make sure that in the section "Type of trust store", the 'Reader Extensions Credential' box is checked before you import it.
You are trying to import settings-> Trust Store Management-> local credentials right?
-
ASA 8.4.3 install the certificate for webvpn without CSR
Hi guys,
I have spent a lot of time trying to install our wildcard certificate in the ASA for use with anyconnect, but failed miserably. I read a lot of posts, but don't really know what I'm doing.
From our web server, I got DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.
The DigiCertCA.crt file is the certificate called "DigiCert High Assurance CA-3" on the web site: https://www.digicert.com/digicert-root-certificates.htm
with the serial "0A5F114D035B179117D2EFD4038C3F3B".
On the ASA, I checked that I have no trustpoint present. The commands "sh crypto ca certificates" and "sh crypto ca trustpoints" give no output.
OK, so let's get started with the setup where I am having problems:
ASA(config)# crypto ca trustpoint star.mycompany.com
ASA(config-ca-trustpoint)# fqdn webvpn.mycompany.com
ASA(config-ca-trustpoint)# enrollment terminal
ASA(config-ca-trustpoint)# revocation-check none
ASA(config-ca-trustpoint)# exit
ASA(config)# crypto ca authenticate star.mycompany.com
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
# CONTENT DigiCertCA.crt #
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: c68b9930 c8578d41 6f8c094e 6adb0c90
Do you accept this certificate? [Yes/No]: Yes
Trustpoint "star.mycompany.com" is a subordinate certification authority and is a non self-signed certificate.
Certificate of the CA Trustpoint accepted.
% Certificate imported successfully
ASA(config)# crypto ca import star.mycompany.com certificate
ATTENTION: Registration certificate is configured with a complete domain name
that differs from the fqdn of the system. If this certificate will be
used for VPN authentication, this can cause connection problems.
You want to continue with this registration? [Yes/No]: Yes
% The FQDN in the certificate name will be: webvpn.mycompany.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
# CONTENT star.mycompany.com_cert.pem #
-----END CERTIFICATE-----
quit
Could not import the certificate -
Certificate contains a general purpose public key of the device
for trust point star.mycompany.com
ERROR: Cannot analyse or check the imported certificate
ASA(config)#
Please help me! I'm not a guru with certificates.
Kind regards
Tom van Leeuwen
Tom,
you create a PKCS12 container which includes certificates, and CA key.
I don't know how to do with linux, no idea with Windows
Michael
Please note all useful posts
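Michael's PKCS12 suggestion, and the earlier answer on this page that the import error means the certificate and the private key in the p12 file don't match, as an added example that is not part of the original posts: it checks that a certificate and a key belong together before bundling them, then reads the bundle back. It assumes the OpenSSL command-line tool and an unencrypted PEM key; the function names, file names and generated certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI and unencrypted PEM keys.

# same_keypair <cert.pem> <key.pem>
# Succeeds only if the certificate's public key belongs to the private key.
same_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_p12 <cert.pem> <key.pem> <ca-chain.pem> <out.p12> <password-file>
# Bundle identity certificate, private key and CA chain, refusing a mismatch.
make_p12() {
    if ! same_keypair "$1" "$2"; then
        echo "refusing: $1 was not issued for the key in $2" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "file:$5"
}

# p12_holds_cert <file.p12> <password-file> <cert.pem>
# Read the bundle back and confirm it carries the expected certificate.
p12_holds_cert() {
    inside=$(openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$inside" ] &&
        [ "$inside" = "$(openssl x509 -in "$3" -noout -fingerprint -sha256)" ]
}

# new_selfsigned <dir> <name>: constructed test material (hypothetical names).
new_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

work=$(mktemp -d)
new_selfsigned "$work" star    # stands in for the wildcard certificate and its key
new_selfsigned "$work" other   # an unrelated key pair
printf 'constructed-passphrase\n' > "$work/pw"

same_keypair "$work/star.pem" "$work/star.key" && echo "star.pem + star.key: match"
same_keypair "$work/star.pem" "$work/other.key" || echo "star.pem + other.key: MISMATCH"
# The demo certificate is self-signed, so it also serves as its own chain file here.
make_p12 "$work/star.pem" "$work/star.key" "$work/star.pem" "$work/star.p12" "$work/pw" &&
    p12_holds_cert "$work/star.p12" "$work/pw" "$work/star.pem" &&
    echo "star.p12 verified"
rm -rf "$work"
```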
-
Import a certificate SSL on SG500X
I am trying to use SSL certificates signed by the internal CA on all our SG500X and SG500 switches. The manual is a little vague on the actual import process. I generated the request on the switch without specifying a new key (so I guess it used the default value), submitted the request to my CA and downloaded the cert. Because the import option does not allow the import of the cer file, I opened it with a text editor and copied the cert, including start and end markers. When I submit it, I get the error: SSL could not import the certificate - conversion of entry to the certificate failed.
Hello Steve,
Here is a step by step guide to import the SSL certificate. I hope this helps.
Nana
-
Unable to import the mail express outlook in windows live mail
I have a new computer running Windows 7. I have used Outlook Express on my old XP computer. I found the file on my old computer with emails, folders, etc... and have it on my new computer under documents. I tried to import the folder and I get an error. I have many subfolders and so I decided to import them one at a time. I was able to import a folder, but I can not find this folder now in Live Mail. I get errors when I import the Inbox, too.
So, where can I find my mail any and no idea on the Inbox import error. It does not say what is the error, just says: an error has occurred.
Thank you.
Nan
Yes, I checked and folders.dbx is here. In my quest to solve this problem, I found a site where someone had the same problem and found the file has been marked read-only (not the check mark, but the box has been filled). I checked that and mine was the same way, I correct and it goes back to the box being filled. I am really confused and might have to find an another e-mail client that I use. I have a few I need to access important emails.
Nan
If you have access to your old computer, create a new identity. Import your messages from the old identity.
If the import without problems messages, then your old OE store folder is ok.
If the message import, then your old Bank of OE has problems and will not import the messages to another program.
-
After you import the virtual machines in LM, can I remove VC
Hello
I had a couple of machines to import the configuration of another admin... After you import the virtual machines in LM, can I remove the virtual machines, I imported VC? I now have more need to fight them with VC. LM depends on of these always after import?
I do not believe, but you can rename the folder and see if something is complaining. If it isn't, it is probably safe to delete.
-
Copy the file from one drive to the keyword one another & missing tags
Hello
I use LR 2.7. I want to copy a file from one disk to another disk with the same file name. I thought that you could drag the file, but it is not copy the file into the other drive, can you explain what I need to do?
Also, I tried to import the file to another drive, but it does not copy the keyword tags. Is there a way to do this?
Thank you
Barb
There is absolutely no problem with a lot of files. I think that most people are this way.
To merge a catalog in another, open a catalog and then-> import from catalog and Lightroom point files to your catalog on the other.
-
Can I export Essbase outline and import the schema?
I want to export Essbase to an Essbase outline and then import the plan to another server to Essbase. Can I do this? Is it very complicated?
If you want to migrate all of the cube, you could just copy the file .otl from one server to another. If you want to dimension by dimension, you can use the puller contour available at applied olap, or maybe ODI or the outline of the Star Analytics extraction tool. Versions of the first and the third are available free of charge through the generosity of these companies.
-
Could not import the wildcard certificate on ASA
Hi all
I'm trying to implement a GoDaddy wildcard (*.mydomain.mytld) cert for a number of clubs, among which there is our ASA. I put away the old certs and did some housekeeping on their trustpoints, etc., with the result pretty much own config. (I'm on 8.3).
I needed to register for the cert in a different area (Exchange 2010) and I exported the cert in cisco-pasteable format REB to make it ready for deployment ahead on the ASA. Here's what I've done (with debug cry ca on), causing a failure to import the wildcard certificate. Can anyone shed light on what I'm doing wrong? What I was doing was essentially setting up TPs for root and intermediate and then importing the actual device cert.
Setup of two trustpoints for RootCA and intermediate TP:
gate0(config)# crypto ca trustpoint gdroot
gate0(config-ca-trustpoint)# enrollment terminal
gate0(config-ca-trustpoint)# revo no
---------
gate0(config)# crypto ca trustpoint gdinter
gate0(config-ca-trustpoint)# enrollment terminal
gate0(config-ca-trustpoint)# fqdn mydomain.tld
----------------
Authenticate these:
gate0(config)# cry ca authenticate gdroot
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprints: [snip]
Do you accept this certificate? [Yes/No]: Yes
Certificate of the CA Trustpoint accepted.
% Certificate imported successfully
CRYPTO_PKI: Cert record not found, return E_NOT_FOUND
View the contents of the current certificate:
Certificate 1:
SERIAL: 00
ISSUER: OU = Go Daddy class 2 Certification Authority, o = Go Daddy Group\, Inc., c = US
CRYPTO_PKI: crypto_process_ra_certs (trust_point = gdroot)
gate0(config)# cry ca authenticate gdinter
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprints: [snip]
Do you accept this certificate? [Yes/No]: Yes
Trustpoint "gdinter" is a subordinate certification authority and is a non self-signed certificate.
Certificate of the CA Trustpoint accepted.
% Certificate imported successfully
gate0(config)# CRYPTO_PKI: Cert record not found, return E_NOT_FOUND
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0301, subject name: serialNumber = 07969287, cn = Go Daddy Secure Certification Authority, ou = http://certificates.godaddy.com/repository, o = GoDaddy.com\, Inc., l = Scottsdale, st = Arizona, c = US, issuer name: OU = Go Daddy class 2 Certification Authority, o = Go Daddy Group\, Inc., c = US.
CRYPTO_PKI: Cert record not found, return E_NOT_FOUND
View the contents of the current certificate:
Certificate 1:
SERIAL: 0301
ISSUER: OU = Go Daddy class 2 Certification Authority, o = Go Daddy Group\, Inc., c = US
Certificate 2:
SERIAL: 00
ISSUER: OU = Go Daddy class 2 Certification Authority, o = Go Daddy Group\, Inc., c = US
CRYPTO_PKI: crypto_process_ra_certs (trust_point = gdinter)
Import the "peripheral": wildcard cert
crypto ca import gdinter RECs
ATTENTION: Registration certificate is configured with a complete domain name
that differs from the fqdn of the system. If this certificate will be
used for VPN authentication, this can cause connection problems.
You want to continue with this registration? [Yes/No]: Yes
% The FQDN in the certificate name will be: mydomain.tld
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
ERROR: Cannot analyse or check the imported certificate
CRYPTO_PKI: cannot define ca cert object (0x722)
CRYPTO_PKI: status = 65535: could not get the key usage of the cert
You may be seeing a problem due to not having generated the CSR on the ASA (with the ASA's private key), because you are using a wildcard cert.
There is a document here which explains how to get around that.
-
Firefox Mobile has a kind of key store? How to import the SSL client certificate?
Firefox Mobile has a kind of key store? How to import the SSL client certificate?
There is no built-in way to add client certificates to Firefox for mobile. We hope to add this in a future version.
See this previous question for some (kind of complicated) ways to add client certificates in the current version of Firefox for mobile:
https://support.Mozilla.com/en-us/questions/786035?s=certificate&as=s
-
original title: outlook express
I want to import the address book from an old account to another that I just put in place. When I do this, all addresses have disappeared.
Outlook Express tips, tricks and Secrets for the backup and restore:
http://email.about.com/od/outlookexpressbackuphelp/
MS KB: How to backup and restore Outlook Express data:
http://support.Microsoft.com/kb/270670/en-us
How to change the default location of mail and news files:
http://support.Microsoft.com/kb/307971/en-us
Inside Outlook Express (backup and restore):
http://www.insideoe.com/backup/
J W Stuart: http://www.pagestart.com