Home / server / Questions / 1108682
Accepted
miken32
Asked: 2022-08-21 10:11:51 +0800 CST

Client error after installing custom certificate

  • 772

I've followed (I believe) all the right steps to install a trusted certificate on my ASA firewall:

  • install company root authority into ASA as a CA
  • issue a certificate for the ASA's hostname
  • install the certificate into ASA as an identity certificate
  • apply the certificate to the outside interface

However, I continue to get this error in the browser when trying to connect:

Secure Connection Failed

An error occurred during a connection to asa.xxx.internal. SSL was unable to extract the public key from the peer’s certificate.

Error code: SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE

I've verified with show crypto certificates that the certificate has been imported correctly and shows as associated with the imported CA.

The only thing I'm doing here that isn't 100% familiar to me is working with EC certificates instead of RSA, but it doesn't seem like that should have any bearing.

Relevant parts of show run:

hostname asa
domain-name xxx.internal
http server enable
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 validation-usage ipsec-client ssl-client ssl-server
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 keypair ASDM_TrustPoint1
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 4e7bf88d72c08d4efa48d3ec658e5a3281b2c6aa
    3082028e 30820233 a0030201 0202144e 7bf88d72 b08d4efa 48d3ec65 8e5a3281 
    ...
 quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate c47d26f97ee247a9
    308203d8 3082037e a0030201 02020900 c47d26f9 7ee247a7 300a0608 2a8648ce 
    ...
  quit
 certificate ca 4e7bf88d72c08d4efa48d3ec658e5a3281b2c6aa
    3082028e 30820233 a0030201 0202144e 7bf88d72 b08d4efa 48d3ec65 8e5a3281 
  quit
ssl server-version tlsv1.2
ssl trust-point ASDM_TrustPoint1 outside
ssl

0 Answers

  1. Best Answer

    I figured this out eventually (fun way to spend a Saturday.)

    I connected with openssl s_client to see what was happening and from the output I pulled out an error message:

    Verification error: Certificate public key has explicit ECC parameters

    So, I'm not sure how to resolve that issue. I'm generating the key and issuing the cert per this answer on the Information Security SE. The default is supposed to be named curves, not explicit parameters but even if I set the value I was still getting the same result.

    I'll figure that out later but in the meantime, what I ended up having to do was generate a key on the ASA, and export it to do the cert generation. This is a bit hacky but it worked:

    crypto key generate ecdsa label my_private_key elliptic-curve 384
crypto ca trustpoint throwaway
  keypair mykey
  enrollment self
  exit
crypto ca enroll throwaway noconfirm
crypto ca export throwaway pkcs12 foo
no crypto ca trustpoint throwaway noconfirm

    At this point I had a base64 PKCS #12 bag on the terminal. I copied the base64 data (not including the BEGIN and END lines) to my server and did this to get the key:

    echo "MIIEDwIBAzCCA8UGC..." | base64 -d | \
  openssl pkcs12 -nocerts -nodes -password pass:foo > my.key

    Success, I have the key! I generated the certificate using it, and created a new trustpoint using the keypair from earlier:

    crypto ca trustpoint my_tls_certificate
  enrollment terminal
  no ca-check
  subject-name CN=asa.xxx.internal
  keypair my_private_key
  exit
crypto ca enroll my_tls_certificate noconfirm
crypto ca import my_tls_certificate certificate

    At this point I provided the certificate file (again without the BEGIN and END lines) followed by "quit" on a line by itself.

    Finally I was able to enable the certificate with ssl trust-point my_tls_certificate outside and connect successfully.

    • 1