I spent the whole morning working on an IPSec VPN certificate, trying to import a certificate, and finally gave up and asked Verisign support for help. I have done this many times and have detailed documentation of the steps. But this time the situation was different.
My previous post clearly shows all the steps I have to follow:
By enabling the following debugs, I got some more detail, showing "valid cert path not found":
debug crypto pki messages
debug crypto pki transactions
debug crypto pki validation
Dec 15 17:25:18.264: CRYPTO_PKI: make trustedCerts list for VerisignCA1
Dec 15 17:25:18.264: CRYPTO_PKI: subject="cn=VeriSign Class 3 Secure Server CA - G3,ou=Terms of use at https://www.verisign.com/rpa (c)10,ou=VeriSign Trust Network,o=VeriSign, Inc.,c=US" serial number= 6E CC 7A A5 A7 03 20 09 B8 CE BC F4 E9 52 D4 91 n.z… ……R..
Dec 15 17:25:18.272: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(1364) : E_PATH_NOT_FOUND : valid cert path not found (reason: 18)
Dec 15 17:25:18.272: CRYPTO_PKI: status = 0x750(E_PATH_NOT_FOUND : valid cert path not found (reason: %n0)): failed to verify or insert the cert into storage
Validation Failed: can’t get local certificate chain
I even tried the following method, which I found on the Internet. I created multiple trustpoints in case I had missed a root certificate, since I was only using the one 'RSA Secondary SSL Intermediate CA Certificate' from Symantec Article AR2108, which I had tested before and which was working.
“I ended up using the following order based on the digicert tutorial to complete the install. The trick is to have an empty first trust point, which has the first intermediate cert, and a second trust point using the “chain-validation continue [FirstTrustpointName]” with the second intermediate certificate and the ssl cert.”
After I gave up troubleshooting and called Verisign support, the mystery was resolved with a clear and simple cause: Symantec is using a new intermediate CA, G4, for new certificates, with signature hash algorithm SHA-256, as shown below. Verisign had not yet updated their article with the link to this new intermediate CA, but you will get it when you download your certificate from your account.
You will get a zip file that includes the following files:
ssl_certificate.crt is your SSL certificate. IntermediateCA.crt is the new G4 certificate. The ones in article AR2108 are G3 and G5; I was able to use G3 alone to get the certificate imported and validated in my previous post.
I have copied the new Intermediate G4 certificate below for future reference, although I am disappointed that Verisign did not update their website or email the right thing to customers. Hopefully I am the only one to have had this pain.
Then you can re-import your intermediate certificate without removing your trustpoint. If you completely remove the trustpoint per Cisco's suggestion ('You must use 'no crypto pki trustpoint <trustpoint-name>' to delete the CA certificate.'), you will end up having to re-create your trustpoint and your CSR and re-submit the CSR, and it will take a long time to get your certificate from your CA again.
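As an added check that is not part of the original post: before pasting an intermediate into the IOS trustpoint, confirm on a workstation that it really is the issuer of your server certificate. The script below is my own example, not Verisign's or Cisco's; every CA name and the hostname are constructed, and it only needs the openssl command. It builds a throwaway root, an old "G3" and a new "G4" intermediate, and a server certificate issued by G4. Validating the server certificate with only G3 on hand fails, the same no-valid-path situation the debug output above shows, while G4 succeeds. The issuer_matches function is the quick test to run on the real ssl_certificate.crt and IntermediateCA.crt from the zip.

```shell
#!/bin/sh
# Constructed demo: a server cert issued by intermediate "G4" does not
# validate when the only intermediate available is "G3"; it does once the
# matching intermediate is supplied. All names below are made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: intermediates must be marked CA:TRUE or no path is built.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > leaf.ext

# Self-signed root (stands in for the public primary CA).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj '/CN=Demo Root CA' -keyout root.key -out root.crt >/dev/null 2>&1

# Two intermediates issued by the same root: the old "G3" and the new "G4".
for NAME in G3 G4; do
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Class 3 Secure Server CA - $NAME" \
    -keyout "$NAME.key" -out "$NAME.csr" >/dev/null 2>&1
  openssl x509 -req -in "$NAME.csr" -CA root.crt -CAkey root.key \
    -CAcreateserial -days 2 -sha256 -extfile ca.ext -out "$NAME.crt" >/dev/null 2>&1
done

# The server certificate is signed by the new G4 intermediate only.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=m-dmz.example.test' \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA G4.crt -CAkey G4.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out ssl_certificate.crt >/dev/null 2>&1

# issuer_matches INTERMEDIATE LEAF: true when the intermediate's subject DN
# is exactly the leaf's issuer DN. Run this on the real files from the zip.
issuer_matches() {
  int_subject="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')"
  leaf_issuer="$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=//')"
  [ "$int_subject" = "$leaf_issuer" ]
}

# chain_status ROOT INTERMEDIATE LEAF: prints "ok" when openssl can build
# root -> intermediate -> leaf, "fail" otherwise (always returns 0).
chain_status() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo "ok"
  else
    echo "fail"
  fi
}

# Demonstration: wrong intermediate -> no path; right one -> valid chain.
echo "G3 subject matches leaf issuer: $(issuer_matches G3.crt ssl_certificate.crt && echo yes || echo no)"
echo "G4 subject matches leaf issuer: $(issuer_matches G4.crt ssl_certificate.crt && echo yes || echo no)"
echo "chain with G3: $(chain_status root.crt G3.crt ssl_certificate.crt)"
echo "chain with G4: $(chain_status root.crt G4.crt ssl_certificate.crt)"
```

Run it as `sh check_chain.sh`. On the real files, the two commands inside issuer_matches (`openssl x509 -in IntermediateCA.crt -noout -subject` and `openssl x509 -in ssl_certificate.crt -noout -issuer`) must print the same DN; if they do not, the trustpoint will report the same path error no matter how many times the certificate is re-imported.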
m-dmz#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 0887ED29C6A3E88C9E4EF7D4972BB43B
Certificate Usage: General Purpose
Issuer:
cn=Symantec Class 3 Secure Server CA - G4
ou=Symantec Trust Network
o=Symantec Corporation
c=US
Subject:
Name: m-dmz.test.com
cn=m-dmz.test.com
o=Giesecke & Devrient systems canada inc
l=markham
st=ontario
c=CA
CRL Distribution Points:
http://ss.symcb.com/ss.crl
Validity Date:
start date: 19:00:00 EST Dec 14 2014
end date: 19:59:59 EDT Mar 12 2017
Associated Trustpoints: VerisignCA1
CA Certificate
Status: Available
Certificate Serial Number (hex): 513FB9743870B73440418D30930699FF
Certificate Usage: Signature
Issuer:
cn=VeriSign Class 3 Public Primary Certification Authority - G5