Help save net neutrality! Learn more.

vpn3000 Invalid certificate chain ST

  • TorstenL

    TorstenL - 2009-03-01


    I'm trying to install CA into CiscoVPN3000 for many months...

    I used the guide of innominate [1].


    - Step 4: Sign the certificate request with the CA using XCA
      - export CRT as PEM
    - Step 5: Import of the signed Cisco certificate on the Cisco device
      - Install certificate obtained via enrollment

          Error installing identity certificate: Invalid certificate chain.

    I did already many attempts.
    Now I found a difference:   SP vs. ST

    - CA
    Administration | Certificate Management | View
    Subject                         Issuer
    CN=cavpn                        CN=cahrz
    OU=hrz                          OU=hrz
    O=fh-lausitz                    O=fh-lausitz
    L=Senftenberg                   L=Senftenberg
    SP=Brandenburg                  SP=Brandenburg
    C=DE                            C=DE  

    - CR
    Administration | Certificate Management | View Enrollment
    Subject                  Issuer
    CN=cavpn                   N/A
    11 03/01/2009 16:36:05.950 SEV=5 CERT/99 RPT=4
    Enrollment Session Created
    Session/request/ca cert handles: 3/7/-1
    Request Method=Manual, Cert Type=Identity, Request Type=Initial
    Subject DN: CN=cavpn,O=fh-mydomain,L=Senftenberg,ST=Brandenburg,C=DE,OU=hrz
    328 03/01/2009 17:04:37.080 SEV=4 CERT/31 RPT=6
    Unable to complete certificate chain, reason = Incomplete chain
    $  openssl x509 -text -in cavpn_1.crt | egrep "Serial|Issuer:|Subject:"
            Serial Number: 4 (0x4)
            Issuer: C=DE, ST=Brandenburg, L=Senftenberg, O=fh-mydomain, OU=hrz, CN=cavpn/
            Subject: CN=cavpn, OU=hrz, O=fh-mydomain, L=Senftenberg, ST=Brandenburg, C=DE/


    Can that be the cause for this problem?
    Any suggestion?

    debian etch
    xca--0.6.3 (cannot use 0.6.4)

    Regards Trosten

    • TorstenL

      TorstenL - 2009-03-02

      sorry s/foo/mydomain/ was incomplete...


    • Christian Hohnstaedt

      "ST=Brandenburg" is the same as "SP=Brandenburg" they
      are just different abbreviations for "State or Province name"

      The CA certificate is installed on the Cisco, right  ?

      If you don't mind, you may send me the certificates
      and I'll have a look.

    • TorstenL

      TorstenL - 2009-03-02

      Thank you.

      You can find test-certificates on:

      notes on: descr.txt

      Regards Torsrten

      • Christian Hohnstaedt

        I noticed that the Cisco certificate has the same issuer and subject distinguished name; in different order
        but identical otherwise. Maybe Cisco assumes a selfsigned certificate because issuer and subject are the same,
        or it can't find the CA certificate, because it finds his own certificate while searching for the CA cert by name.

        My first strong suggestion: Create a new request on the Cisco and choose a "CommonName" different from "cavpn".
        How about "Cisco300 VPN gateway" ?

        You need to install at least 3 CA certificates on the Cisco:
        the root CA and all intermediate CAs (if any) up to the "cahrz",
        the "cahrz" itself and the "cavpn".
        Otherwise the Cisco can't build the certificate chain up to the root CA.



    • TorstenL

      TorstenL - 2009-03-02

      Thank you.
      I am already installed all certificate.
      Now i create e new request with CN=cisco3030
      but cisco give me the same errormessage:

      cisco enroll:
        -> pkcs0008.txt vpn3030_8CR.pem
      xca:   sig: cavpn
        export PEM  -> cisco3030.crt

      cisco install:
        -> Error installing identity certificate: Invalid certificate chain.

      List installed CA:
      Subject Issuer  Expiration      SCEP Issuer     Actions
      cahrz at fh-mydomain     CA at fh-mydomain        02/27/2017      No      View | Configure | Delete
      CA at fh-mydomain        CA at fh-mydomain        02/27/2019      No      View | Configure | Delete
      cavpn at fh-mydomain     cahrz at fh-mydomain     02/28/2013      No      View | Configure | Delete

      $ openssl x509 -text -in cisco3030.crt | egrep "Serial|Issuer:|Subject:" | sed "s/foo/mydomain/g"
              Serial Number: 5 (0x5)
              Issuer: C=DE, ST=Brandenburg, L=Senftenberg, O=fh-mydomain, OU=hrz, CN=cavpn/
              Subject: CN=cisco3030, OU=hrz, O=fh-mydomain, L=Senftenberg, ST=Brandenburg, C=DE/

      Any Suggestion?
      I have copied CR and CA to webspace.

      Regards Torsten.

    • TorstenL

      TorstenL - 2009-03-09

      Problem solved. (SHA512 -> SHA1)

      regards Toraten


      - install CA into CiscoVPN3000
        - Install certificate obtained via enrollment :

          Error installing identity certificate: Invalid certificate chain.

      - ciscovpn cannot handle certificate which signed with sha256 (like windows...)
        s. [17][18]

      - do sign each! certificate (in this chain) with hash-algo sha1
      - This can be set as default for all signing operations by the options dialog.

      [17] Problem with self-created root CA
      [18] Help about SHA256

      • Christian Hohnstaedt

        Because of the many problems, the default hash algorithm is reset from SHA2 to SHA1
        in the next version.

        Btw:  "Invalid certificate chain" is a very poor and misleading error message to find this problem.


Log in to post a comment.