ICA not shown when trying to sign request
-
Hi there!
We have an external CA imported, which is used to sign certificate requests for VPN.
Now after a few months, I need to sign the request of a new client and the ICA-Cert is not shown anymore in "Sign a Certificate signing request".
The CA which signed the ICA is shown and the internal.
Both CA and ICA are valid.
-
Neither has expired?
This is on 2.4.5p1, and was it also like this previously?
Steve
-
It's 2.4.5p1, the certs expire in 18 months.
I don't know when I updated to this version, so I can't really tell when this behaviour occurred first.
Even re-importing the ICA didn't work.
My problem, while I need it this way, is that Windows computers get their machine cert from AD, which is used for auth on the IPsec Mobile VPN on the PF.
Macs don't get their cert from AD, so I imported the AD ICA to the PF and create and sign the certs for the Macs on the PF. I managed to manually sign the request created on the PF in the AD by setting all the additional attributes I use in IPsec Mobile. So at the moment there is no time-critical pressure, but I want to know what happened to my ICA cert...
-
Can you see ICA on the System / Cert Manager / CAs page?
Could you show the output of

    openssl x509 -in icacert.crt -text -noout

?
-
@viktor_g said in ICA not shown when trying to sign request:

    openssl x509 -in icacert.crt -text -noout

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                36:00:01:bc:8b:70:7a:1d:79:d8:c7:07:77:00:01:00:01:bc:8b
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: DC = local, DC = <removed>, CN = <removed>
            Validity
                Not Before: Feb  8 08:11:23 2021 GMT
                Not After : Feb  8 08:21:23 2023 GMT
            Subject: DC = local, DC = <removed>, CN = <removed>
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus: <removed>
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                1.3.6.1.4.1.311.21.1:
                    .....
                1.3.6.1.4.1.311.21.2:
                    ..\&..".4...tF......\\
                X509v3 Subject Key Identifier:
                    <removed>
                    . .S.u.b.C.A
                X509v3 Key Usage:
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Authority Key Identifier:
                    <removed>
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:<removed>
                Authority Information Access:
                    CA Issuers - URI:<removed>
        Signature Algorithm: sha256WithRSAEncryption
             <removed>
-
@it_ib Please check that you have the private key for this CA.
-
@viktor_g
I could export the cert with key from AD and split it.
But I didn't need to import the PK before.
The field says "Optional".
It worked before without the PK.
-
@it_ib You need the private CA key to sign the CSR.

    Sign a Certificate Signing Request

    Signing a certificate signing request (CSR) is a special process which uses an internal CA on the firewall to sign a CSR and turn it into a full-fledged certificate. The following options are available when signing a CSR:

    CA to sign with
        The CA on the firewall which will sign this CSR. This must be an internal CA (private key present).
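The check viktor_g asks for, done with the same openssl tooling pfSense uses underneath, as an added example that is not part of the thread or of pfSense itself. The script builds a throwaway root CA, an intermediate "ICA" with the same key usage and basic constraints as the posted certificate, and a client CSR, all as constructed test data; it then exports the ICA as a PKCS#12 file and splits it back into certificate and key (the "export with key from AD and split it" step), confirms that the key really belongs to the certificate, and signs the CSR with it. The file names, subjects and the export password are hypothetical. The final function shows the failure mode the thread is about: a CA certificate alone cannot sign anything, so a CA imported without its private key cannot appear in "CA to sign with".

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): verify that a CA certificate and a
# private key belong together, then sign a CSR with that CA the way pfSense does
# internally. All key material is generated here as constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA plus an intermediate CA ("ICA") mirroring the posted certificate:
# Basic Constraints critical CA:TRUE, Key Usage digitalSignature/keyCertSign/cRLSign.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Test Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=digitalSignature,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Test Sub CA" -keyout "$WORK/ica.key" -out "$WORK/ica.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ica.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 730 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ica.crt" 2>/dev/null
  # Simulate the AD export (cert + key in one PKCS#12 file) and split it, as the poster did.
  openssl pkcs12 -export -in "$WORK/ica.crt" -inkey "$WORK/ica.key" \
    -passout pass:export -out "$WORK/ica.pfx"
  openssl pkcs12 -in "$WORK/ica.pfx" -passin pass:export -nocerts -nodes \
    -out "$WORK/ica_split.key" 2>/dev/null
  openssl pkcs12 -in "$WORK/ica.pfx" -passin pass:export -clcerts -nokeys \
    -out "$WORK/ica_split.crt" 2>/dev/null
  # A client request, standing in for the Mac CSR generated on the firewall.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mac01.example.test" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Succeed only when the public key inside the certificate ($1) equals the public key
# derived from the private key ($2). This is the test to run on the split PFX pieces.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Sign CSR $1 with CA cert $2 and CA key $3, writing the certificate to $4.
# Fails when the CA key is missing: a certificate alone cannot sign anything.
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/client.ext" -out "$4" 2>/dev/null
}

# Check that the issued certificate ($1) chains through the ICA ($2) to the root.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
}

make_test_pki
if key_matches_cert "$WORK/ica_split.crt" "$WORK/ica_split.key"; then
  echo "split ICA certificate and private key match"
fi
sign_csr "$WORK/client.csr" "$WORK/ica_split.crt" "$WORK/ica_split.key" "$WORK/client.crt"
verify_chain "$WORK/client.crt" "$WORK/ica_split.crt" && echo "client certificate verifies via ICA to root"
if ! sign_csr "$WORK/client.csr" "$WORK/ica_split.crt" "$WORK/missing.key" "$WORK/never.crt"; then
  echo "signing without the CA private key fails, as expected"
fi
```

When the real key exported from AD is used, run key_matches_cert against the ICA certificate already on the firewall before importing it; a mismatch means the PFX holds a different key (for example from a renewed CA certificate) and signing will still be refused.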