Cisco Bug: CSCsl66538 - ASA "hardware accelerator encountered an error (Invalid PKCS Type)"

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.0(3)

Description (partial)

Symptom:

After migrating the SSL certificate from a VPN 3000 Concentrator to the ASA, the SSL certificate cannot be imported into the ASA.

When a client tries to connect to the ASA over the SSL VPN, the connection fails with the error message below:

"CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command SSL RSA Server Fin..."

Conditions:

The SSL certificate was migrated from the 3000 Concentrator to the ASA using the following steps, and a client then tries to connect to the ASA over the SSL VPN:

Export the certificate from the 3000:

Administration | Certificate Management

Click Export on the SSL certificate for the public interface.

You will have to set a password for the export.

Save the result as a file.

1) Open the exported file from the 3000 using Notepad.

2) Open three more Notepad sessions for the three files you will create.

3) Copy and paste the first text string, starting with -----BEGIN ENCRYPTED PRIVATE KEY----- and running all the way to -----END ENCRYPTED PRIVATE KEY-----. Both the -----BEGIN ENCRYPTED PRIVATE KEY----- and the -----END ENCRYPTED PRIVATE KEY----- lines must be included in the file.

4) Save this file as certpriv.txt

5) Copy and paste the second text string, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE----- (including both the BEGIN and END lines).

6) Save this file as certpublic.txt

7) Repeat steps 5 and 6 for the third text string, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE----- (including both the BEGIN and END lines).

8) Save this file as certchain.txt

9) Run the following openssl command to combine the three files into PKCS12 format (the chain certificate is supplied with -certfile):

openssl pkcs12 -in certpublic.txt -inkey certpriv.txt -nodes -passin pass:CiscoSSL -passout pass:CiscoSSL -export -out cert.p12 -certfile certchain.txt

Here CiscoSSL is the password that was set when exporting from the 3000 (read with -passin to decrypt certpriv.txt) and is also set as the password of the new PKCS12 file (-passout).

10) Now convert the PKCS12 file to base64 format:

openssl base64 -in cert.p12 -out asacert.p12

11) Now you should be able to import this file into the ASA, naming the trustpoint (test here) and giving the PKCS12 password, then pasting the contents of asacert.p12 when prompted:

       crypto ca import test pkcs12 CiscoSSL

12) Now enable the trustpoint for the outside interface:

           ssl trust-point test outside
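
The manual Notepad steps 1-8 and the two openssl commands of steps 9-10, as an added Python example that is not part of the Cisco bug report: it splits the exported file into the three PEM files, refuses anything other than one encrypted key followed by two certificates, and builds the openssl command lines (with -certfile for the chain file). The sample export and its PEM bodies are constructed placeholders, not real key or certificate material.

```python
import re
import sys
from pathlib import Path

# A complete PEM block, BEGIN and END lines included: the workaround stresses
# that both marker lines must be part of every file handed to openssl.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

# Constructed stand-in for a 3000 export; the bodies are placeholders, not real
# key or certificate material.
SAMPLE_EXPORT = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nKEYBODY\n-----END ENCRYPTED PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nLEAFBODY\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nCHAINBODY\n-----END CERTIFICATE-----\n"
)


def split_export(text):
    """Map file name -> PEM contents for the three files of steps 4, 6 and 8.

    The export must hold exactly one encrypted private key and two certificates
    (identity certificate first, issuer second); anything else is rejected rather
    than written, since a wrong block is what makes the later steps fail."""
    blocks = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]
    keys = [body for kind, body in blocks if kind == "ENCRYPTED PRIVATE KEY"]
    certs = [body for kind, body in blocks if kind == "CERTIFICATE"]
    if len(keys) != 1 or len(certs) != 2:
        raise ValueError("expected 1 ENCRYPTED PRIVATE KEY and 2 CERTIFICATE blocks, "
                         "found %d and %d" % (len(keys), len(certs)))
    # Trailing newline so openssl sees a terminated END line in each file.
    return {"certpriv.txt": keys[0] + "\n",
            "certpublic.txt": certs[0] + "\n",
            "certchain.txt": certs[1] + "\n"}


def openssl_commands(password):
    """Steps 9 and 10 as argv lists: PKCS12 export, then base64 encoding."""
    # pass: puts the password on the command line, where process listings can
    # see it; the bug report's procedure does this, a file: source avoids it.
    return [["openssl", "pkcs12", "-export", "-in", "certpublic.txt",
             "-inkey", "certpriv.txt", "-certfile", "certchain.txt",
             "-passin", "pass:" + password, "-passout", "pass:" + password,
             "-out", "cert.p12"],
            ["openssl", "base64", "-in", "cert.p12", "-out", "asacert.p12"]]


if __name__ == "__main__":
    # Usage: python split_export.py <exported file>; without an argument the sample is used.
    source = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for name, content in split_export(source).items():
        Path(name).write_text(content)
    for argv in openssl_commands("CiscoSSL"):
        print(" ".join(argv))
```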