This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

8.305 - Problems with second Thawte certificate

Hello

We have one Thawte certificate for WAF and it's working fine.
Now we want to use a second Thawte certificate for Remote Access / Cisco VPN Client.
If we choose this certificate at the VPN configuration we get this message:

"The certificate of the CA that issued the 'Thawte_certificate_name' certificate is needed."

If we try to upload the CAs from Thawte at Certificate Authority we get:

"Storage already holds a certificate with the same fingerprint."

What can we do to get this certificate working?

Thanks

This thread was automatically locked due to age.

Parents

0 JonathanM over 13 years ago

Can you verify which Thawte CA Certificates you are importing? You will need to import both the Primary and the Secondary Intermediate CA Certificates. You can find a list of the Intermediates here:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1384

There are unique Intermediate CA Certificates for each Thawte SSL product. So, please make sure that you are selecting the correct Intermediates.

You might receive the "Storage already holds a certificate with the same fingerprint" if the Secondary and /or Primary Intermediate already exists.

And, if you need to find the Thawte Root certificate, you can find it here:
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1530
Cancel
Vote Up 0 Vote Down

Cancel

0 chk over 13 years ago in reply to JonathanM

Hi there

If we use this certificate for the user portal, everything is working fine.
So i think we've imported the cert and CAs correct.

This is what we get when we try to connect through Cisco VPN:

2012:09:05-11:45:06 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: responding to Main Mode from unknown peer 178.X.X.X 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: NAT-Traversal: Result using RFC 3947: peer is NATed 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: ignoring informational payload, type IPSEC_INITIAL_CONTACT 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: Peer ID is ID_DER_ASN1_DN: 'C=de, L=City, O=Company, CN=Name, Firstname' 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: crl not found 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: certificate status unknown 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: we have a cert and are sending it 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: Dead Peer Detection (RFC 3706) enabled 

2012:09:05-11:45:07 astaro-1 pluto[1549]: | NAT-T: new mapping 178.X.X.X:500/58961) 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X:58961 #8: sent MR3, ISAKMP SA established 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X:58961 #8: sending XAUTH request 

2012:09:05-11:45:10 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:13 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:16 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:29 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange

Reply

0 chk over 13 years ago in reply to JonathanM

2012:09:05-11:45:06 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: responding to Main Mode from unknown peer 178.X.X.X 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: NAT-Traversal: Result using RFC 3947: peer is NATed 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: ignoring informational payload, type IPSEC_INITIAL_CONTACT 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: Peer ID is ID_DER_ASN1_DN: 'C=de, L=City, O=Company, CN=Name, Firstname' 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: crl not found 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: certificate status unknown 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: we have a cert and are sending it 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: Dead Peer Detection (RFC 3706) enabled 

2012:09:05-11:45:07 astaro-1 pluto[1549]: | NAT-T: new mapping 178.X.X.X:500/58961) 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X:58961 #8: sent MR3, ISAKMP SA established 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X:58961 #8: sending XAUTH request 

2012:09:05-11:45:10 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:13 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:16 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:29 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange

Children

No Data