topic Identity Certificate Installation in Network Security

Identity Certificate Installation

Marius Gunnerud — Tue, 12 Mar 2019 00:56:31 GMT

I am a little uncertain if I am required to do anything else. Or perhaps I am misunderstanding and the Identity cert doesn't need the same trustpoint as the CA cert?

I get a FAIL message when I run the crypto ca authenticate command for my certificate. It is installed. It is a Verisign certificate. I have a Verisign Root certificate Trustpoint CERT that is also installed on the ASA, but as you see it has a different trustpoint name, does this matter or is it just significant to that particular certificate?

I am trying to renew an ID certificate.

ASA(config)# crypto ca authenticate CERT2
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

<snip>

-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint: <snip>
Do you accept this certificate? [yes/no]: y

Trustpoint CERT2 is a subordinate CA and holds a non self-signed certificate.

Trustpoint CERT2 is a subordinate CA.
but certificate is not a CA certificate.
Manual verification required

Trustpoint CA certificate accepted.
ERROR: Certificate already exists in the trustpoint CERT2
% Error in saving certificate: status = FAIL

Identity Certificate Installation

Andrew Phirsov — Tue, 05 Feb 2013 17:30:21 GMT

I don't fully understand your issue, but

To install identity certificate you should have trustpoint, authenticated with CA, wich directly issued your identity certificate. It doesn't matter for asa if your CA is root or subordinate 'cause it doesn't check the whole chaind by default.

So you have to:

1. Create a trustpoint.

2. Authenticate this trustpoint with some CA certificate (root or subordinate), using crypto ca authenticate command. This is cert of CA, wich will issue your identity certificate.

3. (optional) Issue request for identity certificate (wich i assume you've already done) using crypto ca enroll command.

4. Install identity certificate using crypto ca import command.

What you're trying to do in the output above is adding another CA certificate for trustpoint. Is that what you want to do?

Identity Certificate Installation

Marius Gunnerud — Wed, 06 Feb 2013 09:29:39 GMT

The CA root is installed and authenticated. I have now installed the Identity certificate, and am wondering if it is required that the trustpoint for the identity certificate and the CA certificate need to be the same.

Re: Identity Certificate Installation

Andrew Phirsov — Wed, 06 Feb 2013 10:08:46 GMT

Of course they should be the same. If you try to install identity certificate for trustpoint, that is not authenticated with CA cert (wich issued that identity certificate), the operation will fail, cause chain won't build.