Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
19091
Views
25
Helpful
8
Replies

ASA Certs and Trustpoints

Go to solution
Craddockc
Level 3
Level 3

‎10-15-2018 12:06 PM - edited ‎02-21-2020 08:21 AM

Community,

 

I am trying to delete an identity cert in my ASA that is expired. However, when I try the ASA states that the Trustpoint "is in use" and thus is not allowing me to. Upon further investigation I found that one of the CA Certs is tied to the Trustpoint in question. I cannot see any way to change the Trustpoint. My questions are these:

 

1) What exactly is a Truspoint?

2) Can I just remove the CA Cert? I dont think the ASA is using the CA Certs to auth the clients that connect to the Firewall using Anyconnect is it? From what I understand, the ASA presents the ID Cert to the client machine as proof of a trusted connection. Im not exactly sure the use case for a CA cert if the firewall isnt having to trust any certs presented to it.

 

Any help you can provide would be swell,

 

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎10-15-2018 12:34 PM

1) Trustpoint is a container to hold an identity and intermediate/CA certificate. Trustpoint makes it easy to reference what identity certificate should be used for what purpose. For ssl/https server functionality, the "ssl trust-point <Trustpoint-name>" tells the ASA what identity cert to present to an SSL client.

 

2) ASA presents the entire chain during an SSL/TLS transaction if it has all the certs in the hierarchy available. In many cases, the client may only trust the Root CA but not the sub/intermediate CA that issued the ASA cert. In such a case, it is imperative that the ASA send the entire chain so that the client can trust the cert based on the cert hierarchy ("I trust the root, hence any cert issued by subCA is trusted by me") . IF your CA certs are in a separate trustpoint from the identity, you can delete that trustpoint and re-import the CA cert again. If you want to delete the intermediate CA and the identity cert also exists within the same trustpoint, you cannot delete the CA cert alone. You have to remove the entire trustpoint, which removes the identity cert also. Best export the identity cert in pkcs12 format before you make any changes to its trustpoint. 

View solution in original post

8 Replies 8

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎10-15-2018 12:34 PM

1) Trustpoint is a container to hold an identity and intermediate/CA certificate. Trustpoint makes it easy to reference what identity certificate should be used for what purpose. For ssl/https server functionality, the "ssl trust-point <Trustpoint-name>" tells the ASA what identity cert to present to an SSL client.

 

2) ASA presents the entire chain during an SSL/TLS transaction if it has all the certs in the hierarchy available. In many cases, the client may only trust the Root CA but not the sub/intermediate CA that issued the ASA cert. In such a case, it is imperative that the ASA send the entire chain so that the client can trust the cert based on the cert hierarchy ("I trust the root, hence any cert issued by subCA is trusted by me") . IF your CA certs are in a separate trustpoint from the identity, you can delete that trustpoint and re-import the CA cert again. If you want to delete the intermediate CA and the identity cert also exists within the same trustpoint, you cannot delete the CA cert alone. You have to remove the entire trustpoint, which removes the identity cert also. Best export the identity cert in pkcs12 format before you make any changes to its trustpoint. 

Go to solution
Craddockc
Level 3
Level 3
In response to Rahul Govindan

‎10-15-2018 12:40 PM - edited ‎10-15-2018 12:45 PM

Rahul,

 

Thank you for the response. So a "trustpoint" is a container that ties an ID Cert to a CA Cert, creating a "cert chain" the ASA can send to the Anyconnect client? Should the ID Cert and the CA Cert always be in the same TP?

 

 

Thanks.

0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to Craddockc

‎10-15-2018 12:45 PM

Replied here: https://community.cisco.com/t5/vpn-and-anyconnect/multiple-certificates-on-asa/m-p/3725791#M147075

 

The client looks for 4 things to validate server cert:

1) Issuing from and to validation

2) FQDN matches Subject Alternative Name (SAN) or Subject CN name

3) Cert issued by trusted CA. IF it is a local CA, the public key or cert of CA should be in  the trusted store

4) Cert should have the right KU and EKU if this value if populated by the CA. 

Go to solution
Craddockc
Level 3
Level 3
In response to Rahul Govindan

‎10-15-2018 12:51 PM

Rahul,

 

I genuinely appreciate your responses. I apologize as we may have been responding simultaneously. I have one more question.

The way I am understanding this is that the ID Cert and the CA cert should usually be in the same TP, this way the ASA can present the entire chain to the client. Otherwise, only the ID cert will be used, which may or may not be completely trusted by the client. Is that correct?

0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to Craddockc

‎10-15-2018 12:57 PM

Not necessarily. You can have a all of them on separate trustpoints and the ASA will automatically build a chain and send it to the client. You can have:

 

TP1

ID+Intermediate

TP2

SubCA1

TP3

Root

 

or you can have

TP1

ID

TP2

Intermediate

TP3

SubCA1

TP4

Root

 

In both cases above, the ASA sends the entire chain up to the Root CA. A trustpoint can hold only a max of 1 ID and 1 CA cert, so for large CA's (GoDaddy for example) you usually cannot have all certs in a single trustpoint. Hence, this intelligence is automatically built into the ASA.

Go to solution
Craddockc
Level 3
Level 3
In response to Rahul Govindan

‎10-15-2018 01:02 PM

Rahul,

 

Thanks! In my current situation I have an ID cert by GoDaddy in TP2 but the CA Cert (also by GoDaddy) is in TP0. This is not a problem? The ASA will package both up and send those to the client automatically?

 

Thanks.

0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to Craddockc

‎10-15-2018 01:45 PM

Yes, this should work. You can import the GoDaddy cert into TP2 also if you wanted. But this is not necessary. 

0 Helpful

Go to solution
MJ666
Level 1
Level 1
In response to Rahul Govindan

‎03-13-2024 11:12 AM

@Rahul Govindan  

I have an SSL-Certificate alarm from PRTG correctly highlighting the "Unable to check revocation status"

Christory_0-1710353662654.png

 

 

with <sh crypto ca certificates> I can see that the issuing or root certification authority or the root certification authority is available to be queried.


I can also see the certificate via Cisco ASDM>Configuration>Remote Access VPN>Certificate Management>CA Certificates.
I don't understand why I've been getting this alarm for 1 week on 3 out of 20 ASA firewalls.

 

I use the following command on the firewall in the CLI and if I do a firewall rule import from the firewall and then a deployment, the parameter is overwritten:     ssl trustp-point My_trustpoint

 

conf t
dynamic-access-policy-confi activate
vpn-addr-assign local reuse-delay 0
no ssl trust-point <My_trustpoint>

 

I don't understand why (CSM) Cisco Security Manager keeps deleting the last command line and unfortunately, I haven't found the corner of the CSM where this is configured....


This is probl the reason why messages appear in the prtg, coz the verified CA is not the right one or it is, by default, self-signed certificates on firewalls.

 

the chain is unfortunately not routed to internet." Unable to resolve domain name" is the message I got from ssllabs.com

 

Is there any workaround to validate or compare my settings?

 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card