08-14-2016 02:04 PM - edited 02-21-2020 05:53 AM
Created a CSR, obtained the certificate files, uploaded them to ASA505. Three certs in the CA Certificates; one in the Identity Certificate. All seems just wonderful. Now to make use of the SSL certs: when trying to associate the certificate to the Interface in the section SSL settings, we get an error:
[OK] ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
[ERROR] ssl trust-point ASDM_TrustPoint5 outside
Trustpoint not enrolled. Please enroll trustpoint and try again.
The cert appears in the drop down list for selection, why the error? How to clear it?
08-15-2016 04:25 PM
Hi Stewart Buswell,
I have seen this issue when starting the CSR request through the cli using the configuration of enrollment terminal and then going to the ASDM and adding the identity certificate without using the command crypto ca enroll through the cli.
In this case if you are using the CLI/ASDM you can follow this guide:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98596-asa-8-x-3rdpartyvendorcert.html
And the way to resolve this will be generating a new CSR on the ASDM using the same keypair and installing the certificate over that trustpoint. After applying the cert to the ssl you can remove the old one that was failing.
Hope this info helps!!
Rate if it helps you!!
-JP-
02-15-2018 06:46 AM
I just want to add here what ended up for me with this message and how I resolved it. Since I received a total of 4 certs, 3 for the CA and one for the identity, I made the mistake of not paying attention to the details of the instructions given. Adding the 3 CA certs with the following command worked fine.
crypto ca authenticate SSL-Trustpoint-x
The mistake I made was using this same command for the identity. It needs to be:
crypto ca import SSL-Trustpoint certificate
To recover from the mistake one must delete the trustpoint and associated certificate.
no crypto ca trustpoint SSL-Trustpoint
Add it back again with the exact same parameters as you did when you generated the CSR.
The second time through, when you do this:
crypto ca enroll SSL-Trustpoint
Simply answer no to the question about displaying the CSR on the console. Then proceed with the import as above, and the assignment of the trustpoint to the ssl process.
ssl trustpoint SSL-Trustpoint
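The whole sequence the post above describes, written out as one added ASA CLI configuration example (not taken from the post or from Cisco's own documentation); the trustpoint names, key-pair label, subject and host name are assumptions:

```text
! Key pair generated once. It survives "no crypto ca trustpoint", so a
! re-created trustpoint must reference the same label to match the CSR.
crypto key generate rsa label SSL-Keypair modulus 2048

! Identity trustpoint: certificates are pasted by hand (enrollment terminal).
crypto ca trustpoint SSL-Trustpoint
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp,L=San Jose,ST=California,C=US
 keypair SSL-Keypair
 exit

! Generates the CSR from SSL-Keypair and marks the trustpoint as enrolled.
! Importing an identity cert into a trustpoint that never ran this step is
! what produces "Trustpoint not enrolled" when the cert is bound to ssl.
crypto ca enroll SSL-Trustpoint

! CA certificates are "authenticate", never "import". The issuing CA goes
! into the identity trustpoint; the root (and any further intermediate)
! each get a trustpoint of their own.
crypto ca authenticate SSL-Trustpoint
! paste the issuing (intermediate) CA PEM, then type: quit
crypto ca trustpoint SSL-Trustpoint-root
 enrollment terminal
 exit
crypto ca authenticate SSL-Trustpoint-root
! paste the root CA PEM, then type: quit

! Only the identity certificate is imported, and only into the trustpoint
! whose CSR it was issued for.
crypto ca import SSL-Trustpoint certificate
! paste the identity certificate PEM, then type: quit

! Bind to the outside interface; "ssl trustpoint" is accepted as shorthand.
ssl trust-point SSL-Trustpoint outside

! Verify before relying on it: the identity trustpoint must show both a
! CA Certificate and an Identity Certificate with Status: Available.
show crypto ca certificates SSL-Trustpoint
```

If the identity cert was mistakenly loaded with "authenticate", remove the trustpoint with "no crypto ca trustpoint SSL-Trustpoint", re-create it with the same keypair and subject, enroll, and import again as shown.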
08-19-2016 10:29 AM
The reinstall seemed to work, though I have no idea what the issue was with the first attempt! I did it the same way, with one modification in the CSR. The State was CA and I understand it needs to be California. Other than that I loaded the same certificate and all is well! Thanks. - Peter