Hello everybody,
I am having an issue with using my own CA.
I have the certificates from the CA and sub-CA at hand in all kinds of formats (.der, .pem, .p12)
- I've created the trustpoint (MAINCA) in ASA via CLI and provided details (subject-name, fqdn, enrollment terminal, NO SERIAL)
- I've generated the CSR on the ASA from CLI with no problems (enroll the trustpoint).
- I've saved the CLI output of the CSR to a file
- I let the sub-CA process the CSR - and the CA has processed it as well just to give it a try
- I've the Certificate ready formated as .der and .pem
As mentioned in Cisco Documentation I now have to authenticate the trustpoint with
crypto ca authenticate MAINCA
where the trustpoint-name is the same as the one from creating a trustpoint just a little earlier.
- I can paste the characters from the .pem-file of either, the CA or the sub-CA with no problem at all
- I finish as asked with quit
- I get the info that certificate has a fingerprint - ok - and if I would like to accept the certificate - yes is what I entered.
The process is, however, aborted with:
% Error in saving certificate: status = FAIL
I started a debug as well - but I don't get it
CRYPTO_PKI: can not set ca cert object (0x701)
CRYPTO_PKI: status = 65535: failed to process RA certificate
CRYPTO_PKI: Cleaned PKI cache successfully
CRYPTO_PKI: Starting to build the PKI cache
CRYPTO_PKI: Failed to retrieve router cert
CRYPTO_PKI: Failed to cache certificate chain for the trustpoint MAINCA or none available
CRYPTO_PKI: Failed to retrieve trusted issuers list or no trustpoint configured
Can somebody clear the sky, please?
