Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3443
Views
0
Helpful
3
Replies

Identity Certificate Installation

Marius Gunnerud
VIP
VIP

‎02-05-2013 06:28 AM - edited ‎03-11-2019 05:56 PM

I am a little uncertain if I am required to do anything else.  Or perhaps I am misunderstanding and the Identity cert doesn't need the same trustpoint as the CA cert?


I get a FAIL message when I run the crypto ca authenticate command for my certificate.  It is installed.  It is a Verisign certificate.  I have a Verisign Root certificate Trustpoint CERT that is also installed on the ASA, but as you see it has a different trustpoint name, does this matter or is it just significant to that particular certificate?


I am trying to renew an ID certificate.


ASA(config)# crypto ca authenticate CERT2
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

<snip>


-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint:     <snip>
Do you accept this certificate? [yes/no]: y

Trustpoint CERT2 is a subordinate CA and holds a non self-signed certificate.

Trustpoint CERT2 is a subordinate CA.
but certificate is not a CA certificate.
Manual verification required

Trustpoint CA certificate accepted.
ERROR: Certificate already exists in the trustpoint CERT2
% Error in saving certificate: status = FAIL

--
Please remember to select a correct answer and rate helpful posts
Labels:
0 Helpful
3 Replies 3

Andrew Phirsov
Level 7
Level 7

‎02-05-2013 09:30 AM

I don't fully understand your issue, but

To install identity certificate you should have trustpoint, authenticated with CA, wich directly issued your identity certificate. It doesn't matter for asa if your CA is root or subordinate 'cause it doesn't check the whole chaind by default.

So you have to:

1. Create a trustpoint.

2. Authenticate this trustpoint with some CA certificate (root or subordinate), using crypto ca authenticate command. This is cert of CA, wich will issue your identity certificate.

3. (optional) Issue request for identity certificate (wich i assume you've already done) using crypto ca enroll command.

4.  Install identity certificate using crypto ca import command.

What you're trying to do in the output above is adding another CA certificate for trustpoint. Is that what you want to do?

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Andrew Phirsov

‎02-06-2013 01:29 AM

The CA root is installed and authenticated.  I have now installed the Identity certificate, and am wondering if it is required that the trustpoint for the identity certificate and the CA certificate need to be the same.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Andrew Phirsov
Level 7
Level 7
In response to Marius Gunnerud

‎02-06-2013 02:08 AM

Of course they should be the same. If you try to install identity certificate for trustpoint, that is not authenticated with CA cert (wich issued that identity certificate), the operation will fail, cause chain won't build.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card