02-05-2013 06:28 AM - edited 03-11-2019 05:56 PM
I am a little uncertain if I am required to do anything else. Or perhaps I am misunderstanding and the Identity cert doesn't need the same trustpoint as the CA cert?
I get a FAIL message when I run the crypto ca authenticate command for my certificate. It is installed. It is a Verisign certificate. I have a Verisign Root certificate Trustpoint CERT that is also installed on the ASA, but as you see it has a different trustpoint name, does this matter or is it just significant to that particular certificate?
I am trying to renew an ID certificate.
ASA(config)# crypto ca authenticate CERT2
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: <snip>
Do you accept this certificate? [yes/no]: y
Trustpoint CERT2 is a subordinate CA and holds a non self-signed certificate.
Trustpoint CERT2 is a subordinate CA.
but certificate is not a CA certificate.
Manual verification required
Trustpoint CA certificate accepted.
ERROR: Certificate already exists in the trustpoint CERT2
% Error in saving certificate: status = FAIL
02-05-2013 09:30 AM
I don't fully understand your issue, but to install an identity certificate you should have a trustpoint authenticated with the CA which directly issued your identity certificate. It doesn't matter for the ASA if your CA is root or subordinate, 'cause it doesn't check the whole chain by default.
So you have to:
1. Create a trustpoint.
2. Authenticate this trustpoint with some CA certificate (root or subordinate), using the crypto ca authenticate command. This is the cert of the CA which will issue your identity certificate.
3. (optional) Issue a request for the identity certificate (which I assume you've already done) using the crypto ca enroll command.
4. Install identity certificate using crypto ca import command.
What you're trying to do in the output above is adding another CA certificate for trustpoint. Is that what you want to do?
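The four steps above as one ASA CLI sequence, all against a single trustpoint (an added example, not configuration from the thread; the trustpoint name CERT2 is taken from the post, while the key label, FQDN and subject name are assumptions):

```cisco
! Added example: one trustpoint (CERT2) holds both the issuing CA
! certificate and the identity certificate it issued. The key label,
! fqdn and subject-name values are assumptions, not from the thread.
crypto key generate rsa label CERT2-KEY modulus 2048

! Step 1: create the trustpoint, enrolling by cut-and-paste (terminal).
crypto ca trustpoint CERT2
 enrollment terminal
 keypair CERT2-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp
 exit

! Step 2: authenticate the trustpoint with the certificate of the CA that
! signs the identity certificate (the subordinate CA when one issues it).
! Paste the base-64 CA certificate, then type "quit".
! If the trustpoint already holds a CA certificate, this returns
! "Certificate already exists in the trustpoint", as seen in the post;
! a renewal is normally done in a fresh trustpoint to avoid that.
crypto ca authenticate CERT2

! Step 3: generate the CSR and send the PKCS#10 output to the CA.
crypto ca enroll CERT2

! Step 4: import the signed identity certificate into the SAME trustpoint.
! Paste the base-64 identity certificate, then type "quit".
crypto ca import CERT2 certificate

! Check: the trustpoint should list a CA certificate and an identity
! certificate whose Issuer matches the CA certificate's Subject.
show crypto ca trustpoints CERT2
show crypto ca certificates CERT2
```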
02-06-2013 01:29 AM
The CA root is installed and authenticated. I have now installed the Identity certificate, and am wondering if it is required that the trustpoint for the identity certificate and the CA certificate need to be the same.
02-06-2013 02:08 AM
Of course they should be the same. If you try to install an identity certificate for a trustpoint that is not authenticated with the CA cert (which issued that identity certificate), the operation will fail, because the chain won't build.