Identity Certificate Installation

I am a little uncertain if I am required to do anything else. Or perhaps I am misunderstanding and the Identity cert doesn't need the same trustpoint as the CA cert?


I get a FAIL message when I run the crypto ca authenticate command for my certificate. It is installed. It is a Verisign certificate. I have a Verisign Root certificate Trustpoint CERT that is also installed on the ASA, but as you see it has a different trustpoint name; does this matter, or is it just significant to that particular certificate?


I am trying to renew an ID certificate.


ASA(config)# crypto ca authenticate CERT2
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

<snip>


-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint:     <snip>
Do you accept this certificate? [yes/no]: y

Trustpoint CERT2 is a subordinate CA and holds a non self-signed certificate.

Trustpoint CERT2 is a subordinate CA.
but certificate is not a CA certificate.
Manual verification required

Trustpoint CA certificate accepted.
ERROR: Certificate already exists in the trustpoint CERT2
% Error in saving certificate: status = FAIL

--
Please remember to select a correct answer and rate helpful posts
3 Replies

Andrew Phirsov
Level 7

I don't fully understand your issue, but

To install an identity certificate you should have a trustpoint authenticated with the CA which directly issued your identity certificate. It doesn't matter for the ASA if your CA is root or subordinate, 'cause it doesn't check the whole chain by default.

So you have to:

1. Create a trustpoint.

2. Authenticate this trustpoint with some CA certificate (root or subordinate), using the crypto ca authenticate command. This is the cert of the CA which will issue your identity certificate.

3. (optional) Issue a request for the identity certificate (which I assume you've already done) using the crypto ca enroll command.

4. Install the identity certificate using the crypto ca import command.

What you're trying to do in the output above is adding another CA certificate to the trustpoint. Is that what you want to do?
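The four steps above as one ASA CLI session, added here as an illustration and not taken from the thread; the trustpoint name RENEW-TP, the key label RENEW-KEY and the subject name are hypothetical placeholders, and the pasted certificate bodies are elided.

```cisco
! 1. Create a trustpoint for the renewal. A fresh trustpoint name avoids the
!    "Certificate already exists in the trustpoint" error that appears when
!    crypto ca authenticate is re-run on a trustpoint that already holds a CA cert.
crypto key generate rsa label RENEW-KEY modulus 2048
crypto ca trustpoint RENEW-TP
 enrollment terminal
 keypair RENEW-KEY
 subject-name CN=vpn.example.com,O=Example
 fqdn vpn.example.com
 exit

! 2. Authenticate the trustpoint with the certificate of the CA that will sign
!    the identity certificate (the issuing intermediate, not necessarily the
!    root). Paste the PEM, then type "quit"; confirm the fingerprint out of band.
crypto ca authenticate RENEW-TP
-----BEGIN CERTIFICATE-----
<issuing CA certificate, base64, omitted>
-----END CERTIFICATE-----
quit

! 3. Generate the CSR; copy the displayed PEM block to the CA.
crypto ca enroll RENEW-TP

! 4. Import the issued identity certificate into the SAME trustpoint. The ASA
!    requires it to chain to the CA certificate this trustpoint holds, so a
!    certificate signed by a different issuer fails at this step.
crypto ca import RENEW-TP certificate
-----BEGIN CERTIFICATE-----
<identity certificate, base64, omitted>
-----END CERTIFICATE-----
quit

! Check: the trustpoint lists one CA certificate and one identity certificate,
! and the identity certificate's Issuer Name equals the CA certificate's Subject Name.
show crypto ca certificates RENEW-TP
```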

The CA root is installed and authenticated. I have now installed the Identity certificate, and am wondering if it is required that the trustpoint for the identity certificate and the CA certificate need to be the same.


Of course they should be the same. If you try to install an identity certificate for a trustpoint that is not authenticated with the CA cert (which issued that identity certificate), the operation will fail, 'cause the chain won't build.
