I agree with Phillip. You must have the entire chain imported on the ASA. The Root CA, and if you are using a subordinate CA for issuing must be imported as a CA certificate. The Identity certificate will be used during authentication.

folks

thanks for all your replies, its greatly appreciated

i currently have the identity certificate and enterprise associated with the same trustpoint

are you telling me I need to have the intermediate and root certificates also loaded onto the ASA

if so, do I need to create a new trustpoint for the root and a new one for the intermediate?

I was sure I read that the ASA only needs the identity and issuing certificates, I've had a look but can't see any guides for installing certificate chains so I'd be grateful if you can point me in the right direction

thanks again


 

andre

i've got it working again

there were several issues that caused me problems

i created two new trustpoints and dropped the intermediate and root certificates into them

I had left out the trustpoint from the crypto map, once I got these added it started working

interestingly I was working from an example in the cisco asa all in one next gen firewall book and while it mentions adding in the identity and issuing certs it doesn't touch on the intermediate or root certs

thanks for all your help and patience

@Philip D'Ath  hi Philip,

I have an SSL certificate alarm from PRTG that correctly highlights the "Unable to check revocation status"

with <sh crypto ca certificates> I can see that the issuing or root certificate authority or the root certificate authority is available to be queried.
I can also see the certificate via Cisco ASDM
>Configuration>VPN remote access>Certificate management>CA certificates.
I don't understand why I've been getting this alarm for a week on 3 of the 20 ASA firewalls.
I use the following command on the firewall in the CLI and if I import a firewall rule from the firewall and then perform a deployment, the parameter is overwritten: ssl trustp-point My_trustpoint

conf t
dynamic-access-policy-confi activate
vpn-addr-assign local reuse-delay 0
no ssl trust-point <My_trustpoint>
I don't understand why (CSM) Cisco Security Manager keeps deleting the last command line and unfortunately, I haven't found the corner of the CSM where this is configured....
This is probably the reason why messages appear in the prtg, because the verified certificate authority is not the right one or it is, by default, self-signed certificates on firewalls.
Unfortunately, our chain is not routed to the Internet". Unable to resolve the domain name" is the message I received from ssllabs.com.
Is there a way to validate or compare my parameters?

marius

apologies but i've only seen your query now

i created the trustpoint as normal but used the enrolment terminal command

i imported the the CA certificate using the crypto pki authenticate [TRUSTPOINT] name and pasted the certificate in from notepad 

i generated the csr with the crypto pki enroll [TRUSTPOINT] name command and then imported the certificate with the crypto pki import [TRUSTPOINT] name command after copying it from notepad

you can view the certificates with the command show crypto ca certificates [TRUSTPOINT] name 

hope this helps and again, apologies