04-22-2021 10:04 PM
I got a message that a trust point has expired. I don't see any impact so far. I can SSH to manage
the ASA, I can connect via AnyConnect, manage via ASDM. How can I verify if anything might be
impacted that I just haven't yet considered?
<185>Apr 22 2021 21:46:31 BOS-ASA01 : %ASA-1-717055: The <CA> certificate in the trustpoint <CAPF_4> has expired. Expiration <12:31:43 PDT Jul 17 2019> Subject Name <l=BOSTON,st=MASS,cn=CAPF-453ee840,ou=IT,o=ACME Mortgage,c=US> Issuer Name <l=BOSTON,st=MASS,cn=CAPF-453ee840,ou=IT,o=ACME Mortgage,c=US> Serial Number <xxxxxxxxC5336C3CB8C78C06E73B3E5A1>
04-23-2021 01:44 AM
It depends on how and if the certificate associated with the trustpoint is being used. Since it appears to be a CA certificate, the most common use is to present the issuing CA certificate for an identity certificate used for remote access VPN so that users can verify a complete trust chain. Other less-common uses include using the ASA as a SCEP proxy to forward certificate enrollment requests to the CA. Again, only you can tell us if any of those apply to your situation. If you are able to share the complete config, we might be able to assist in more detail.
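One way to act on the reply above, as an added example that is not part of the original thread: parse the 717055 message and list the lines of a saved running-config that name the expired trustpoint. The config excerpt, the trustpoint `VPN_ID` and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Field layout of message 717055 as it appears in the post above.
MSG_717055 = re.compile(
    r"%ASA-1-717055: The <(?P<kind>[^>]*)> certificate in the trustpoint "
    r"<(?P<trustpoint>[^>]*)> has expired\. Expiration <(?P<expires>[^>]*)> "
    r"Subject Name <(?P<subject>[^>]*)> Issuer Name <(?P<issuer>[^>]*)>")
# Lines that define a trustpoint rather than use it.
DEFINITION = re.compile(r"^crypto ca (trustpoint|certificate chain) ")

def parse_717055(line):
    """Return the message fields as a dict, or None for any other line."""
    m = MSG_717055.search(line)
    if not m:
        return None
    info = m.groupdict()
    # "12:31:43 PDT Jul 17 2019": drop the zone name, keep device-local time.
    clock, _zone, rest = info["expires"].split(" ", 2)
    info["expired_at"] = datetime.strptime(f"{clock} {rest}", "%H:%M:%S %b %d %Y")
    info["self_signed"] = info["subject"] == info["issuer"]
    return info

def trustpoint_references(config_text, name):
    """List (line_number, line) pairs that use the trustpoint by name."""
    token = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
    hits = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if token.search(line) and not DEFINITION.match(line):
            hits.append((number, line))
    return hits

# Log line from the post (prefix and serial omitted); constructed config excerpt.
SAMPLE_LOG = ("%ASA-1-717055: The <CA> certificate in the trustpoint <CAPF_4> has "
              "expired. Expiration <12:31:43 PDT Jul 17 2019> Subject Name "
              "<l=BOSTON,st=MASS,cn=CAPF-453ee840,ou=IT,o=ACME Mortgage,c=US> Issuer Name "
              "<l=BOSTON,st=MASS,cn=CAPF-453ee840,ou=IT,o=ACME Mortgage,c=US>")
SAMPLE_CONFIG = """\
crypto ca trustpoint CAPF_4
crypto ca trustpoint VPN_ID
crypto ca certificate chain CAPF_4
ssl trust-point VPN_ID outside
tunnel-group RA ipsec-attributes
 ikev2 local-authentication certificate VPN_ID
"""

if __name__ == "__main__":
    print(parse_717055(SAMPLE_LOG), trustpoint_references(SAMPLE_CONFIG, "CAPF_4"))
```

An empty result only shows that no other configuration line names the trustpoint; it does not by itself prove the certificate is unused.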