ASA5505 enrollment error on SSL cert when applied to interface?

Created a CSR, obtained the certificate files, uploaded them to ASA5505. Three certs in the CA Certificates; one in the Identity Certificate. All seems just wonderful. Now to make use of the SSL certs: when trying to associate the certificate to the Interface in the section SSL settings, we get an error:

[OK] ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
[ERROR] ssl trust-point ASDM_TrustPoint5 outside
  Trustpoint not enrolled.  Please enroll trustpoint and try again.

The cert appears in the drop down list for selection, why the error? How to clear it?

Accepted Solution

JP Miranda Z
Cisco Employee

Hi Stewart Buswell,

I have seen this issue when starting the CSR request through the CLI using the configuration of enrollment terminal and then going to the ASDM and adding the identity certificate without using the command crypto ca enroll through the CLI.

In this case if you are using the CLI/ASDM you can follow this guide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98596-asa-8-x-3rdpartyvendorcert.html

And the way to resolve this will be generating a new CSR on the ASDM using the same keypair and installing the certificate over that trustpoint. After applying the cert to the SSL you can remove the old one that was failing.

Hope this info helps!!

Rate if it helps you!!

-JP- 


I just want to add here what ended up for me with this message and how I resolved it. Since I received a total of 4 certs, 3 for the CA and one for the identity, I made the mistake of not paying attention to the details of the instructions given. Adding the 3 CA certs with the following command worked fine:

crypto ca authenticate SSL-Trustpoint-x

The mistake I made was using this same command for the identity. It needs to be:

crypto ca import SSL-Trustpoint certificate

To recover from the mistake one must delete the trustpoint and associated certificate:

no crypto ca trustpoint SSL-Trustpoint

Add it back again with the exact same parameters as you did when you generated the CSR.

The second time through, when you do this:

crypto ca enroll SSL-Trustpoint

simply answer no to the question about displaying the CSR on the console. Then proceed with the import as above, and the assignment of the trustpoint to the SSL process:

ssl trust-point SSL-Trustpoint
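As an added example (not posted by anyone in this thread), the full enrollment-terminal sequence that the two replies describe, written out end to end on the ASA CLI: key pair and trustpoint, CSR, one trustpoint per CA certificate in the chain, the wrong and the correct command for the identity certificate side by side, the show commands to confirm the trustpoint is actually enrolled before it is assigned, and the recovery path. The names SSL-Trustpoint, SSL-Trustpoint-Root, SSL-Key and vpn.example.com are hypothetical placeholders.

```text
! Added example; SSL-Trustpoint, SSL-Trustpoint-Root, SSL-Key and
! vpn.example.com are assumed names, not values from the thread.

! 1. Key pair and identity trustpoint. "enrollment terminal" means the CSR is
!    pasted out of the console and the signed certificate is pasted back in.
crypto key generate rsa label SSL-Key modulus 2048
crypto ca trustpoint SSL-Trustpoint
 enrollment terminal
 keypair SSL-Key
 subject-name CN=vpn.example.com,O=Example Corp,L=San Jose,ST=California,C=US
 fqdn vpn.example.com
 exit

! 2. Generate the CSR. The trustpoint stays "not enrolled" until the signed
!    identity certificate is brought back in with "crypto ca import".
crypto ca enroll SSL-Trustpoint

! 3. CA chain: each CA certificate (root, each intermediate) goes into its own
!    trustpoint with "crypto ca authenticate", never into the identity trustpoint.
crypto ca trustpoint SSL-Trustpoint-Root
 enrollment terminal
 exit
crypto ca authenticate SSL-Trustpoint-Root
! (paste the CA certificate PEM, then type quit)

! 4a. WRONG for the identity certificate: this treats it as a CA certificate,
!     so the identity trustpoint is still unenrolled and "ssl trust-point"
!     fails with "Trustpoint not enrolled".
! crypto ca authenticate SSL-Trustpoint

! 4b. CORRECT: import the signed certificate into the trustpoint whose keypair
!     produced the CSR.
crypto ca import SSL-Trustpoint certificate
! (paste the identity certificate PEM, then type quit)

! 5. Check before assigning: the identity certificate should be listed under
!    "Associated Trustpoints: SSL-Trustpoint" with Status: Available, and the
!    key pair it was issued for should exist on the box.
show crypto ca certificates SSL-Trustpoint
show crypto key mypubkey rsa

! 6. Only now bind it to the interface.
ssl trust-point SSL-Trustpoint outside

! Recovery after a mistaken step 4a: remove the trustpoint (this also drops
! the mis-stored certificate), recreate it with exactly the parameters from
! step 1, re-run "crypto ca enroll" answering no to displaying the CSR (the
! issued certificate still matches the unchanged keypair, so nothing needs to
! be resubmitted to the CA), then repeat steps 4b, 5 and 6.
! no crypto ca trustpoint SSL-Trustpoint
```

The decisive check is step 5: if `show crypto ca certificates` shows the new certificate only as a CA certificate, or shows no certificate associated with the identity trustpoint, the import step was skipped or run against the wrong trustpoint and the `ssl trust-point` command will keep failing regardless of what ASDM shows in its drop-down.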

The reinstall seemed to work, though I have no idea what the issue was with the first attempt!  I did it the same way, with one modification in the CSR.  The State was CA and I understand it needs to be California.  Other than that I loaded the same certificate and all is well!  Thanks. - Peter
