ASA 5540 Certificate Problem

rutledgec
Level 1

Our organization has two 5540s in an Active/Standby config.  Recently, I've tried to set up SSL VPN and am having some issues with the certificates and trustpoints.

The steps I took in ASDM were:

1.  Imported the Thawte Primary and Secondary CA certificates.

2.  Generated a new Private Key (2048)

3.  Generated a CSR

4.  Saved the config

I sent the CSR off and received the certificate.  I went to import it, and the CSR was missing.  I also noticed the Primary and Secondary CA certs were gone too.  However, the Trustpoints were still in the config with no certs attached.  See below:

crypto ca trustpoint ThawtePrimaryCA
 enrollment terminal
 crl configure
crypto ca trustpoint ThawteSecondaryCA
 enrollment terminal
 crl configure

crypto ca trustpoint Thawte_VPN_SSL
 enrollment terminal
 fqdn xxx.xxx.com
 subject-name CN=xxx.xxx.com,OU=Organizational Unit,O=Organization,C=US,St=State,L=City
 keypair ssl-vpn-key
 crl configure

I first thought I had just forgotten to save the config or something like that.

I decided to try once more.  I imported the two CA certs and generated a new CSR and saved the config.  I answered the CSR and it seemed to work.  I could visit https://xxx.xxx.com and did not receive a certificate error.

A week or so later, I noticed that I was receiving certificate errors and I took a look.  Sure enough, the Primary and Secondary CA certs were gone from ASDM and the config looked like the config above.

I also noticed that an AnyConnect image I had loaded into flash was gone.

I'm running:

Cisco Adaptive Security Appliance Software Version 8.0(4)32
Device Manager Version 6.1(5)57

Any help or ideas would be appreciated.

5 Replies

andamani
Cisco Employee

hi,

Could you please run "sh cry ca cert" and check whether the certificates are present on the ASA.

hope this helps.

regards,
Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

When I issue that command I only see the certificate that I answered the CSR with.  I don't see the Primary and Secondary Thawte certificates that I originally imported.

hmm.. that means that the cert is not present. can you try importing the certs again and check with the command?

hope this helps.

regards,
Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Yeah, I did try that the first time it happened.  Now I've got two sets of trustpoints.  See the output of 'sh crypto ca trustpoints'.  The first time, I named the Trustpoints; the second time, I went with the defaults.

Trustpoint ThawtePrimaryCA:
    Not authenticated.

Trustpoint ThawteSecondaryCA:
    Not authenticated.

Trustpoint Thawte_VPN_SSL:
    Not authenticated.

Trustpoint ASDM_TrustPoint0:
    Not authenticated.

Trustpoint ASDM_TrustPoint1:
    Not authenticated.

Trustpoint ASDM_TrustPoint2:
    Not authenticated.

I had the same problem: a trustpoint ended up "Not authenticated" when done through ASDM.

So I decided to do it through CLI.

  • Create the trustpoint with enrollment through terminal.
  • Enroll through terminal and copy the CSR output into a text file.
  • With the CSR text file, get the certificate from your CA - make sure it's PEM-formatted.
  • Authenticate the trustpoint through terminal.

Kind Regards
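The terminal-enrollment sequence from the reply above, written out as an added example (it is not from any poster in this thread). It reuses the trustpoint and keypair names shown earlier in the thread; the FQDN and subject-name are the thread's placeholders, and the interface name "outside" is assumed.

```cisco
! Added example, not from the thread: CLI terminal enrollment on the ASA.
! Names (ThawtePrimaryCA, ThawteSecondaryCA, Thawte_VPN_SSL, ssl-vpn-key)
! are those used in the thread; "outside" is an assumed interface name.

! 1. Generate the keypair that the identity trustpoint will reference.
crypto key generate rsa label ssl-vpn-key modulus 2048

! 2. One trustpoint per CA certificate, authenticated by pasting the PEM body.
crypto ca trustpoint ThawtePrimaryCA
 enrollment terminal
 crl configure
crypto ca authenticate ThawtePrimaryCA
! Paste the base64 body of the primary CA certificate, then "quit" on its own line.

crypto ca trustpoint ThawteSecondaryCA
 enrollment terminal
 crl configure
crypto ca authenticate ThawteSecondaryCA
! Paste the secondary CA certificate, then "quit".

! 3. Identity trustpoint, then enroll to print the CSR that goes to the CA.
crypto ca trustpoint Thawte_VPN_SSL
 enrollment terminal
 fqdn xxx.xxx.com
 subject-name CN=xxx.xxx.com,OU=Organizational Unit,O=Organization,C=US
 keypair ssl-vpn-key
 crl configure
crypto ca enroll Thawte_VPN_SSL
! Copy the printed CSR (including the BEGIN/END lines) into a text file.

! 4. Import the PEM certificate returned by the CA and bind it to the interface.
crypto ca import Thawte_VPN_SSL certificate
! Paste the issued certificate, then "quit".
ssl trust-point Thawte_VPN_SSL outside

! 5. Verify before saving: the CA trustpoints should no longer read
!    "Not authenticated" and each trustpoint should list its certificate.
show crypto ca trustpoints
show crypto ca certificates
write memory
```

Re-running the two show commands after the next reload is the quickest way to tell whether the certificates actually persisted.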