Certificate enrollment URL for CA

pemasirid
Level 1

Hi,

I was trying to renew my SSL certificate and followed these steps:

- created a CSR and got the certificate from the 3rd party certificate vendor.

- authenticated the trustpoint:

When I tried to authenticate the trustpoint I got the error saying "ERROR: You must use 'no crypto ca trustpoint <trustpoint-name>' to delete the CA certificate first." I used the same trustpoint name with which the previous certificate was associated, even when doing the CSR. Then I removed the trustpoint, tried to reauthenticate the trustpoint, and got the error saying "ERROR: You must specify an enrollment URL for this CA before you can enroll with it."

Can someone advise what exactly this enrollment URL is?

Here is the Cisco document I followed:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98596-asa-8-x-3rdpartyvendorcert.html#step2

Thanks in advance.

3 Replies

rvarelac
Level 7

Hi 

Take a look at the following document and make sure that under the trustpoint you created you have the command "enrollment terminal" included.

https://supportforums.cisco.com/document/12524871/install-certificate-asa

Hope it helps

-Randy-

Hi Randy,

Thanks for your reply. I was not sure whether I had missed the "enrollment terminal" command the first time I generated the CSR. However, we had already got the certificate from the CA server, so I regenerated the CSR with the command "enrollment terminal" included, and was able to issue the command to authenticate the trustpoint and paste the certificate, but I still get the error below:

xxx-asa1(config)# crypto ca authenticate myincommonkey.trustpoint
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint: 03771918 685b0d49 2f513250 f9f36f42
Do you accept this certificate? [yes/no]: yes
% Error in saving certificate: status = FAIL

As we are using the same trustpoint name as the certificate currently in use, do we need to revoke the certificate in order to install the new certificate which has the same trustpoint name?

I am not sure what exact issue is causing this error.

Thanks

It seems the certificate can be the issue, not the ASA configuration. The following debugs can provide you more information:

*Debug crypto ca 255

*Debug crypto ca transactions 255

*Debug crypto ca messages 255 

They need to be enabled while you import the certificate. Alternatively, if you have a Cisco contract you can open a TAC ticket and we will be glad to help you.

-Randy-
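Before answering "yes" at the crypto ca authenticate prompt shown earlier in this thread, it is worth confirming that the text being pasted really is a CA certificate and that the fingerprint the ASA prints matches the one the CA publishes. The following Python script is an added example, not part of the original thread and not Cisco tooling: it checks the PEM framing (ignoring the trailing "quit" line the ASA expects), decodes the body to DER, reads the basicConstraints cA flag with a minimal DER walk, and prints digests in the same 8-hex-digit grouping the ASA uses. The sample certificate bytes are hand-built for the example and are not a real certificate.

```python
import base64
import hashlib
import re

# OID 2.5.29.19 (basicConstraints) as DER-encoded: tag 0x06, length 3, 55 1d 13
BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")

# Constructed sample, NOT a real certificate: a hand-built DER SEQUENCE whose only
# content is a critical basicConstraints extension with cA=TRUE. It carries just
# enough structure for the checks below; a real CA certificate is pasted the same way.
SAMPLE_DER_CA = bytes.fromhex("3011" "300f" "0603551d13" "0101ff" "0405" "3003" "0101ff")
SAMPLE_PEM_CA = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER_CA).decode("ascii")
    + "-----END CERTIFICATE-----\n"
    + "quit\n"  # the line the ASA prompt asks for after the paste
)


def pem_to_der(pasted_text: str) -> bytes:
    """Extract and decode the single PEM certificate block from pasted text.

    Raises ValueError if the BEGIN/END framing is missing, the body is not clean
    base64, or the decoded data does not begin with a DER SEQUENCE.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pasted_text, re.S
    )
    if match is None:
        raise ValueError("no complete BEGIN/END CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and stray spaces
    try:
        der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded data does not start with a DER SEQUENCE (empty paste?)")
    return der


def pem_is_well_formed(pasted_text: str) -> bool:
    """True if pem_to_der() accepts the text, False otherwise."""
    try:
        pem_to_der(pasted_text)
        return True
    except ValueError:
        return False


def fingerprint(der: bytes, algorithm: str = "md5") -> str:
    """Digest of the DER bytes in the ASA's display format: 8-hex-digit groups.

    The 32-hex-digit value the ASA printed in the thread has the length of an
    MD5 digest, so md5 is the default; sha256 is offered for comparing against
    a CA's published fingerprint.
    """
    digest = hashlib.new(algorithm, der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def is_ca_certificate(der: bytes):
    """Return the basicConstraints cA flag (True/False), or None if not found.

    Minimal DER walk: locate the basicConstraints OID, skip the optional
    'critical' BOOLEAN, then read the cA BOOLEAN inside the extnValue OCTET
    STRING. These fields are always short-form length (< 128 bytes), so the
    length is a single byte.
    """
    pos = der.find(BASIC_CONSTRAINTS_OID)
    if pos < 0:
        return None
    pos += len(BASIC_CONSTRAINTS_OID)
    if der[pos:pos + 2] == b"\x01\x01":          # optional critical BOOLEAN
        pos += 3
    if der[pos:pos + 1] != b"\x04":              # extnValue OCTET STRING
        return None
    pos += 2                                      # tag + short-form length
    if der[pos:pos + 1] != b"\x30" or pos + 1 >= len(der):
        return None                               # BasicConstraints SEQUENCE expected
    if der[pos + 1] == 0:
        return False                              # cA absent => DEFAULT FALSE
    pos += 2
    if der[pos:pos + 2] == b"\x01\x01" and len(der) > pos + 2:
        return der[pos + 2] != 0
    return False                                  # only pathLenConstraint present


def precheck(pasted_text: str) -> dict:
    """Everything worth knowing before answering 'yes' at the ASA prompt."""
    der = pem_to_der(pasted_text)
    return {
        "der_length": len(der),
        "is_ca": is_ca_certificate(der),
        "md5": fingerprint(der, "md5"),
        "sha256": fingerprint(der, "sha256"),
    }


if __name__ == "__main__":
    for key, value in precheck(SAMPLE_PEM_CA).items():
        print(f"{key}: {value}")
```

Run it with the text you intend to paste in place of SAMPLE_PEM_CA; if is_ca comes back False you are holding the identity certificate rather than the CA's, and the md5 line is what to compare against the Fingerprint value the ASA displays before you accept.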