06-02-2011 05:18 AM
Our organization has two 5540s in an Active/Standby config. Recently, I've tried to set up SSL VPN and am having some issues with the certificates and trustpoints.
The steps I took in ASDM were:
1. Imported the Thawte Primary and Secondary CA certificates.
2. Generated a new Private Key (2048)
3. Generated a CSR
4. Saved the config
I sent the CSR off and received the certificate. I went to import it, and the CSR was missing. I also noticed the Primary and Secondary CA certs were gone too. However, the Trustpoints were still in the config with no certs attached. See below:
crypto ca trustpoint ThawtePrimaryCA
enrollment terminal
crl configure
crypto ca trustpoint ThawteSecondaryCA
enrollment terminal
crl configure
crypto ca trustpoint Thawte_VPN_SSL
enrollment terminal
fqdn xxx.xxx.com
subject-name CN=xxx.xxx.com,OU=Organizational Unit,O=Organization,C=US,St=State,L=City
keypair ssl-vpn-key
crl configure
I first thought I had just forgotten to save the config or something like that.
I decided to try once more. I imported the two CA certs and generated a new CSR and saved the config. I answered the CSR and it seemed to work. I could visit https://xxx.xxx.com and did not receive a certificate error.
A week or so later, I noticed that I was receiving certificate errors and I took a look. Sure enough, the Primary and Secondary CA certs were gone from ASDM and the config looked like the config above.
I also noticed that an AnyConnect image I had loaded into flash was gone.
I'm running:
Cisco Adaptive Security Appliance Software Version 8.0(4)32
Device Manager Version 6.1(5)57
Any help or ideas would be appreciated.
06-02-2011 09:34 AM
hi,
Could you please check for "sh cry ca cert" and check if the certificates were present on the ASA.
hope this helps.
regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
06-13-2011 08:02 AM
When I issue that command I only see the certificate that I answered the CSR with. I don't see the Primary and Secondary Thawte certificates that I originally imported.
06-14-2011 12:18 AM
Hmm... that means that the cert is not present. Can you try importing the certs again and check with the command?
hope this helps.
regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
06-14-2011 12:52 PM
Yeah, I did try that the first time it happened. Now I've got two sets of trustpoints. See the output of 'sh crypto ca trustpoints'. The first time, I named the trustpoints; the second time, I went with defaults.
Trustpoint ThawtePrimaryCA:
Not authenticated.
Trustpoint ThawteSecondaryCA:
Not authenticated.
Trustpoint Thawte_VPN_SSL:
Not authenticated.
Trustpoint ASDM_TrustPoint0:
Not authenticated.
Trustpoint ASDM_TrustPoint1:
Not authenticated.
Trustpoint ASDM_TrustPoint2:
Not authenticated.
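The check below is an added example and is not code from any poster in this thread or from Cisco. It parses the two views of trustpoint state that the thread shows, the output of `show crypto ca trustpoints` and the `crypto ca trustpoint` blocks of the running config, and reports which trustpoints have no authenticated certificate and which of those also carry a keypair (an identity trustpoint whose CSR or certificate is gone, as with Thawte_VPN_SSL above). The sample text is constructed from the thread's own output; the healthy entry `Example_OK` and its "Certificate configured." line are assumptions added to show the passing case, and only the literal "Not authenticated." marker from the thread is matched. The config sample uses the one-space sub-command indentation an ASA normally emits, which the thread's pasted config lost.

```python
"""Audit ASA trustpoint state from CLI output (added example, not from the thread)."""
import re
import sys

# Constructed from the thread's 'sh crypto ca trustpoints' output, plus one
# assumed healthy trustpoint (Example_OK) so the passing case is exercised.
SHOW_TRUSTPOINTS = """\
Trustpoint ThawtePrimaryCA:
    Not authenticated.
Trustpoint ThawteSecondaryCA:
    Not authenticated.
Trustpoint Thawte_VPN_SSL:
    Not authenticated.
Trustpoint ASDM_TrustPoint0:
    Not authenticated.
Trustpoint ASDM_TrustPoint1:
    Not authenticated.
Trustpoint ASDM_TrustPoint2:
    Not authenticated.
Trustpoint Example_OK:
    Certificate configured.
"""

# Constructed from the thread's running config, with ASA-style indentation.
RUNNING_CONFIG = """\
crypto ca trustpoint ThawtePrimaryCA
 enrollment terminal
 crl configure
crypto ca trustpoint ThawteSecondaryCA
 enrollment terminal
 crl configure
crypto ca trustpoint Thawte_VPN_SSL
 enrollment terminal
 fqdn xxx.xxx.com
 subject-name CN=xxx.xxx.com,OU=Organizational Unit,O=Organization,C=US,St=State,L=City
 keypair ssl-vpn-key
 crl configure
crypto ca trustpoint Example_OK
 enrollment terminal
 keypair ok-key
"""

TRUSTPOINT_HEADER = re.compile(r"^Trustpoint (\S+):\s*$")
NOT_AUTHENTICATED = "Not authenticated."


def parse_show_trustpoints(text):
    """Map trustpoint name -> list of detail lines under its header."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = TRUSTPOINT_HEADER.match(line)
        if match:
            current = match.group(1)
            result[current] = []
        elif current is not None:
            result[current].append(line)
    return result


def parse_config_trustpoints(config):
    """Map trustpoint name -> {sub-command keyword: rest of line}."""
    result, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if line.startswith("crypto ca trustpoint "):
            current = line.split()[3]
            result[current] = {}
        elif current is not None and raw.startswith(" "):
            keyword, _, value = line.partition(" ")
            result[current][keyword] = value
        else:
            current = None  # any other top-level line ends the block
    return result


def unauthenticated_trustpoints(show_text):
    """Names of trustpoints whose status shows the 'Not authenticated.' marker."""
    parsed = parse_show_trustpoints(show_text)
    return sorted(name for name, lines in parsed.items() if NOT_AUTHENTICATED in lines)


def audit(show_text, config_text):
    """Join both views: authenticated flag, keypair and fqdn per configured trustpoint."""
    status = parse_show_trustpoints(show_text)
    report = {}
    for name, attrs in parse_config_trustpoints(config_text).items():
        lines = status.get(name, [])
        report[name] = {
            # A trustpoint missing from the show output is treated as not authenticated.
            "authenticated": bool(lines) and NOT_AUTHENTICATED not in lines,
            "keypair": attrs.get("keypair"),
            "fqdn": attrs.get("fqdn"),
        }
    return report


if __name__ == "__main__":
    bad = 0
    for name, info in audit(SHOW_TRUSTPOINTS, RUNNING_CONFIG).items():
        role = "identity (has keypair)" if info["keypair"] else "CA only"
        state = "ok" if info["authenticated"] else "NOT AUTHENTICATED"
        print(f"{name:20} {role:24} {state}")
        bad += not info["authenticated"]
    sys.exit(1 if bad else 0)
```

Run it after each ASDM or CLI change and again after a failover or reload; a non-zero exit means at least one configured trustpoint has lost its certificate, which is exactly the condition the thread describes before the browser errors appear.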
05-09-2015 05:55 AM
I had the same problem: a trustpoint ended up being "Not authenticated" if done through the ASDM.
So I decided to do it through CLI.
Kind Regards