Cert error

k.ramalingam
Level 1

Hi There,

We have a Cisco ASA:

QCU-HQ-FW1# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(4)1
Device Manager Version 6.4(1)

Compiled on Fri 17-Dec-10 17:02 by builders
System image file is "disk0:/asa824-1-k8.bin"
Config file at boot was "startup-config"


The issue here is that SSL VPN users have an issue: they do not get a link to download a new certificate when there is a "Certificate Validation failed" error. Upon checking we found:

QCU-HQ-FW1(config-ca-server)# sh cry ca ser

Certificate Server LOCAL-CA-SERVER:
    Status: disabled, Trustpoint name already in use
    State: check failed
    Server's configuration is locked  (enter "shutdown" to unlock it)
    Issuer name: cn=QCU-HQ-FW1
    CA certificate fingerprint/thumbprint: (MD5)
        d915b7ae fd5c3fff 1a40e152 a19668a5
    CA certificate fingerprint/thumbprint: (SHA1)
        7970e2d1 4f460d1c f7d0aa7e 7a35e13c e50d0551
    Last certificate issued serial number: 0x0
    CA certificate expiration timer: 10:00:00 EST Jan 1 1970
    CRL NextUpdate timer: 23:15:31 EST Nov 27 2012
    Current primary storage dir: flash:/LOCAL-CA-SERVER/

    Auto-Rollover configured, overlap period 30 days

    WARNING: Configuration has been modified and needs to be saved!!

Would appreciate it if anyone can give an idea of how to resolve this issue. Thanks.

1 Reply

Hi,

The CA server is disabled.

Has this worked before?

It says that the Trustpoint name is already in use.

Did you create a Trustpoint named LOCAL-CA-SERVER?

This Trustpoint is automatically created by the Local CA server feature.

Please do the following (assuming this is not a production FW and no other certificates are installed):

1- "show run crypto ca server" and copy the CA server settings.

2- "no crypto ca trustpoint LOCAL-CA-SERVER noconfirm"

3- Add the LOCAL-CA-SERVER settings again as follows:

     crypto ca server
          ! specific settings like the issuer-name attribute go here.
          no shutdown

4- "show crypto ca server"

Share your results.

Portu.

Please rate any helpful posts
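A fuller version of the same sequence, added here as an example and not part of Portu's reply: it records the current state before anything is deleted, copies the CA database and configuration off the box, and ends with the `write memory` that the "needs to be saved" warning in the original output asks for. The TFTP host, key size and lifetimes are assumed values, and the file names under flash:/LOCAL-CA-SERVER/ are placeholders to be taken from the `dir` listing.

```cisco
! 1. Record the current state before touching anything
QCU-HQ-FW1# show running-config crypto ca server
QCU-HQ-FW1# show crypto ca trustpoints
QCU-HQ-FW1# show crypto ca certificates

! 2. Copy the running config and the CA database off the box
!    (192.0.2.10 is an assumed TFTP host; repeat the copy for each file dir lists)
QCU-HQ-FW1# copy running-config tftp://192.0.2.10/QCU-HQ-FW1-before.cfg
QCU-HQ-FW1# dir flash:/LOCAL-CA-SERVER/
QCU-HQ-FW1# copy flash:/LOCAL-CA-SERVER/<file> tftp://192.0.2.10/<file>

! 3. Unlock the locked server config, then remove the conflicting trustpoint
QCU-HQ-FW1# configure terminal
QCU-HQ-FW1(config)# crypto ca server
QCU-HQ-FW1(config-ca-server)# shutdown
QCU-HQ-FW1(config-ca-server)# exit
QCU-HQ-FW1(config)# no crypto ca trustpoint LOCAL-CA-SERVER noconfirm

! 4. Recreate the local CA with the settings saved in step 1
!    (issuer name taken from the original output; key size and lifetimes assumed)
QCU-HQ-FW1(config)# crypto ca server
QCU-HQ-FW1(config-ca-server)# issuer-name CN=QCU-HQ-FW1
QCU-HQ-FW1(config-ca-server)# keysize 1024
QCU-HQ-FW1(config-ca-server)# lifetime ca-certificate 1095
QCU-HQ-FW1(config-ca-server)# lifetime certificate 365
QCU-HQ-FW1(config-ca-server)# lifetime crl 6
! no shutdown generates the CA key pair; the ASA prompts for a passphrase that
! protects that key, and the same passphrase is needed to restore the CA later
QCU-HQ-FW1(config-ca-server)# no shutdown
QCU-HQ-FW1(config-ca-server)# exit
QCU-HQ-FW1(config)# exit

! 5. Verify that the server is enabled, then save so the change survives a reload
QCU-HQ-FW1# show crypto ca server
QCU-HQ-FW1# show crypto ca server certificate
QCU-HQ-FW1# write memory
```

After step 5 the "Status:" line should read enabled and the CA certificate expiration timer should show a real date instead of Jan 1 1970.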