cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2068
Views
0
Helpful
4
Replies
Douglas Holmes
Beginner

Delete Certificate that does not have an Associates Trustpoint

I have been having some trouble getting a site to site tunnel working using IKEV2 certificates.  I have one working tunnel and another that is not.  Get the "self signed not acceptable".  Only that isn't really the case.  Certs on both devices signed by the same CA and generated in the exact same fashion.  However, one ASA I see an errant certificate that I can figure out how to delete.  I am thinking that this certificate is causing the issue.  See below.  Thanks

 

IMG_0198.jpg

4 REPLIES 4
Karsten Iwen
VIP Mentor

you see that certificate with "sh run crypto ca"? If yes try deleting it with "no crypto ca cert chain ...".

Thanks for the response.  I did try that,  however it still wants a trustpoint.  This is what I get:

 

FW(config)# no crypto ca certificate chain
ERROR: % Incomplete command
FW(config)#

FW(config)# no crypto ca certificate chain ?
configure mode commands/options:
  WORD < 65 char  Trustpoint Name

 

I slept on it last night.  The certificate shows up, I can't blow away the config since it is in production.  I have to get the remote office up this morning so loose all trust that I am the one that knows. 

 

I know that the remote end is the one that is having issues with the certificate.  The local side loves the certificate that it receives and actually brings the tunnel up.  The other side not so much. I am going to run a debug crypto ca on the other side to see if I can match the serials as to what is happening with the certificate.  Otherwise the behavior I see is not what I expect. 

 

Second step is that I am going to zero the device.  Delete the existing trustpoint, and keys.  Then rekey.  Shouldn't take too long. 

Rekeyed the ASA.  Did this by removing references then deleting the trustpoint and then clearing the key.  Then I reversed the process.  Same problem with the tunnel but the extra certificate is now gone.

Updated the code on the remote side from 9.8.20 to 9.8.3.  Now the certs are passing authentication on both sides.  Could be a code issue.  Still failing, but I do have the resolution for why the post was created.  Will examine the configurations.  Especially since I have two tunnels configured to two different ASA's.  One works and one does not. 

Content for Community-Ad