12-05-2016 07:21 AM - edited 02-21-2020 09:05 PM
Hi
I'm playing around with IPsec site-to-site VPNs using certificates.
I load the CA root certificate onto each ASA and then enroll manually for an Identity certificate. I have a Win2008 CA and I use the Advanced Certificate request then IPSec (Offline request) template to generate my certificate from the ASA CSR. The Identity certificate gets installed fine and I apply it to the tunnel group and crypto map.
However, when the tunnel attempts to come up I get the following in debugs
[IKEv1]Group = 192.168.0.250, IP = 192.168.0.250, Certificate Validation Failed
and
check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
I can get round this by doing
crypto ca trustpoint My-trust-point
ignore-ipsec-keyusage
However, I would prefer not to have to do this. Am I using the wrong certificate template to generate the certificate for the ASA and, if so, which one should I use?
Thanks, Stephen.
12-06-2016 03:36 PM
Stephen,
Actually I just found the solution for this issue; take a look at this link:
https://supportforums.cisco.com/discussion/12193296/ipsec-certificates-validation-failure
Hope this info helps!!
Rate if helps you!!
-JP-
12-05-2016 08:24 PM
Hi StevieOliver_2,
So, as you are saying, this is just a matter of using the right template; the template you should select when creating certificates for an S2S tunnel is IPsec.
You can find the steps on the following link:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html
Hope this info helps!!
Rate if helps you!!
-JP-
12-06-2016 01:49 PM
Thank you for the input JP.
I'm using the IPSec (offline request) cert template which seems to be much the same as the IPSec one. Am I wrong? Is there a significant difference between these templates?
The reason I don't use the IPSec template is I can't seem to get it offered as a choice when I browse to my CA and submit an Advanced request. Only the IPSec (Offline request) is available. So I looked into that and it seemed to be an acceptable alternative.
From here
https://social.technet.microsoft.com/Forums/office/en-US/87454c69-1f4a-4474-bbbf-a6e7d120d3fd/what-for-are-ipsec-and-ipsec-request-offline-certificates-in-ca-certificate-templates-node?forum=winserversecurity
It says
IPSEC(offline Request) certificate template allows the certificate requester to provide the subject name information in the certificate request.
I didn't think that would cause the certificate to be rejected.
Thanks, Stephen.
12-06-2016 03:32 PM
Stephen,
Considering that it will be kind of hard to identify what is wrong without taking a look at the certificate, if you can share the cert so I can check it out, I can help you; if not, I would recommend you open a TAC case.
Hope this info helps!!
Rate if helps you!!
-JP-
12-09-2016 09:05 AM
Thanks again JP.
I did manage to copy the existing IPSec template and include IP security tunnel termination as a certificate purpose. That looks promising as a solution.
However, I'm still having trouble getting the certificate template to be offered under the certsrv webpage which I'm trying to resolve. Every suggestion I find on the internet fails to get the CA to offer the copied template.
Stephen.
12-09-2016 09:15 AM
Actually I think I've just managed to get the new template published and available in the certsrv webpage by using the Windows Server 2003 Enterprise option when duplicating the IPSec template. I think I was using the Windows Server 2008 Enterprise option before which was the default. That seems to have now allowed the template to be available via certsrv. I've still to issue my ASA with a new cert and test but I'll try that and report back on how it goes.
Stephen.
12-09-2016 10:56 AM
Success.
I created a copy of the IPSec certificate template as a Win2003 certificate.
In the Subject name tab choose Supply in request.
In the Extensions tab highlight Application Policies - Edit - Add and select IP Security tunnel termination.
Now select that new certificate template to issue.
When I go to the certsrv webpage the template is there at last.
I then generated a CSR on the ASA and used this template to sign it. I applied the signed certificate to the crypto map and tunnel group and I could bring the tunnel up without the ignore-ipsec-keyusage line under the CA trustpoint.
So thanks again for the assistance in pointing me in the right direction, JP.
Stephen.
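As an added example (not part of this thread or of any Cisco or Microsoft tooling): a small Python check that reads the Extended Key Usage out of `openssl x509 -in cert.pem -noout -text` output and reports whether the certificate would pass the check that failed here, i.e. whether its EKU carries IP security tunnel termination (1.3.6.1.5.5.7.3.6) rather than only 1.3.6.1.5.5.8.2.2, so a cert can be checked before it is enrolled on the ASA. The sample extension text and the OpenSSL name spellings in NAME_TO_OID are constructed assumptions.

```python
import re

# OID the thread's fix adds via the duplicated template ("IP security tunnel termination").
IPSEC_TUNNEL_OID = "1.3.6.1.5.5.8.2.2".replace("8.2.2", "7.3.6")  # 1.3.6.1.5.5.7.3.6
# OID the ASA debug reports as "NOT acceptable" ("IP security IKE intermediate").
IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"

# Names OpenSSL may print instead of dotted OIDs (assumed spellings; dotted OIDs are always handled).
NAME_TO_OID = {
    "ipsec tunnel": IPSEC_TUNNEL_OID,
    "ip security tunnel termination": IPSEC_TUNNEL_OID,
    "ipsec ike intermediate": IKE_INTERMEDIATE_OID,
    "ip security ike intermediate": IKE_INTERMEDIATE_OID,
}

# Constructed extension blocks, in the layout `openssl x509 -text` uses.
CERT_OFFLINE_REQUEST = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2
"""
CERT_FIXED_TEMPLATE = CERT_OFFLINE_REQUEST.replace(
    "1.3.6.1.5.5.8.2.2", "IPSec Tunnel, 1.3.6.1.5.5.8.2.2")


def parse_eku(x509_text):
    """Return EKU OIDs from `openssl x509 -text` output, or None if the cert carries no EKU extension."""
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", x509_text)
    if not m:
        return None
    oids = []
    for item in m.group(1).split(","):
        item = item.strip()
        # Keep dotted OIDs as-is; map known OpenSSL names, leave unknown names untouched.
        oids.append(item if re.fullmatch(r"\d+(\.\d+)+", item) else NAME_TO_OID.get(item.lower(), item))
    return oids


def ipsec_tunnel_usable(x509_text):
    """Mirror the ASA's EKU decision seen in the thread: a cert with no EKU extension is unrestricted
    (RFC 5280), otherwise the EKU must include IP security tunnel termination."""
    oids = parse_eku(x509_text)
    return True if oids is None else IPSEC_TUNNEL_OID in oids


if __name__ == "__main__":
    for label, text in (("IPSec (Offline request)", CERT_OFFLINE_REQUEST), ("copied template", CERT_FIXED_TEMPLATE)):
        print(f"{label}: EKU={parse_eku(text)} usable={ipsec_tunnel_usable(text)}")
```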
12-09-2016 01:01 PM
Hi Stephen,
Thanks for sharing the steps to make this work from the server side; I am glad everything works now.
Hope this info helps!!
Rate if helps you!!
-JP-