cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13740
Views
5
Helpful
8
Replies

No SSL trust-points configured

james.king14
Level 1
Level 1

Working on VPN and we are getting errors stating no TP found.  Did a sh ssl/ sh run ssl and got weird information back but need help with understanding TP's 

2 Accepted Solutions

Accepted Solutions

pjain2
Cisco Employee
Cisco Employee

these logs are expected as you do not have the root cert to verify the certs that the client is sending:

CRYPTO_PKI: Verifying certificate with serial number: 039F, subject name: cn=DOD EMAIL CA-31,ou=PKI,ou=DoD,o=U.S. Government,c=US, issuer_name: cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US, signature alg: SHA1/RSA.

CRYPTO_PKI(Cert Lookup) issuer="cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US" serial number=03 9f                                              |  ..

CRYPTO_PKI: No suitable TP status.

for Eg. Make sure you have the root cert issued for: "cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US"

once you have configured the trauspoint, you need to bind it to the interface as well:
ssl trustpoint <name> <interface name>

also there are ldap errors:
[58] Simple authentication for admin12 returned code (49) Invalid credentials [58] Failed to bind as administrator returned code (-1) Can't contact LDAP server

this means that the ASA is not able to bind to the LDAP server using the admin account; can you check the login password for the ldap server in the ASA's config.

View solution in original post

rvarelac
Level 7
Level 7

Hi James, 

Basically  a Trust-point is where the certificate is stored on the ASA.

The logs you are having 

No SSL trust-points configured

Is because you don't have any trustpoint active for the SSL  configuration. In order to enable the certificate for SSL you need to add the following command:

SSL trustpoint < TP_name>  <interface_name>

Eg:

SSL trustpoint My_TP outside 

Hope it helps

-Randy-

View solution in original post

8 Replies 8

pjain2
Cisco Employee
Cisco Employee

these logs are expected as you do not have the root cert to verify the certs that the client is sending:

CRYPTO_PKI: Verifying certificate with serial number: 039F, subject name: cn=DOD EMAIL CA-31,ou=PKI,ou=DoD,o=U.S. Government,c=US, issuer_name: cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US, signature alg: SHA1/RSA.

CRYPTO_PKI(Cert Lookup) issuer="cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US" serial number=03 9f                                              |  ..

CRYPTO_PKI: No suitable TP status.

for Eg. Make sure you have the root cert issued for: "cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US"

once you have configured the trauspoint, you need to bind it to the interface as well:
ssl trustpoint <name> <interface name>

also there are ldap errors:
[58] Simple authentication for admin12 returned code (49) Invalid credentials [58] Failed to bind as administrator returned code (-1) Can't contact LDAP server

this means that the ASA is not able to bind to the LDAP server using the admin account; can you check the login password for the ldap server in the ASA's config.

Thank you guys for the quick response on this issue. 

I did change the password for the LDAP user and thank.

I tried the command and got a new error, "(config)# ssl trust-p ASDM_TrustPoint1 outside
ERROR: Trustpoint not enrolled.  Please enroll trustpoint and try again."  I am not sure what to check next, we are trying to get a CA from DoD or Verisign.

Looking at other discussion on the support page.  This happens when you create your CA on a Domain Controller and the “Domain Controllers”  security group is missing from the “CERTSVC_DCOM_ACCESS” Domain Local Security Group.  Yes, I did create the CA  with a DC.  Which is my TP1.  Does this way of creating CA cause a lot of issues

Hi James, 

The certificate applied to the SSL  trust point needs to be an identity certificate, not a CA certificate .

-Randy-

thank you Randy,

That was very helpful!  I finally got it to work..WHEW! 

I have but one more question, I and getting separate error that comes up on certain users. 

CRYPTO_PKI: No Tunnel Group Match for peer certificate.

rvarelac
Level 7
Level 7

Hi James, 

Basically  a Trust-point is where the certificate is stored on the ASA.

The logs you are having 

No SSL trust-points configured

Is because you don't have any trustpoint active for the SSL  configuration. In order to enable the certificate for SSL you need to add the following command:

SSL trustpoint < TP_name>  <interface_name>

Eg:

SSL trustpoint My_TP outside 

Hope it helps

-Randy-

hi randy,
Im using asa5516. when sh run, I can't find any line with "no ssl trust-point <TP_name> <int_name>"
Is there anything wrong?
when i sh crypto ca certif Ive got every information

could you help?

Hi @rvarelac, few weeks ago, I had an issue on several ASA firewalls. The monitoring system was sending alarms regarding SSL sensor Certificate   "Warning due to lookup value 'No' in channel 'Trusted root certification authority' - Warning due to lookup value 'Unable to check revocation status' in channel 'Revoked' (OK. Certificate Common Name:
CN=ASA Temporary Self Signed Certificate - Certificate Thumbprint:
0CEF476C7716448BAAA913123967E828203FFE86)"

On CSM, I noticed the trustpoint interface was missing and I added it. The warning then disappears only on several ASA.They all have the trustpoint interface enable.

Any clue?

 

MJ666
Level 1
Level 1

hi randy,
Im using asa5516. when sh run, I can't find any line with "no ssl trust-point <TP_name> <int_name>"
Is there anything wrong?
when i sh crypto ca certif Ive got every information

could you help?