08-10-2022 03:43 AM
I have defined trustpoints on my ASA.
My understanding is that these entities will be used as a CA with no requirement for the CSR to pass to a third party.
Compiled on Fri 27-May-22 15:35 GMT by builders
System image file is "boot:/asa9181-smp-k8.bin"
Config file at boot was "startup-config"
One trustpoint is configured with enrollment self; this one shows enrollment validated.
A second trustpoint is configured with enrollment terminal.
When I try to authenticate with the certificate I got through enrollment, I see the message below:
INFO: Certificate has the following attributes:
Fingerprint: e73648c3 3e772175 606ace3d 0e1ca901
Do you accept this certificate? [yes/no]: yes
WARNING: CA certificates can be used to validate VPN connections,
by default. Please adjust the validation-usage of this
trustpoint to limit the validation scope, if necessary.
% Error in saving certificate: status = FAIL
sslvpn(config)#
Q: Any suggestions on how to resolve this and progress the authentication of the trustpoint?
09-14-2022 01:32 AM
Hello,
To resolve this issue I had to get a base64 cert from an external CA source and then use crypto ca authenticate trustpoint-name.
08-11-2022 10:00 AM
Just to be clear for my understanding: you have already generated the CSR for your ASA's identity certificate, and now you want to upload the CA and sub-CA so that it does not need to check with third parties. Is that correct?
I assume you have the CSR already; if not:
crypto key generate rsa label ASAFIREWALL modulus 2048
crypto ca trustpoint Cert-Identity
enrollment terminal
fqdn vpn.asa.com
revocation-check none
id-usage ssl-ipsec
subject-name CN=abc.wxyz
keypair ASAFIREWALL
exit
!
crypto ca enroll Cert-Identity
This will generate the CSR for you on the ASA and display it on the ASA CLI terminal.
Once you have the identity certificate signed by a public or private CA, import the certificates separately in PEM format. The signed identity certificate is imported against the same trustpoint:
crypto ca import Cert-Identity certificate
Paste the identity certificate in PEM format on the CLI here.
If you have a CA and a sub-CA, create a trustpoint for each:
crypto ca trustpoint CA
enrollment terminal
exit
!
crypto ca authenticate CA
Paste the CA PEM here. If you have more than one CA, follow the same process and name the additional trustpoint SUB-CA.
Check this document; you will find it very helpful.
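A check worth running before pasting either file, added here as an example and not part of the answer above: crypto ca authenticate expects a CA certificate (basicConstraints CA:TRUE), while the signed identity certificate goes through crypto ca import &lt;trustpoint&gt; certificate. The script below classifies a PEM file accordingly and prints the fingerprint the ASA will ask you to accept, so it can be compared with the "Fingerprint:" line before answering yes. It assumes openssl 1.1.1 or newer is on the PATH, and it assumes the ASA fingerprint is the MD5 digest of the DER-encoded certificate (the four groups of eight hex digits shown in the thread match that length). The certificates it generates are throwaway test material, not certificates from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PEM certificate before
# pasting it into an ASA trustpoint, and show the fingerprint the ASA will
# ask you to accept.
#
# Assumptions: openssl 1.1.1 or newer is on PATH, and the ASA "Fingerprint:"
# line is the MD5 digest of the DER-encoded certificate, printed as four
# groups of eight hex digits.
set -eu

# Exit 0 if the certificate carries basicConstraints CA:TRUE (what
# "crypto ca authenticate <trustpoint>" expects); non-zero otherwise.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# MD5 fingerprint of the DER form, formatted like the ASA prompt
# (assumed format, see the lead-in).
asa_fingerprint() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -md5 -r \
        | cut -c1-32 \
        | sed 's/\(........\)/\1 /g; s/ $//'
}

# Tell the operator which ASA command the file belongs to.
classify_cert() {
    if is_ca_cert "$1"; then
        echo "CA certificate: crypto ca authenticate <trustpoint>"
    else
        echo "identity certificate: crypto ca import <trustpoint> certificate"
    fi
}

# Constructed test material: a throwaway root CA and a leaf it signs.
WORK=$(mktemp -d)
CA_PEM="$WORK/ca.pem"
LEAF_PEM="$WORK/leaf.pem"

openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Lab Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/ca.key" -out "$CA_PEM" 2>/dev/null

openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=vpn.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:FALSE\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA_PEM" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$LEAF_PEM" 2>/dev/null

# Report both files the way an operator would check them before pasting.
for f in "$CA_PEM" "$LEAF_PEM"; do
    echo "$f"
    echo "  Fingerprint: $(asa_fingerprint "$f")"
    echo "  $(classify_cert "$f")"
done
```

Run it against your own files by replacing CA_PEM and LEAF_PEM with the paths of the certificates you intend to paste; if the file you were about to give crypto ca authenticate is reported as an identity certificate, it belongs in crypto ca import instead.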
08-18-2022 04:04 AM
Thank you for your reply. Yes, I have been generating a CSR by defining a trustpoint, enrolling, and then authenticating against the trustpoint.
The trustpoint will be used as part of the SAML authentication.
crypto ca trustpoint AzureAD-AC-SAML
enrollment terminal
no ca-check
crl configure
08-18-2022 04:14 AM
Please see below; I tried another trustpoint that gave the same error.
My trustpoints default to the id-usage ssl-vpn.
The only trustpoint that will authenticate is one with enrollment self.
HNwh8AaMRg9yqjqq6sjy9nMARu/Dwi+FNEt07zqQhgfdILjYJt55x/Uc26/OzhC
VLYo7eY=
quit
INFO: Certificate has the following attributes:
Fingerprint: 5d2c4e37 8a6d5856 f2d191d3 88db3bd8
Do you accept this certificate? [yes/no]: ye
WARNING: CA certificates can be used to validate VPN connections,
by default. Please adjust the validation-usage of this
trustpoint to limit the validation scope, if necessary.
% Error in saving certificate: status = FAIL
NEU-ARK-ASAPVN01(config)#
crypto ca trustpoint CLI_TrustPoint1
enrollment terminal
subject-name CN=DRsslvpn.x.xx,OU=IT,O=xxx GROUP PLC,C=GB,St=Shxxx,L=Txxx
keypair anyconnect
crl configure