Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5892
Views
0
Helpful
7
Replies

SSL Trustpoint not authenticated

Cisco Freak
Level 4
Level 4

‎05-30-2016 08:58 AM

Hi All,

I was checking the configuration of SSL in an ASA and I found that trustpoint is not authenticated. However, when I access the ASA using https, I get the correct SSL certificate assigned to this point. 

VPN# sh crypto ca trustpoints

Trustpoint SSL:
Not authenticated.


Trustpoint ASDM_Launcher_Access_TrustPoint_0:
Configured for self-signed certificate generation.

Can you please tell me why this shows as not authenticated. I imported the SSL certificate to this ASA from another ASA.

CF

1 person had this problem
Labels:
0 Helpful
7 Replies 7

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎05-30-2016 09:12 AM

Hi,

Could you share the output of show run all ssl ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Cisco Freak
Level 4
Level 4
In response to Aditya Ganjoo

‎05-30-2016 10:04 AM

VPN# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point SSL inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl certificate-authentication fca-timeout 2
VPN#

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Cisco Freak

‎05-30-2016 10:09 AM

Hi,

I do not see the SSL trustpoint enabled on the outside interface.

It has been enabled on the inside interface.

From where do you access the VPN ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Cisco Freak
Level 4
Level 4
In response to Aditya Ganjoo

‎05-30-2016 11:50 AM

Oh sorry.. This is an ASA which is still not pushed to production. I was accessing it from internal LAN.. :) 

I have an SSL trustpoint mapped to inside interface and it gives the correct SSL cert too.

But that SSL trustpoint is shown as 'not authenticated' ..that's what my confusion is.

CF

0 Helpful

Paul Chapman
Level 4
Level 4
In response to Cisco Freak

‎05-30-2016 02:49 PM

Hi -

The "SSL" TP is probably missing both the root chain and the private key.

"show run crypto ca trustpoint" will likely reflect this.

PSC

0 Helpful

Cisco Freak
Level 4
Level 4
In response to Paul Chapman

‎05-30-2016 04:29 PM

I don't think so because, I can see the certificate chain and a valid certificate, when I access the ASA from inside.

0 Helpful

Paul Chapman
Level 4
Level 4
In response to Cisco Freak

‎05-31-2016 09:53 AM

Hi CF -

Can't tell if you don't post the requested output.

PSC

0 Helpful
Customers Also Viewed These Support Documents