
Trustpoint issue

Hi,

I have been trying to enroll my ASA with the PKI CA.

I was wondering if someone can clarify what the purpose of a trustpoint is.

I have been searching, and according to this article, it says it's a container where certificates are stored, and that a trustpoint can store 2 certs, including the CA certificate and the ASA's own identity certificate.

https://supportforums.cisco.com/document/52076/certificate-backup-and-installation-trustpoints

I went to Configuration > Device Management > Certificate Management > CA Certificates and received the CA certificate. My understanding is that this step allows the ASA to trust the certificates that are signed by this CA. For the trustpoint name I used my-CA.

I then went to Configuration > Device Management > Certificate Management > Identity Certificates and tried to request an identity certificate. For the trustpoint name, I used the same name (my-CA). Looking at the error message I got, it seems like using the same trustpoint name for the CA certificate and the identity certificate is causing the issue.

[OK] crypto ca trustpoint my-CA
      crypto ca trustpoint my-CA
[OK] revocation-check none
[OK] keypair Cert-Identity-Keypair
[OK] password xxxx
[OK] id-usage ssl-ipsec
[OK] no fqdn
[OK] subject-name CN=asa-5505,O=home,C=US,St=OH
[ERROR] enrollment url http://NDES/certsrv/mscep/mscep.dll
     Trustpoint enrollment configuration cannot be changed for an authenticated trustpoint.

[ERROR] crypto ca authenticate my-CA nointeractive
     You must use 'no crypto ca trustpoint <trustpoint-name>' to delete the CA certificate first.

[OK] crypto ca enroll my-CA noconfirm

So my question is, what name should I use for the trustpoint? And do we need a new trustpoint for every identity and CA certificate we install in the ASA?

Thanks

1 Accepted Solution

pjain2
Cisco Employee

You need to generate a CSR and send it to the CA; they will provide you with the ID cert and the root CA cert; install the ID cert first and then the root CA cert.

3 Replies


Thank you. I tried as you suggested and it works. Basically I had to create a CSR, and since I am using an internal PKI it was auto-approved, and the ASA also added the CA certificate automatically.
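The flow the thread converges on (keypair, CSR, CA issues the identity certificate, the CA certificate in the trustpoint is what lets the device validate that identity certificate) can be reproduced off-box with openssl. The script below is an added example, not configuration from the thread or from Cisco; it uses openssl as a stand-in for both the ASA's CSR generation and the internal PKI, writes everything to a scratch directory, and reuses the subject fields from the original post (the ASA's "St=OH" is spelled "ST" in openssl). The names my-CA, other-CA, asa-id.crt and asa-wrong.crt are constructed for the demonstration; the second CA exists only to show what happens when an identity certificate was not issued by the CA held in the trustpoint.

```shell
#!/bin/sh
# Added example: openssl stand-in for the ASA trustpoint workflow (not the thread's config).
# Assumed: openssl is installed; all files go to a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (device side): an RSA keypair plus a CSR carrying the subject from the thread.
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/asa.key" 2>/dev/null
  openssl req -new -key "$WORK/asa.key" \
    -subj "/C=US/ST=OH/O=home/CN=asa-5505" -out "$WORK/asa.csr" 2>/dev/null
}

# Step 2 (CA side): a self-signed root, standing in for the internal PKI.
make_ca() {  # usage: make_ca <ca-name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -subj "/C=US/O=home/CN=$1" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Step 3: the CA signs the CSR and returns the identity certificate.
sign_csr() {  # usage: sign_csr <ca-name> <output-cert-file>
  openssl x509 -req -in "$WORK/asa.csr" -days 365 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2" 2>/dev/null
}

# Step 4: what the CA certificate stored in the trustpoint is for - checking that
# the identity certificate chains to it. Exit status 0 means the chain is valid.
verify_identity() {  # usage: verify_identity <ca-name> <identity-cert-file>
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2" >/dev/null 2>&1
}

# Subject of an issued certificate, for inspection.
identity_subject() {  # usage: identity_subject <cert-file>
  openssl x509 -in "$WORK/$1" -noout -subject
}

# Stand-alone run: happy path plus the mismatched-CA failure case.
if [ "${1:-}" = "demo" ]; then
  make_csr
  make_ca my-CA
  make_ca other-CA
  sign_csr my-CA asa-id.crt
  sign_csr other-CA asa-wrong.crt
  identity_subject asa-id.crt
  verify_identity my-CA asa-id.crt && echo "asa-id.crt chains to my-CA"
  verify_identity my-CA asa-wrong.crt || echo "asa-wrong.crt does NOT chain to my-CA"
fi
```

Run it with `sh trustpoint-demo.sh demo`. The second verification fails because the trustpoint's CA certificate and the identity certificate must belong to the same PKI; that pairing is why one trustpoint holds both. It also explains the error in the original post: once `crypto ca authenticate` has installed the CA certificate, the ASA reports that the trustpoint's enrollment configuration cannot be changed, so the enrollment url, subject-name and keypair need to be in place on the trustpoint before it is authenticated and enrolled.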

Hi!!
What if I don't have a certificate authority? Is a self-signed solution possible?