10-04-2015 12:28 PM
Hi,
I have been trying to enroll my ASA with the PKI CA.
I was wondering if someone can clarify what the purpose of a trustpoint is.
I have been searching, and according to this article, it is a container where certificates are stored; it says that a trustpoint can store 2 certs, including the CA certificate and the ASA's own identity certificate.
https://supportforums.cisco.com/document/52076/certificate-backup-and-installation-trustpoints
I went to Configuration > Device Management > Certificate Management > CA Certificates and received the CA certificate. My understanding is that this step allows the ASA to trust certificates that are signed by this CA. For the trustpoint name I used my-CA.
I then went to Configuration > Device Management > Certificate Management > Identity Certificates and tried to request an identity certificate. For the trustpoint name, I used the same name (my-CA). Looking at the error message I got, it seems like using the same trustpoint name for the CA certificate and the identity certificate is causing the issue.
[OK] crypto ca trustpoint my-CA
crypto ca trustpoint my-CA
[OK] revocation-check none
[OK] keypair Cert-Identity-Keypair
[OK] password xxxx
[OK] id-usage ssl-ipsec
[OK] no fqdn
[OK] subject-name CN=asa-5505,O=home,C=US,St=OH
[ERROR] enrollment url http://NDES/certsrv/mscep/mscep.dll
Trustpoint enrollment configuration cannot be changed for an authenticated trustpoint.
[ERROR] crypto ca authenticate my-CA nointeractive
You must use 'no crypto ca trustpoint <trustpoint-name>' to delete the CA certificate first.
[OK] crypto ca enroll my-CA noconfirm
So my question is, what name should I use for the trustpoint? And do we need a new trustpoint for every identity and CA certificate we install in the ASA?
Thanks
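For readers hitting the same "cannot be changed for an authenticated trustpoint" error, here is an added example of the CLI sequence that avoids it. It is not from the thread or from Cisco; the trustpoint name, key pair label, subject and NDES URL are taken from the question above, the RSA modulus is an assumed choice, and the challenge password is a placeholder. The point it illustrates is that a single trustpoint is meant to hold both the CA certificate and the ASA's identity certificate, and that the enrollment settings must be configured before the trustpoint is authenticated.

```cisco
! Added example, not the original poster's configuration.
! One trustpoint (my-CA) ends up holding two certificates: the CA's and the
! ASA's own identity certificate. Order matters: enrollment settings first,
! then authenticate (fetch CA cert), then enroll (CSR via SCEP).

! 1. Key pair the identity certificate will be bound to (2048-bit is an assumed choice)
crypto key generate rsa label Cert-Identity-Keypair modulus 2048

! 2. Trustpoint with ALL enrollment settings in place before any certificate is in it
crypto ca trustpoint my-CA
 enrollment url http://NDES/certsrv/mscep/mscep.dll
 keypair Cert-Identity-Keypair
 subject-name CN=asa-5505,O=home,C=US,ST=OH
 no fqdn
 id-usage ssl-ipsec
 password NDES-CHALLENGE-PASSWORD-PLACEHOLDER
 revocation-check none
 exit

! 3. Authenticate: download the CA certificate into the trustpoint and confirm its fingerprint
crypto ca authenticate my-CA

! 4. Enroll: the ASA builds the CSR, submits it over SCEP and stores the returned identity cert
crypto ca enroll my-CA

! 5. Both certificates should now be listed under the one trustpoint
show crypto ca certificates my-CA
```

Two practical notes. First, the fingerprint shown during `crypto ca authenticate` is the only thing binding the ASA to the genuine CA; compare it against the value published by the CA operator out of band before accepting it. Second, `revocation-check none` (copied from the question) means a revoked identity or peer certificate chaining to this CA will still be accepted; on a production device, pointing `revocation-check` at CRL or OCSP is the safer setting once the CA publishes revocation data.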
10-05-2015 03:36 AM
You need to generate a CSR and send it to the CA; they will provide you with the ID cert and the root CA cert; install the ID cert first and then the root CA cert.
10-05-2015 09:23 AM
Thank you. I tried as you suggested and it works. Basically I had to create a CSR, and since I am using an internal PKI, it was auto-approved and the ASA also automatically added the CA certificate.
11-30-2022 04:44 PM
Hi!!
What if I don't have a certificate authority? Is a self-signed solution possible?