I have been trying to enroll my ASA with the PKI CA.
I was wondering if someone can clarify what the purpose of a trustpoint is.
I have been searching, and according to this article, it says it's a container where certificates are stored, and that a trustpoint can store 2 certs, including the CA certificate and the ASA's own identity certificate.
I went to Configuration > Device Management > Certificate Management > CA Certificates and received the CA certificate. My understanding is that this step allows the ASA to trust the certificate that is signed by this CA. For the trustpoint name I used my-CA.
I then went to Configuration > Device Management > Certificate Management > Identity Certificates and tried to request an identity certificate. For the trustpoint name, I used the same name (my-CA). Looking at the error message I got, it seems like using the same trustpoint name for the CA certificate and the identity certificate is causing the issue.
[OK] crypto ca trustpoint my-CA
crypto ca trustpoint my-CA
[OK] revocation-check none
[OK] keypair Cert-Identity-Keypair
[OK] password xxxx
[OK] id-usage ssl-ipsec
[OK] no fqdn
[OK] subject-name CN=asa-5505,O=home,C=US,St=OH
[ERROR] enrollment url http://NDES/certsrv/mscep/mscep.dll
Trustpoint enrollment configuration cannot be changed for an authenticated trustpoint.
[ERROR] crypto ca authenticate my-CA nointeractive
You must use 'no crypto ca trustpoint <trustpoint-name>' to delete the CA certificate first.
[OK] crypto ca enroll my-CA noconfirm
So my question is, what name should I use for the trustpoint? And do we need a new trustpoint for every identity and CA certificate we install in the ASA?
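An added configuration example (not taken from the post or from Cisco's documentation) showing the order in which a single ASA trustpoint is normally built for SCEP enrollment: every enrollment setting goes in before the CA certificate is authenticated, because the error above says the enrollment URL cannot be changed once the trustpoint already holds a CA certificate. The trustpoint name, NDES URL, keypair label and subject are the ones in the post; the 2048-bit modulus and the placeholder challenge password are assumptions.

```cisco
! Added example, not the poster's configuration. Build the trustpoint
! completely, then authenticate it, then enroll: after 'crypto ca
! authenticate' stores the CA certificate, enrollment settings are frozen.

! 1. Key pair for the identity certificate (label from the post;
!    the 2048-bit modulus is an assumption).
crypto key generate rsa label Cert-Identity-Keypair modulus 2048

! 2. One trustpoint holds both the CA certificate and the ASA's own
!    identity certificate, so the same name is reused for both steps.
crypto ca trustpoint my-CA
 enrollment url http://NDES/certsrv/mscep/mscep.dll
 subject-name CN=asa-5505,O=home,C=US,St=OH
 keypair Cert-Identity-Keypair
 id-usage ssl-ipsec
 no fqdn
 revocation-check none
 ! one-time SCEP challenge issued by NDES; placeholder value
 password <OTP-from-NDES>

! 3. Fetch the CA certificate over SCEP. The ASA prints its fingerprint and
!    asks for confirmation; compare it with the value published by the CA
!    administrator before accepting.
crypto ca authenticate my-CA

! 4. Request the ASA's identity certificate from the same trustpoint.
crypto ca enroll my-CA

! 5. Confirm that both the CA and the identity certificate now sit in the
!    one trustpoint.
show crypto ca certificates my-CA
```

If the trustpoint was already authenticated with different enrollment settings, the ASA's own message above gives the way out: remove it with no crypto ca trustpoint my-CA and rebuild it in this order.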