07-22-2019 05:39 AM
What’s the impact of configuring the ‘no ca-check’ command?
crypto ca trustpoint IDP
no ca-check
What does the ca-check mean?
Thank you.
vrian
07-22-2019 07:50 PM
Enable or disable the basic constraints extension and CA flag.
[no] ca-check
The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension. The presence of these items in a certificate indicates that the certificate’s public key can be used to validate certificate signatures.
The ca-check command is enabled by default, so you need to enter this command only if you want to disable basic constraints and the CA flag.
ciscoasa/contexta(config-ca-trustpoint)# no ca-check
09-17-2021 08:39 AM
Self-signed (non-CA) certificates do not have the basic constraints CA flag but ASA requires that for the trustpoint.
It is necessary to add 'no ca-check' to the trustpoint before adding the self-signed certificate. Currently I also would like to know how to work around that in FTD/FMC.
A SAML IdP often has self-signed certificate which must be added as a trusted certificate (trustpoint) in ASA and this is the only way.
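To see concretely what the ca-check described above inspects, and why a self-signed non-CA IdP certificate fails it, here is an added example (not from this thread or from Cisco): a tiny DER encoder/decoder for the X.509 Extensions block that reads the basicConstraints cA flag (OID 2.5.29.19). The `needs_no_ca_check` helper name and the constructed extension bytes are assumptions for illustration.

```python
# Added example: read the basicConstraints cA flag (OID 2.5.29.19) from a DER Extensions block.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19 in DER OID encoding

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def basic_constraints_ext(ca: bool) -> bytes:
    """Build a critical basicConstraints Extension; in DER, cA=FALSE is omitted (DEFAULT)."""
    bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")   # BasicConstraints SEQUENCE
    body = tlv(0x06, BASIC_CONSTRAINTS_OID)             # extnID
    body += tlv(0x01, b"\xff")                          # critical BOOLEAN
    return tlv(0x30, body + tlv(0x04, bc))              # extnValue OCTET STRING

def extensions(*exts: bytes) -> bytes:
    return tlv(0x30, b"".join(exts))                    # Extensions SEQUENCE

def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def iter_seq(body: bytes):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def ca_flag(extensions_der: bytes):
    """Return True/False for the cA flag, or None if basicConstraints is absent."""
    _, body, _ = read_tlv(extensions_der, 0)
    for _, ext in iter_seq(body):
        fields = list(iter_seq(ext))            # [extnID, (critical), extnValue]
        if fields[0][1] != BASIC_CONSTRAINTS_OID:
            continue
        _, bc, _ = read_tlv(fields[-1][1], 0)   # BasicConstraints inside the OCTET STRING
        return any(t == 0x01 and v != b"\x00" for t, v in iter_seq(bc))
    return None

def needs_no_ca_check(extensions_der: bytes) -> bool:
    """Hypothetical helper: True when the trustpoint import would need 'no ca-check'."""
    return ca_flag(extensions_der) is not True
```

A typical self-signed IdP certificate either omits basicConstraints entirely (`None`) or carries it without cA, so the helper reports that the trustpoint needs 'no ca-check'; a CA certificate yields `True` and imports with the default check left on.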
09-19-2021 04:57 AM
@Peter Koltl I replied to your similar question in this thread: