What’s the impact of configuring the ‘no ca-check’ command?

vrian_colaba
Level 1

What’s the impact of configuring the ‘no ca-check’ command?

 

crypto ca trustpoint IDP

 no ca-check

What does the ca-check mean?

 

Thank you.

 

vrian

 

3 Replies

balaji.bandi
Hall of Fame

Enable or disable the basic constraints extension and CA flag.

[no] ca-check

The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension. The presence of these items in a certificate indicates that the certificate’s public key can be used to validate certificate signatures.

The ca-check command is enabled by default, so you need to enter this command only if you want to disable basic constraints and the CA flag.

Example:

ciscoasa/contexta(config-ca-trustpoint)# no ca-check

BB


Peter Koltl
Level 7

Self-signed (non-CA) certificates do not have the basic constraints CA flag, but ASA requires that for the trustpoint.
It is necessary to add 'no ca-check' to the trustpoint before adding the self-signed certificate. Currently I also would like to know how to work around that in FTD/FMC.
A SAML IdP often has a self-signed certificate which must be added as a trusted certificate (trustpoint) in ASA, and this is the only way.
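As an added example that is not part of the thread and not Cisco's code, the script below uses the openssl command line to build two self-signed certificates, one carrying the basic constraints extension with CA:TRUE and one with CA:FALSE, and applies to each the same test that the ASA's default ca-check applies to a trustpoint certificate (the answer above describes that extension and flag; the reply above describes the self-signed IdP case that fails it). It assumes openssl is on PATH; the subject name idp.example.test, the config sections and the function names are constructed for the example. Whether a self-signed certificate carries the CA flag depends on how it was generated: openssl's own default self-signed output typically sets CA:TRUE, while an IdP-generated signing certificate commonly omits the extension or sets CA:FALSE, which is exactly the case where the trustpoint needs 'no ca-check'. Running the check against the real IdP certificate before importing it tells you in advance whether the import will be rejected.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Cisco: emulate the test that
# the ASA's default "ca-check" applies to a trustpoint certificate, using openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config, constructed for this example. Passing -config and
# -extensions explicitly keeps the system openssl.cnf defaults (often a v3_ca
# section with CA:TRUE) out of the output, so each certificate carries exactly
# the extensions named in its section.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = idp.example.test
[idp_no_ca]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
[idp_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_cert <extension-section> <basename>: self-signed cert and key in $WORK
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -extensions "$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# basic_constraints <cert.pem>: print the Basic Constraints block, if present
# (the header line and the CA:TRUE / CA:FALSE line that follows it)
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' || true
}

# ca_check <cert.pem>: exit 0 when the certificate carries the basic
# constraints extension with CA:TRUE, which is what the ASA's default ca-check
# requires of a trustpoint certificate; exit 1 when the extension is absent or
# says CA:FALSE, the cases where the trustpoint needs 'no ca-check'.
ca_check() {
    basic_constraints "$1" | grep -q 'CA:TRUE'
}

for name in idp_ca idp_no_ca; do
    make_cert "$name" "$name"
    if ca_check "$WORK/$name.pem"; then
        echo "$name.pem: CA:TRUE present, accepted with the default ca-check"
    else
        echo "$name.pem: no CA flag, rejected unless the trustpoint has 'no ca-check'"
    fi
done
```

To test a real IdP certificate, run ca_check against the PEM file the IdP exported; if it exits 1, configure 'no ca-check' under the trustpoint before 'crypto ca authenticate'. Because the check only needs the parsed extension, the same grep works for a certificate you only have as a file and never needs the private key.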