Error message for CA help

Unanswered Question
Oct 27th, 2007

Hi,

Can anyone advise me on the cause of this problem (Manually install 3rd party Vendor for use with WebVPN configuration, version 8.0)?

I have followed the configuration example and found this error message via the CLI.

Any kind reply would be appreciated.

FO: Certificate has the following attributes:

Fingerprint: 713cdfee 53530e1e 06fa7a41 b78a7779

Do you accept this certificate? [yes/no]: y

Trustpoint 'xx.Entrust.TrustPoint' is a subordinate CA and holds a non self-signed certificate.

Trustpoint 'xx.Entrust.TrustPoint' is a subordinate CA.

but certificate is not a CA certificate.

Manual verification required

Trustpoint CA certificate accepted.

% Certificate successfully imported

PHS-ASA(config)# CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 469C84D9, subject name: cn=xxxx.xxxx.com.xx,ou=IT,o=xxxxxxxx,l=xxx,c=xx.

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Current Certificate list contents:

Certificate 1:

SERIAL: 469c84d9

ISSUER: cn=Entrust.net Secure Server Certification Authority,ou=(c) 1999 Entrust.net Limited,ou=www.entrust.net/CPS incorp. by ref. (limits liab.),o=Entrust.net,c=US

CRYPTO_PKI: crypto_process_ra_certs(trust_point=PW.Entrust.TrustPoint)INFO: Certificate has the following attributes:

^

PHS-ASA(config)# ISSUER: cn=Entrust.net Secure Server Certification Authorit$

ISSUER: cn=Entrust.net Secure Server Certification Authority,ou=(c) 1999 Entrust.net Limited,ou=www.entrust.net/CPS incorp. by ref. (limits liab.),o=Entrust.n

et,c=US

tstanik Thu, 11/01/2007 - 15:35

If you get a certificate from a trusted 3rd party (i.e. Verisign/Thawte/etc.) to install on the appliance, then you shouldn't get the certificate warning pop-ups for anything that's encrypted by the SSL VPN appliance. For some certificates, manual install may be the only way. You need to check with the issuer of the certificate about such a problem.

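The CLI output in the question reports that the certificate loaded into the trustpoint "is not a CA certificate". As an added example (not part of the original thread and not Cisco code), the following stdlib-only Python reads the basicConstraints extension of a DER-encoded certificate, so a file can be checked before it is loaded as a CA certificate. The function names are hypothetical, and the two sample certificates are constructed in code with dummy key and signature fields.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def tlv(tag, *parts):
    """DER-encode one TLV; used only to build the constructed samples."""
    body = b"".join(parts)
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def children(buf):
    """Split DER content into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def inspect_cert(der):
    """Return (is_ca, self_issued) for a DER-encoded X.509 certificate."""
    tbs = children(children(children(der)[0][1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip optional [0] version
    is_ca, exts = False, [v for t, v in tbs if t == 0xA3]  # [3] extensions
    for _, ext in children(children(exts[0])[0][1]) if exts else []:
        fields = children(ext)
        if fields[0][1] == BASIC_CONSTRAINTS:
            bc = children(children(fields[-1][1])[0][1])
            is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    return is_ca, tbs[2][1] == tbs[4][1]  # second value: issuer == subject

def sample_cert(subject_cn, issuer_cn, ca):
    """Constructed sample with dummy key and signature; not a real certificate."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05))
    dummy = tlv(0x03, b"\x00" * 9)  # placeholder BIT STRING for key and signature
    bc = tlv(0x04, tlv(0x30, tlv(0x01, b"\xff") if ca else b""))
    ext = tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS), tlv(0x01, b"\xff"), bc)))
    validity = tlv(0x30, tlv(0x17, b"070101000000Z"), tlv(0x17, b"080101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg,
              name(issuer_cn), validity, name(subject_cn), tlv(0x30, alg, dummy), ext)
    return tlv(0x30, tbs, alg, dummy)

if __name__ == "__main__":
    for cn, ca in (("Constructed Root CA", True), ("vpn.example.test", False)):
        print(cn, inspect_cert(sample_cert(cn, "Constructed Root CA", ca)))
```

A PEM file has to be base64-decoded to DER before it is passed to `inspect_cert`; the check reads the extension only and does not verify any signature.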