Problems with installing cert on ASA 5510

Unanswered Question
Jul 21st, 2008

Short version: I can generate an Identity Cert request for my ASA 5510, but when I try to submit to an issuing authority, I get errors and cannot seem to get a working identity cert.

Longer version:

The device in question is an ASA 5510, primarily pulling duty now as a VPN server until we can phase it in as a firewall. The ASA version is 8.0(3) and the ASDM version is 6.1(1).

Well, I did some digging around here and found this link:

and followed the steps exactly through step 2. I took the resulting certificate request file and sent it to our web master who tried both at Verisign and at GoDaddy to generate an identity cert, but every time the CA tells us that there is an error with the organization name.

Can anyone here help walk me through the steps to get a cert on this ASA? Thanks!

ggilbert Tue, 07/22/2008 - 08:22
User Badges: Cisco Employee

Hello Chad,

Can you please try to follow the link given below and let me know if this works out.

If you still get the error, can you please give me the output of the following.

a. What is the hostname on the ASA?

b. output of "sh domain-name"

c. output of "sh cry ca trustpoint"



chad-young Wed, 07/23/2008 - 09:55

Ok, read the link and tried it. Got to step #2, but cannot complete step 3 because the issuing authority does not like the request. I suspect this line from the article tells the tale:

"Note: Some 3rd party vendors require particular attributes to be included before an identity certificate is issued. If you are unsure of the required attributes, check with your vendor for details."

Would it be easier to get the cert from Cisco or some other provider? We use GoDaddy and Verisign, but I can use just about anyone, as long as it works!

Ok, to answer your questions.


b. charon# sh domain-name


ERROR: % Invalid input detected at '^' marker. (^ is pointing to domain-name)

c. charon# sh cry ca trustpoint

Trustpoint ASDM_TrustPoint0:

Not authenticated.

Hope this helps!

Thanks for your assistance on this matter. I am relatively new to the Cisco world and have much yet to learn.

chad-young Wed, 07/23/2008 - 10:01

Oops, did a sh run and found:


Is this perhaps the problem?

ggilbert Wed, 07/23/2008 - 11:18
User Badges: Cisco Employee

So, what is the name that the users will be accessing the ASA as?


In this case, the ASA hostname would be ciscovpn. If it would be different then you would need to put in the right subject-name on the trustpoint.

Can you please send me the output for

---> sh run crypto ca trustpoint

Question: Are you installing the Root Certificate before installing the Identity certificate on the ASA?

chad-young Thu, 07/24/2008 - 10:26

"Question: Are you installing the Root Certificate before installing the Identity certificate on the ASA?"

In a previous attempt at getting a cert from Verisign, I had installed their Root Certificate, but, at this time, I do not have a root certificate installed. I just downloaded the 'Valicert Root Certificate' from GoDaddy. I assume I need to install this, correct?

Do I need to change domain-name to the domain the end-user sees (

Thanks again for your continued help!

ggilbert Thu, 07/24/2008 - 10:42
User Badges: Cisco Employee

Yes, you need to have the right domain-name that the users will be accessing it as, and, like I said in my previous reply, you need to have the right hostname as well.

Once you get the Identity certificate from the vendor, you can double-click on that certificate and under the certification path, you should see the Root CA which issued your Identity certificate.

You need to install that root certificate.

Let me know if this helps.
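To make the two points ggilbert raises concrete (set the subject-name on the trustpoint when the public name differs from the ASA's own hostname/domain-name, and install the issuing CA's root before importing the identity certificate), here is an added ASA CLI illustration. It is not configuration from the thread or from Cisco's linked document; the trustpoint names, key label, `vpn.example.com`, the organisation string and the country are placeholders to be replaced with your own values.

```cisco
! Added illustration, not from the thread. All names/values are placeholders.
!
! --- Trustpoint as it typically ends up when created from ASDM ---
! No subject-name is set, so the CSR subject is derived from the ASA's
! hostname and domain-name alone: the CA sees a CN built from the inside
! name and no O= (organisation) or C= attribute, which some public CAs reject.
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 keypair <Default-RSA-Key>
!
! --- Corrected trustpoint ---
! Subject and FQDN are stated explicitly, so the ASA's hostname and
! domain-name (still needed for inside name resolution) can stay unchanged.
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint GODADDY-VPN
 enrollment terminal
 keypair VPN-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp,C=US
!
! Step 1: generate the CSR; paste the PEM block it prints into the CA's request form
crypto ca enroll GODADDY-VPN
!
! Step 2: authenticate the trustpoint with the CA's root (and any intermediate)
!         BEFORE the identity certificate, otherwise the import fails
crypto ca authenticate GODADDY-VPN
!
! Step 3: import the identity certificate returned by the CA
crypto ca import GODADDY-VPN certificate
!
! Step 4: present this certificate on the interface VPN users connect to
ssl trust-point GODADDY-VPN outside
!
! Verify: the trustpoint should now list both a CA certificate and an identity certificate,
! and the identity certificate's subject should show the public name, not the inside one
show crypto ca certificates
```

The CN in `subject-name` (and the `fqdn`) must be exactly the name clients type or resolve to reach the VPN, since that is what the browser or AnyConnect client compares against the certificate; the ASA's own `hostname` and `domain-name` are not consulted by the client at all, which is why they can be left on the internal naming scheme.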



chad-young Fri, 07/25/2008 - 06:18

Gilbert, thanks again for your continued assistance. I tried what you have suggested and have realized that the problem is a design issue. Our inside domain name and outside domain names are different. If I set the domain name in the ASA to match the outside name, people cannot browse the internal network by name. If I set the domain name to our inside domain name, then the cert request fails.

I guess my next step is to address our naming/design issue and revisit this later.


ggilbert Fri, 07/25/2008 - 06:58
User Badges: Cisco Employee


Thanks a lot for letting me know.

Rate this post, if it helped you.
