Authenticating CA on a Cisco Router 880

Unanswered Question
Oct 17th, 2008
User Badges:

Hi! I'm trying to auth my CA from my 880 cisco router, but get this message:

"% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

%PKI-3-UNUSABLE_KEY_USAGE: Key-usage type 'Certificate-Signing' for cert with serial number 65 is not usable."

I understand that the router maybe wants the KeyEncipherment, but how can this be? CertificateSigning is what a CA is for, isn't it?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Anonymous (not verified) Thu, 10/23/2008 - 08:50
User Badges:

The error message says that the given key-usage type is not usable by IOS. If seen during an import operation, this will likely cause the import to fail. Acceptable key-usage types should include Key-encipherment and/or digital-signature. Other key-usage types may be present, but will be ignored.

Recommended Action: Recreate the certificate with key-encipherment, digital-signature, or both.

The below URL helps you to configure certificates on IPsec devices:

To install and authenticate the CA certificates associated with a trustpoint, use the crypto ca authenticate command in global configuration mode.

Refer the below URL for more information:


This Discussion