I have a question regarding certificate-handling in the ASA (for example for using it for AnyConnect).
I'm not talking of the internal CA here, just about handling certificates coming from an external CA.
If you configure a trustpoint on the ASA - can the trustpoint itself contain a whole hierarchy of certificates? For example, one root-CA-certificate, one intermediate-CA-certificate, and one certificate for the ASA itself, where the ASA holds the private key, too?
For me it would be logical, but I can't do it. I always have to configure a separate trustpoint for each level - in this case two: One for the certificate of the root-CA, the second for the intermediate-CA. The second then also holds the certificate of the ASA itself.
Is this really the "right" way to do it? I get everything to work (validation and stuff) when using the second way, but I'm confused because of the command "crypto ca certificate chain <trustpoint>", which for me indicates that it should indeed be possible to have a complete chain of certificates, a complete hierarchy so to speak, associated with this trustpoint.
The documentation didn't help me out here.
Thanks for clarification.