ASA 8.0(4) Manually Install 3rd Party Vendor Certificates Problem

Unanswered Question
Jul 28th, 2010


I am having a problem installing the 3rd-party vendor certificate.

I successfully installed the certificate one year ago, but recently I had to renew the certificate (Entrust) and have to reinstall it. I used the same steps as before, when I first installed the certificate one year ago.

The steps I have done are as follows:

1) Generate a Public Key e.g. ABCkey

asa(config)# crypto key generate rsa label ABCkey modulus 1024
INFO: The name for the keys will be: ABCkey

Keypair generation process begin. Please wait...

2) Create trust point:

asa(config)# crypto ca trustpoint ABCtrustpoint

asa(config-ca-trustpoint)# subject-name,ou=IT-UC,o=ABC Limited,l=Australia,c=AU
asa(config-ca-trustpoint)# keypair entrust.key
asa(config-ca-trustpoint)# enrollment terminal
asa(config-ca-trustpoint)# exit
asa(config)# crypto ca enroll entrust
% Start certificate enrollment .

After that it generated a CSR, and I sent it to Entrust to get a certificate.

3) Install certificate:

asa(config)# crypto ca import ABCtrustpoint certificate

The error message is:

Cannot import certificate -
   Certificate does not contain device's General Purpose public key
   for trust point entrust
ERROR: Failed to parse or verify imported certificate

4)  I have made sure the public key is there

show crypto key mypubkey rsa

Do I have to uninstall all the old certificates before I can renew my certificate? If so, how can I uninstall them via the command line?

edadios Wed, 07/28/2010 - 18:32

Try following this document instead

Otherwise, the message you are getting suggests you got a bad cert from the provider.

Try following the steps again, and request the cert again.

I hope this helps you.


rachelau_2005 Wed, 07/28/2010 - 22:39


How can I do it through the command line interface?


Kind regards,


edadios Thu, 07/29/2010 - 00:07

The document you followed is actually correct, though I thought it may have been easier for you, and possibly fewer mistakes, if you follow the ASDM.

In any case, the error message you got suggests that the certificate you got from the provider is corrupt or incomplete.

So I suggest re-requesting the certificate from them, and try it again.

I hope that helps you.
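
The ASA error quoted in this thread says the imported certificate does not contain the public key of the trustpoint's key pair. The script below is an added example, not code from the thread or from Cisco, that checks this off-box by comparing the public key in the CSR with the one in the issued certificate; it assumes both are saved as PEM files on a workstation with OpenSSL, and the function names, file names and subject are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check that an issued certificate carries the same public key
# as the CSR that was submitted to the CA. All names here are hypothetical.

# Print the SHA-256 of the DER-encoded public key in a PEM CSR or certificate.
# $1 = "req" (CSR) or "x509" (certificate), $2 = PEM file
pubkey_fingerprint() {
    local pem
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1      # unparsable input must never compare equal
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if the keys match, 1 if they differ, 2 if a file cannot be parsed.
# $1 = CSR file, $2 = certificate file
cert_matches_csr() {
    local csr_fp cert_fp
    csr_fp=$(pubkey_fingerprint req "$1") || return 2
    cert_fp=$(pubkey_fingerprint x509 "$2") || return 2
    [ "$csr_fp" = "$cert_fp" ]
}

# Constructed sample data: two RSA key pairs (a, b), a self-signed certificate
# for each (standing in for the CA-issued one), and a CSR made from key a only.
make_sample() {
    local d=$1 n
    for n in a b; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null || return 1
        openssl req -x509 -new -key "$d/$n.key" -subj "/CN=asa.example.test" \
            -days 1 -out "$d/$n.crt" 2>/dev/null || return 1
    done
    openssl req -new -key "$d/a.key" -subj "/CN=asa.example.test" \
        -out "$d/a.csr" 2>/dev/null
}

# Usage: ./check_cert.sh request.csr issued.crt
if [ $# -eq 2 ]; then
    if cert_matches_csr "$1" "$2"; then
        echo "certificate matches the CSR key pair"
    else
        echo "certificate does NOT match the CSR (or a file is unreadable)"
    fi
fi
```

A mismatch means the certificate was issued for a different key pair than the one that produced the CSR; an unparsable file points to a damaged or incomplete PEM.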

