Cisco Support Community
Community Member

Failed to use own CA and sub-CA

Hello everybody,

I am having an issue with using my own CA.

I have the certificates from the CA and sub-CA at hand in all kinds of formats (.der, .pem, .p12)

  • I've created the trustpoint (MAINCA) in ASA via CLI and provided details (subject-name, fqdn, enrollment terminal, NO SERIAL)
  • I've generated the CSR on the ASA from CLI with no problems (enroll the trustpoint).
  • I've saved the CLI output of the CSR to a file
  • I let the sub-CA process the CSR - and the CA has processed it as well just to give it a try
  • I have the certificate ready, formatted as .der and .pem

As mentioned in Cisco Documentation I now have to authenticate the trustpoint with

crypto ca authenticate MAINCA

where the trustpoint-name is the same as the one from creating a trustpoint just a little earlier.

  • I can paste the characters from the .pem file of either the CA or the sub-CA with no problem at all
  • I finish as asked with quit
  • I get the info that the certificate has a fingerprint - ok - and whether I would like to accept the certificate - yes is what I entered.

The process is, however, aborted with:

% Error in saving certificate: status = FAIL

I started a debug as well - but I don't get it

CRYPTO_PKI: can not set ca cert object (0x701)
CRYPTO_PKI: status = 65535: failed to process RA certificate
CRYPTO_PKI: Cleaned PKI cache successfully
CRYPTO_PKI: Starting to build the PKI cache
CRYPTO_PKI: Failed to retrieve router cert
CRYPTO_PKI: Failed to cache certificate chain for the trustpoint MAINCA or none available
CRYPTO_PKI: Failed to retrieve trusted issuers list or no trustpoint configured

Can somebody clear the sky, please?


AFAIK the ASA does not handle CA hierarchy. You can use the sub-CA in your trustpoint. You may create another trustpoint for the root CA but it's not necessary.
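As an added example (not from this thread, Cisco, or the ASA itself), the following OpenSSL script builds a throwaway root CA, a sub-CA signed by it, and an identity certificate issued by the sub-CA from a CSR, then runs the two checks worth doing before pasting a CA certificate into "crypto ca authenticate": that the candidate CA certificate's subject is really the identity certificate's issuer, and that the identity certificate validates with only that CA as trust anchor. All DNs, file names and the work directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway root CA -> sub-CA -> identity cert built with OpenSSL,
# plus the two checks to run before "crypto ca authenticate <trustpoint>".
# All names, DNs and paths are constructed for this demo.
set -eu
WORK=$(mktemp -d)

# Build the root CA, a sub-CA signed by it, and an identity cert the sub-CA issues
# from a CSR (the CSR stands in for the one the ASA printed after "crypto ca enroll").
build_chain() {
  [ -f "$WORK/asa.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/subca.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/subca.ext" -days 30 -out "$WORK/sub.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=asa.example.test" \
    -keyout "$WORK/asa.key" -out "$WORK/asa.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/asa.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 30 -out "$WORK/asa.pem" 2>/dev/null
}

# Print a DN ($2 = subject or issuer) of cert $1 in RFC 2253 form, prefix stripped.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'; }

# Check 1: the CA cert you are about to paste must be the actual issuer of the
# identity cert, i.e. its subject DN must equal the identity cert's issuer DN.
issuer_matches() { [ "$(dn "$1" issuer)" = "$(dn "$2" subject)" ]; }

# Check 2: the identity cert must validate with ONLY that CA cert as trust anchor.
# -partial_chain lets a non-self-signed sub-CA act as the anchor, which is the
# situation when the trustpoint is authenticated with the sub-CA instead of the root.
validates_against() { openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1; }

report() {  # $1 = identity cert, $2 = candidate CA cert
  if issuer_matches "$1" "$2" && validates_against "$1" "$2"; then
    echo "$(dn "$2" subject): OK to authenticate the trustpoint with"
  else
    echo "$(dn "$2" subject): NOT the direct issuer of $(dn "$1" subject)"
  fi
}

build_chain
report "$WORK/asa.pem" "$WORK/sub.pem"    # sub-CA signed the CSR: OK
report "$WORK/asa.pem" "$WORK/root.pem"   # root did not: NOT the direct issuer
```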

Community Member

I'm having the same issue.

Did you find a way to load your Certs?

Were they using SHA256 by any chance?
