Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

ASA: CRYPTO_PKI: Unable to read CA/RA certificates


I have setup a Win2003 Server where I install a CA/RA server for SCEP enrollment of my ASA5510. I entered the following config on the ASA:


crypto key generate rsa

crypto ca trustpoint MYTRUSTPOINT

crl optional

enrollment url http://x.x.x.x/certsrv/mscep/mscep.dll

subject-name cn=ASA5510

Meanwhile I configured the CA Server for SCEP support by intalling the mscep executable from the Resource Kit.

If I try to get the CA's Certificate using crypto ca authenticate MYTRUSTPOINT, i only get this error messages on my ASA console:

Crypto CA thread wakes up!

CRYPTO_PKI: Sending CA Certificate Request:

GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ITSS HTTP


Host: x.x.x.x

CRYPTO_PKI: http connection opened

CRYPTO_PKI: Unable to read CA/RA certificates.Crypto CA thread sleeps!

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0

I have tried to reinstall the CA and SCEP over and over again but I still get the same error all the time. Is there anything wrong with my config?

Please help me with my problem. I promise to give 5-points to anybody who can help me solve my problem. Thank you in advance.



Re: ASA: CRYPTO_PKI: Unable to read CA/RA certificates

You could be hitting with this bug : check the details of this bug :CSCeb54402

New Member

Re: ASA: CRYPTO_PKI: Unable to read CA/RA certificates


I cannot find this particular Bug ID in the CCO. Can you send me some info from your own list if there is any?

thanks so much for your response,


New Member

Re: ASA: CRYPTO_PKI: Unable to read CA/RA certificates


Yes now I see the Bug details. But the one I am actually using is a ASA5510, I have also already upgraded it to 7.2.2 (from previous 7.0.7). I have tried this same setup before using Windows2000 Server and ASA5520, and it works. But this time I am having quite a trouble making this thing work.


Cisco Employee

Re: ASA: CRYPTO_PKI: Unable to read CA/RA certificates

Have you checked the pending requests on the CA server or other logs to see if the CA is even getting the request?


CreatePlease to create content