This issue is due to the presence of Cisco bug ID CSCsf17411.
In this issue, certification authority (CA) certificate storage fails on the router. The execution of the crypto pki authenticate trustpoint-name command generates this output:
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Error in saving certificate: status = FAIL
This issue typically occurs in scenarios where the CA certificates do not contain a digital signature or data encryption key usage.
Cisco IOS software releases that are affected by this bug are listed in this affected versions list.
In order to work around this issue, add key usage flags to the CA certificate.
In order to completely resolve this issue, upgrade or downgrade to any of these Cisco IOS software releases:
Refer to Cisco Downloads in order to download the suggested Cisco IOS software releases.
%Error in saving certificate: status = FAIL
Certificates - Public Key Infrastructure (PKI)
I've tried to downgrade from 12.4.24T2 to 12.4.15T12, finding the same errors. I can't download 12.4.11T because it's deferred, and I don't know how to implement the workaround, i.e., adding "digital signature" or "data encryption" key usage flags to the Callmanager certs I need to import on the gateway for Secure SRST to work. Please let me know how to add these key usage flags or which IOS fixes this bug. I'm having big trouble with SRST since Callmanager is in Security Mixed Mode and normal SRST doesn't work, but Secure SRST can't be configured until I import the certificates, but I can't!!!
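Added example, not part of the original post or of Cisco's note: a standard-library Python check that reads the keyUsage extension from a DER-encoded certificate, so you can confirm before import whether a CA certificate carries either flag the note names. It assumes the note's "data encryption" corresponds to the X.509 dataEncipherment bit; the function names and the sample bytes are constructed for illustration.

```python
# Added example: report which keyUsage bits a DER-encoded X.509 certificate carries.
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, 2.5.29.15
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly"]

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def key_usage(der):
    """Return the keyUsage flag names, or None when the extension is absent."""
    stack = [der]
    while stack:
        for tag, val in children(stack.pop()):
            if not tag & 0x20:  # primitive type: nothing to descend into
                continue
            kids = list(children(val))
            if kids and kids[0] == (0x06, KEY_USAGE_OID):
                # Extension ::= SEQUENCE { OID, [critical], OCTET STRING { BIT STRING } }
                _, bits, _ = read_tlv(kids[-1][1], 0)
                unused, data = bits[0], bits[1:]
                count = min(len(data) * 8 - unused, len(BIT_NAMES))
                return [BIT_NAMES[i] for i in range(count)
                        if data[i // 8] & (0x80 >> (i % 8))]
            stack.append(val)
    return None

def lacks_noted_usage(der):
    """True when neither flag named in the note is set (absent extension counts, by assumption)."""
    return not {"digitalSignature", "dataEncipherment"} & set(key_usage(der) or [])

def tlv(tag, *parts):  # tiny encoder for the constructed samples (short lengths only)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(bitstring):  # constructed certificate skeleton, not a real CallManager cert
    ext = tlv(0x30, tlv(0x06, KEY_USAGE_OID), tlv(0x01, b"\xff"), tlv(0x04, tlv(0x03, bitstring)))
    return tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, ext))))

CA_SIGN_ONLY = sample(b"\x01\x06")  # keyCertSign + cRLSign only
CA_WITH_DS = sample(b"\x01\x86")    # digitalSignature + keyCertSign + cRLSign
```

For a real PEM file, convert it first with `ssl.PEM_cert_to_DER_cert()` from the standard library and pass the result to `key_usage()`.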