Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Unable to save a certificate on the router and the "% Error in saving certificate: status = FAIL" error message appears

Core issue

This issue is due to the presence of Cisco bug ID CSCsf17411.

In this issue, certification authority (CA) certificate storage fails on the router. The execution of the crypto pki authenticate trustpoint-name command generates this output:

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Error in saving certificate: status = FAIL

This issue typically occurs in scenarios where the CA certificates do not contain a digital signature or data encryption key usage.

Cisco IOS  software releases that are affected by this bug are listed in this affected versions list.

Resolution

In order to workaround this issue, add key usage flags to the CA certificate.

In order to completely resolve this issue, upgrade or downgrade to any of the these Cisco IOS software releases:

  • Cisco IOS Software Release 12.4(8b)

  • Cisco IOS Software Release 12.4(11.1)

  • Cisco IOS Software Release 12.4(10a)

  • Cisco IOS Software Release 12.4(11.1)T

Refer to Cisco Downloads in order to download the suggested Cisco IOS software releases.

Frequency

Continuously

Error

%Error in saving certificate: status = FAIL

Cisco IOS Software Version

12.4

Features & Tasks

Digital certificates

VPN Protocols

Certificates - Public Key Infrastructure (PKI)

Version history
Revision #:
1 of 1
Last update:
‎06-17-2009 10:15 PM
Updated by:
 
Labels (1)
Comments
New Member

I've tried to downgrade from 12.4.24T2 to 12.4.15T12 finding the same errors.
I can't download 12.4.11T because it's deferred and
I don't know how to implement the workaround , i.e., adding "digital signature" or "data encryption"
key usage flags to the Callmanager certs I need to import on the gateway for Secure SRST to work.

Please let me know how to add these key usage flags or which IOS fixes this bug.

I'm having big trouble with SRST since Callmanager is in Security Mixed Mode and normal
SRST doesn't work, but Secure SRST can't be configured until I import the certificates, but I can't!!!