
Trustpoint when installing identity certificate via ASDM

mflanigan
Level 1

I obtained an identity certificate via a CSR to a CA. It installed successfully, but ASDM put it under a new trustpoint, which does not have the CA cert in the trustpoint chain. The CA cert from the issuing CA is on the ASA under a different trustpoint. I do not have any options to specify the trustpoint that I can see. How can I get the CA cert and the identity cert on the same trustpoint? ASA 5510 version 8.0(3), ASDM 6.0. Thanks


4 Replies

Herbert Baerten
Cisco Employee

First of all, I don't think this should cause any problem, does it?

Anyway, if you would like to have both certs under the same trustpoint (TP), I think the easiest way is to:

- delete the TP that has the CA cert

- add a new CA cert, and as TP name use the name of the existing TP that has your identity cert

Just tried it with 8.3 / asdm 6.3 and it works fine, so I suppose it should be ok in 8.0/6.0 as well.


hth

Herbert

Herbert,

Thanks for your reply. It's not really causing any operational problems - I only noticed it because I can't export the identity cert via ASDM, because it lacks a CA cert under the same TP. I think your suggestion will work for me. Since I can't export under ASDM, the doc I read implies I can cut and paste using the hex representation of the cert in the CLI. If that's not correct, please indicate, otherwise I think the question is answered.

Regards,

Mike F

Hi Mike,

the CA cert you can probably get from the CA, right?

But if not, or if you find it easier, then yes importing the hex representation from the CLI should work although I haven't tested this - you may need to add a PEM header and trailer.

Alternatively you can probably also do the entire operation via the CLI, i.e. copy the certificate chain (containing the CA cert) of the one TP, delete that TP, add the CA cert to the other chain.

hth
Herbert
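To make the CLI route Herbert describes in both of his replies concrete, here is an added example (my own script, not from this thread and not Cisco's code). It converts between the PEM a CA hands you and the hex form the ASA keeps under `crypto ca certificate chain <TP>` in its running-config, so you can lift the CA cert out of one trustpoint's chain block and re-emit it under the other trustpoint's name, or add the PEM header and trailer to a hex blob copied from the CLI. The chain-block layout it emits (8-character hex groups, eight per line, `certificate ca <serial>` / `quit`) is reproduced from memory and is an assumption; the sample DER at the bottom is a constructed stub with a certificate-shaped outer structure, not a real certificate.

```python
"""PEM <-> ASA running-config hex for 'crypto ca certificate chain' blocks.

Added example for the thread above; not from the original post or from Cisco.
Assumptions: the ASA prints certificate bytes as hex in 8-character groups,
eight groups per line, under ' certificate ca <serial>' and ends with '  quit'.
The sample DER below is a constructed stub, not a real X.509 certificate.
"""
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_TRAILER = "-----END CERTIFICATE-----"
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]+$")


def _read_tlv(buf, off):
    """Parse one DER tag-length-value at buf[off]; return (tag, value, next_off)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_serial_hex(der):
    """Serial number of a DER certificate as hex (what follows 'certificate ca')."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE expected")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE expected")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional explicit [0] version field
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    return value.hex()


def asa_hex_to_der(text):
    """Collect the hex data lines of a pasted chain block; skip header/quit lines."""
    tokens = []
    for line in text.splitlines():
        parts = line.split()
        if parts and all(HEX_TOKEN.match(p) for p in parts):
            tokens.extend(parts)
    return binascii.unhexlify("".join(tokens))


def der_to_pem(der):
    """Add the PEM header and trailer (64-column base64) the CLI import needs."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_TRAILER]) + "\n"


def pem_to_der(pem):
    """Strip header/trailer and decode the base64 body back to DER."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.strip().startswith("-----"))
    return base64.b64decode(body)


def der_to_asa_hex(der):
    """Hex in 8-character groups, eight per line (assumed ASA running-config style)."""
    h = der.hex()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    return "\n".join(" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8))


def asa_chain_block(trustpoint, der):
    """Emit a chain block that can be pasted under a different trustpoint name."""
    hex_lines = "\n".join("    " + l for l in der_to_asa_hex(der).splitlines())
    return (f"crypto ca certificate chain {trustpoint}\n"
            f" certificate ca {der_serial_hex(der)}\n"
            f"{hex_lines}\n"
            f"  quit\n")


# Constructed stub: SEQUENCE { SEQUENCE { [0] INTEGER 2, INTEGER 0x0a1b2c } }.
# Only the outer shape matches a certificate; it is NOT a real X.509 object.
SAMPLE_DER = bytes.fromhex("300c300aa00302010202030a1b2c")

if __name__ == "__main__":
    block = asa_chain_block("TP_Identity", SAMPLE_DER)   # hypothetical TP name
    print(block)
    print(der_to_pem(asa_hex_to_der(block)))
```

`der_to_pem()` is the "add a PEM header and trailer" step: feed its output to `crypto ca authenticate <TP>` on a trustpoint configured with `enrollment terminal`, and run `openssl x509 -in ca.pem -noout -subject -issuer` on it first to confirm what you copied out of the running-config really is the issuing CA cert before you delete the old trustpoint. Afterwards `show crypto ca certificates` should list the CA cert and the identity cert under the same trustpoint.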

Herbert,

Thanks, that's what I had hoped.

Regards,

Mike Flanigan
