10-12-2010 01:30 PM - edited 02-21-2020 04:06 AM
I obtained an identity certificate via a CSR to a CA. It installed successfully, but ASDM put it under a new trustpoint, which does not have the CA cert in the trustpoint chain. The CA cert from the issuing CA is on the ASA under a different trustpoint. I do not have any options to specify the trustpoint that I can see. How can I get the CA cert and the identity cert on the same trustpoint? ASA 5510 version 8.0(3), ASDM 6.0. Thanks
10-17-2010 04:14 PM
First of all, I don't think this should cause any problem, does it?
Anyway, if you would like to have both certs under the same trustpoint (TP), I think the easiest way is to:
- delete the TP that has the CA cert
- add a new CA cert, and as TP name use the name of the existing TP that has your identity cert
Just tried it with 8.3 / asdm 6.3 and it works fine, so I suppose it should be ok in 8.0/6.0 as well.
hth
Herbert
10-17-2010 06:31 PM
Herbert,
Thanks for your reply. It's not really causing any operational problems - I only noticed it because I can't export the identity cert via ASDM, because it lacks a CA cert under the same TP. I think your suggestion will work for me. Since I can't export under ASDM, the doc I read implies I can cut and paste using the hex representation of the cert in the CLI. If that's not correct, please indicate, otherwise I think the question is answered.
Regards,
Mike F
10-19-2010 03:44 AM
Hi Mike,
the CA cert you can probably get from the CA, right?
But if not, or if you find it easier, then yes importing the hex representation from the CLI should work although I haven't tested this - you may need to add a PEM header and trailer.
Alternatively you can probably also do the entire operation via the CLI, i.e. copy the certificate chain (containing the CA cert) of the one TP, delete that TP, add the CA cert to the other chain.
hth
Herbert
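As an added illustration of the "hex representation plus PEM header and trailer" step Herbert describes (this is not code from the thread or from Cisco): the script takes a certificate hex dump in the shape it appears under a trustpoint's `crypto ca certificate chain` block in an ASA running-config, checks that the pasted blob is complete by comparing the outer DER length field against the number of bytes actually decoded (a missed row is the usual cut-and-paste failure), and wraps the result in PEM. The trustpoint name, serial and certificate bytes are constructed placeholders, and the eight-groups-per-line layout is an assumption about the config dump format.

```python
import base64
import binascii

def build_chain_block(der: bytes, trustpoint: str = "EXAMPLE-TP") -> str:
    # Mimic the running-config layout (assumed): eight 8-digit hex groups per row,
    # then 'quit'. Trustpoint name and serial ('01') are placeholders.
    h = binascii.hexlify(der).decode()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    rows = ["    " + " ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
    return f"crypto ca certificate chain {trustpoint}\n certificate ca 01\n" + "\n".join(rows) + "\n  quit\n"

# Constructed stand-in for a certificate: a 132-byte DER SEQUENCE using the
# long-form length encoding (0x82 ...) that real certificates also use.
SAMPLE_DER = b"\x30\x82\x00\x80" + b"\x04\x7e" + b"\x00" * 126
SAMPLE_CHAIN_BLOCK = build_chain_block(SAMPLE_DER)

def extract_hex(config_text: str) -> str:
    # Keep only the hex rows; the 'crypto ca', 'certificate' and 'quit' lines are not hex.
    rows = [ln.strip().replace(" ", "") for ln in config_text.splitlines()]
    return "".join(r for r in rows if r and all(c in "0123456789abcdefABCDEF" for c in r))

def declared_length(der: bytes) -> int:
    # Total size (header + content) claimed by the outer SEQUENCE's length field.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected leading 0x30)")
    if der[1] < 0x80:                       # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: 0x8N then N length bytes
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def hex_to_der(hexdump: str) -> bytes:
    # Decode the pasted hex and confirm no row was lost in the cut-and-paste.
    der = binascii.unhexlify(hexdump)
    if len(der) != declared_length(der):
        raise ValueError(f"DER header says {declared_length(der)} bytes, got {len(der)}")
    return der

def der_to_pem(der: bytes) -> str:
    # Add the PEM header and trailer; base64 body wrapped at 64 columns.
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def chain_block_to_pem(config_text: str) -> str:
    return der_to_pem(hex_to_der(extract_hex(config_text)))

def paste_is_complete(config_text: str) -> bool:
    try:
        return bool(hex_to_der(extract_hex(config_text)))
    except (ValueError, binascii.Error):
        return False
```

The length check only proves the blob is intact; which trustpoint the resulting PEM belongs under is still a matter of matching the CA cert's subject to the identity cert's issuer.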
10-19-2010 09:01 PM
Herbert,
Thanks, that's what I had hoped.
Regards,
Mike Flanigan