New Member

ASA Local CA certificate enrollment invitation


I have been looking for the answer for a while.....

My ASA is version 8.2.1

I am planning to use the ASA local CA to distribute certificates for SSL VPN users.

After I create a user and e-mail the OTP, you get an e-mail like the one below.

(The following example is found at


Date: 12/22/06


From: Wuseradmin

Subject: Certificate Enrollment Invitation

You have been granted access to enroll for a certificate.

The credentials below can be used to obtain your certificate.

One-time Password: C93BBB733CD80C74

Enrollment is allowed until: 15:54:31 UTC Thu Dec 27 2006

NOTE: The one-time password is also used as the passphrase to unlock the certificate file.

Please visit the following site to obtain your certificate:


You may be asked to verify the fingerprint/thumbprint of the CA certificate

during installation of the certificates. The fingerprint/thumbprint should be:

MD5: 76DD1439 AC94FDBC 74A0A89F CB815ACC

SHA1: 58754FFD 9F19F9FD B13B4B02 15B3E4BE B70B5A83


My question is where the hostname (wu5520-FO.frdevtestad.local) of the URL is from.

I thought it was from the hostname of the ASA, so I changed the hostname of the ASA.

However, the URL did not change.

Any comment would be greatly appreciated.



New Member

Re: ASA Local CA certificate enrollment invitation

According to the Cisco document, the hostname of the URL comes from the hostname and domain name configured on the ASA.

My ASA used to have the following hostname and domain name.

hostname: aaa

domain name:

Currently my ASA has the following hostname and domain name.

hostname: aaa

domain name:

I expected the URL to change to aaa, but the URL stays

Is this something which will change after rebooting ASA?


Cisco Employee

ASA Local CA certificate enrollment invitation

Taro, did you try resetting the CA server process after changing the FQDN of the ASA? That is what is used by the ASA when sending out the email.

ASA Local CA certificate enrollment invitation

Hello Taro,

Agree with Atri,

I have not dealt with these cases, but it makes sense that you need to reset the CA server, as it's basically using a different configuration set for the FQDN.

As soon as you enable the ASA CA capability the URL will be created based on the FQDN, so as it's up and running it will not change... That's how I see it,

Give it a try and let us know,

I think you can only remove the CA config with

clear config crypto ca server

So be careful,



Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura
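
An added example, not part of any post in this thread and not Cisco code: a check an administrator could run on an enrollment invitation before it reaches users, confirming that the URL host is the FQDN they expect and that the stated MD5/SHA1 fingerprints match the CA certificate's DER bytes. The host name, URL path and certificate bytes below are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Fingerprint lines in the invitation look like "MD5: 76DD1439 AC94FDBC ...".
FP_RE = re.compile(r"^[ \t]*(MD5|SHA1):[ \t]*((?:[0-9A-Fa-f]{8}[ \t]*)+)$", re.M)
URL_RE = re.compile(r"https?://\S+")


def cisco_fingerprint(der: bytes, algo: str) -> str:
    """Hash the certificate's DER bytes; group the hex in blocks of 8."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def parse_invitation(text: str):
    """Return ({algo: lowercase hex}, enrollment URL host or None)."""
    fps = {m.group(1).lower(): re.sub(r"\s", "", m.group(2)).lower()
           for m in FP_RE.finditer(text)}
    url = URL_RE.search(text)
    return fps, (urlsplit(url.group(0)).hostname if url else None)


def check_invitation(text: str, ca_der: bytes, expected_fqdn: str) -> list:
    """List every mismatch between the e-mail and what the admin expects."""
    fps, host = parse_invitation(text)
    problems = []
    if host is None:
        problems.append("no enrollment URL found")
    elif host != expected_fqdn.lower():
        problems.append(f"URL host {host!r} is not {expected_fqdn!r}")
    if not fps:
        problems.append("no CA fingerprint found")
    for algo, stated in fps.items():
        actual = cisco_fingerprint(ca_der, algo).replace(" ", "").lower()
        if actual != stated:
            problems.append(f"{algo} fingerprint does not match CA certificate")
    return problems


# Constructed sample: stand-in bytes, not a real certificate, and a made-up host.
SAMPLE_DER = b"constructed stand-in for the CA certificate DER bytes"
SAMPLE_MAIL = (
    "Please visit the following site to obtain your certificate:\n"
    "https://asa1.example.test/enroll-placeholder\n"
    f"MD5: {cisco_fingerprint(SAMPLE_DER, 'md5')}\n"
    f"SHA1: {cisco_fingerprint(SAMPLE_DER, 'sha1')}\n"
)

if __name__ == "__main__":
    print(check_invitation(SAMPLE_MAIL, SAMPLE_DER, "asa1.example.test"))
    print(check_invitation(SAMPLE_MAIL, SAMPLE_DER, "asa2.example.test"))
```

A stale host in the URL, as described in the thread, shows up as a single entry in the returned list while the fingerprints still match.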