15033 Views, 10 Helpful, 6 Replies

Cannot remove trust point

shah.maulik
Level 1

Good day all,

I need some help removing a trustpoint from an ASA. Recently I created a local trustpoint, created a self-signed certificate and enrolled it on the ASA to test AnyConnect. Now I'm stuck with that certificate, as the config didn't work out as expected. Can anybody suggest something?

Thanks,

Maulik

-------------------- I have attached the JPG from ASDM, which I received when I deleted the identity certificate from ASDM.

6 Replies

Marvin Rhoads
Hall of Fame

You may have used the created trustpoint in one of your VPN profiles.

You will need to remove it from being referenced there first and then you can delete it altogether.

If you don't remember where it is, just pull down your config and search the file for "localtrust" (the trustpoint name you used per your attachment).

Jason Gervia
Cisco Employee

I've seen this a few times - if it's not being referenced anywhere you may need to reboot the ASA in order to remove the trustpoint. 

--Jason

Yes, I do see a bug documented with respect to that behavior. Found in 8.4(1) and fixed in 8.4(2) or later.

shah.maulik
Level 1

Thanks guys for the response.

Marvin: I had deleted all related VPN profiles before I tried to remove the certificate and trustpoint.

bwwise
Level 1

We had applied a new certificate to our ASA 5505 and added it to the SSL settings per DigiCert's instructions.

When we tried to delete the certificate we received the error below.

[Error] no crypto ca trustpoint the trustpoint (trustpointname) noconfirm
The trustpoint appears to be in use. Unable to remove trustpoint.

The old certificate was still bound to IKEv2. This caused our AnyConnect clients to receive a "blocked servers" error message.

Check the AnyConnect profile on your computer to verify how it connects to the VPN:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Ours uses IKEv2:
<PrimaryProtocol>IPsec</PrimaryProtocol>

Line from the old config showing the trustpoint bound to IKEv2:
crypto ikev2 remote-access trustpoint ASDM_TrustPoint4

To correct the issue:
no crypto ikev2 remote-access trustpoint ASDM_TrustPoint4   (old expired certificate)
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0      (new trustpoint for the new certificate)

Now the new certificate is applied to IKEv2:

sh run | in ASDM_TrustPoint0
crypto ca trustpoint ASDM_TrustPoint0
crypto ca certificate chain ASDM_TrustPoint0
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 outside

Tested the AnyConnect clients and now we do not receive an error.
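Marvin's advice to pull the config and search for the trustpoint name, and bwwise's finding that a leftover "crypto ikev2 remote-access trustpoint" binding is what makes the ASA report "The trustpoint appears to be in use", both come down to the same step: enumerate every consumer of the trustpoint before issuing "no crypto ca trustpoint". The script below is an added example, not code from the thread or from Cisco. It takes a saved copy of "show running-config" and a trustpoint name, lists every line that still references the name outside the trustpoint's own definition and certificate chain (sub-mode lines are reported with their parent command, since ASA indents sub-mode commands by one space), and drafts the "no" commands to unbind it. The sample config is constructed; the "ikev1 trust-point" and "ikev2 local-authentication certificate" sub-commands under "tunnel-group ... ipsec-attributes" are real ASA bindings, but the exact "no" syntax for the sub-mode lines is inferred from the pattern bwwise used and should be checked on the device.

```python
"""Locate every binding of an ASA trustpoint before trying to delete it.

Added example (not from the thread). Assumes ASA running-config text:
top-level commands start in column 0, sub-mode commands are indented by
one space, and '!' lines are separators.
"""
import re
from typing import List, Tuple

# Constructed sample resembling the config discussed in the thread.
# ASDM_TrustPoint4 is the old certificate, ASDM_TrustPoint0 the new one.
SAMPLE_CONFIG = """\
: Saved
!
crypto ca trustpoint ASDM_TrustPoint4
 enrollment self
 subject-name CN=vpn.example.test
 keypair vpnkey
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 keypair vpnkey
 crl configure
crypto ca certificate chain ASDM_TrustPoint4
 certificate 5a1b2c3d
    308202a5 30820210 a0030201 02020503 ...
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00
    30820401 308202e9 a0030201 02020100 ...
  quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint4
ssl trust-point ASDM_TrustPoint0 outside
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint4
 ikev2 local-authentication certificate ASDM_TrustPoint4
"""

# These blocks *are* the trustpoint (definition and its certificate chain);
# they go away with `no crypto ca trustpoint NAME` and are not consumers.
SELF_BLOCK_PREFIXES = ("crypto ca trustpoint ", "crypto ca certificate chain ")


def find_trustpoint_references(config: str, name: str) -> List[Tuple[str, str]]:
    """Return (parent_command, line) for every line outside the trustpoint's own
    blocks that mentions `name` as a whole token. parent_command is "" for a
    top-level line. Whole-token matching keeps ASDM_TrustPoint4 from matching
    ASDM_TrustPoint40."""
    pattern = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
    refs: List[Tuple[str, str]] = []
    parent = ""
    in_self_block = False
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):  # a new top-level command
            parent = raw.rstrip()
            in_self_block = bool(
                any(parent.startswith(p) for p in SELF_BLOCK_PREFIXES)
                and pattern.search(parent)
            )
            if in_self_block:
                continue
            if pattern.search(parent):
                refs.append(("", parent))
        elif not in_self_block:  # sub-mode line of the current parent
            line = raw.strip()
            if pattern.search(line):
                refs.append((parent, line))
    return refs


def removal_commands(refs: List[Tuple[str, str]]) -> List[str]:
    """Draft the CLI that unbinds the trustpoint. Top-level bindings are negated
    directly (as in `no crypto ikev2 remote-access trustpoint X`); sub-mode
    bindings are negated after re-entering the parent mode. Assumed syntax:
    review on the device, and bind the replacement trustpoint in the same
    places or the VPN will have no certificate."""
    cmds: List[str] = []
    for parent, line in refs:
        if parent:
            cmds.append(parent)
            cmds.append(" no " + line)
        else:
            cmds.append("no " + line)
    return cmds


if __name__ == "__main__":
    for tp in ("ASDM_TrustPoint4", "ASDM_TrustPoint0"):
        refs = find_trustpoint_references(SAMPLE_CONFIG, tp)
        print(f"== {tp}: {len(refs)} reference(s)")
        for parent, line in refs:
            print("   " + (parent + " > " if parent else "") + line)
        print("\n".join(removal_commands(refs)))
```

Run it against the output of "show running-config" saved to a file (replace SAMPLE_CONFIG with the file contents). If it reports zero references and the ASA still refuses the delete, that is the situation Jason describes, where a reboot was needed on the affected 8.4(1) release.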

Very useful information!