Cisco Support Community

New Member

RA Certificates


My question is about RA certificates - I have a Microsoft CA with SCEP installed. SCEP is the RA and requests a certificate from the CA on behalf of the client. But when I enroll an ASA via SCEP, while the certificate is pending, two certificates appear as 'RA' when I do 'show crypto ca certificates'. When I issue the ID certificate on the CA, these 'RA' certificates disappear on the ASA - what exactly are these certificates, and why are they there and then disappear? This is also the same when enrolling a VPN client.

Thanks for your help!


Cisco Employee

Re: RA Certificates


Here is what I did. I had the ASA and SCEP configured for Microsoft CA.

I generated the CSR on the ASA - at that time, this was the output of sh cry ca cert

Subject Name:


Status: Pending terminal enrollment

Key Usage: General Purpose

Fingerprint: ccccccb bbbbbb9 90f5ebb4 ab37e34a

After that, I got the CA certificate through SCEP and installed the identity certificate which I obtained from the Microsoft CA server.

Can you please send me the "sh cry ca cert" output and also a snippet of your config so I can check the crypto trustpoint configured?



New Member

Re: RA Certificates

Hi Gilbert,

Thanks for your response! I have MS Word screenshots of exactly what I did, but it was live for a customer and contains sensitive info - I will recreate it in my lab straight away!

However - here are my events:

Generate RSA general keys

Create trustpoint with SCEP URL and then reference the RSA key label just generated

Crypto CA authenticate

Accept the cert

Show crypto ca certs shows the CA cert

Crypto ca enroll - answer the questions, certificate is pending.

It is now that these 'RA' certs x2 appear under 'show crypto ca certs'.

Issue the certificate on the CA

Show crypto ca cert shows Root and ID cert and the 'RA' certs disappear?

Exactly the same happens on VPN client...

What are these RA certs, etc.?

Thanks for your help Gilbert :-)