[c-nsp] ASA 5520, unable to find matching cert with digital key usage

Andy Mrozek (amrozek) amrozek at cisco.com
Fri Dec 11 18:24:51 EST 2009


Scott,

Does your trustpoint have the key you generated the CSR with defined as
follows:

crypto ca trustpoint samplecompany
 enrollment terminal
 fqdn asa.samplecompany.com
 subject-name CN=asa,O=sample.com,C=US,St=California,L=SanFran
 keypair mykeypairname
 ignore-ipsec-keyusage
 ignore-ssl-keyusage
 crl configure


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Friday, December 11, 2009 1:12 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA 5520,unable to find matching cert with digital key usage

Hi, I'm getting the following error and I've popped it in to do a search but
I'm not finding much and not understanding what I did find.

    The background: I am using ASA 5520 hardware.  I am trying to create a
trust point for certificate based authentication.  I create the enrollment
request without issue, submit it to our CA server and receive the new cert.
I've generated the keys and everything happens error free until I go to
import the new cert.  I first authenticate the trust point with the CA cert
which seems to be error free but when I do a
#crypto ca import "trust-point-name" certificate
and paste the cert I receive the "can't find certificate with digital key
usage" error.  When googling all it says is to set key options but doesn't
explain what that means or what options.  What am I missing?  Any pointers
would be greatly appreciated.

Thank you
Scott
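
Added example (not part of the original thread and not Cisco code): a standard-library Python check of which Key Usage bits a CA set on an issued certificate, which is what the ignore-ssl-keyusage and ignore-ipsec-keyusage trustpoint options above refer to. It assumes the import error relates to the Key Usage extension of the returned certificate, which the thread does not confirm; the function names are this example's own and the two sample byte strings are constructed extension fragments, not real certificates.

```python
import base64
import re

KU_OID = bytes.fromhex("0603551d0f")  # DER TLV for OID 2.5.29.15 (keyUsage)
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
            "encipherOnly", "decipherOnly"]  # bit 0 .. bit 8 (RFC 5280)

def pem_to_der(pem):
    """Decode the first PEM certificate block in `pem` to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def key_usage(der):
    """Return Key Usage names set in `der` (found by OID bytes), or None if absent."""
    i = der.find(KU_OID)
    if i < 0:
        return None
    tag, val, nxt = read_tlv(der, i + len(KU_OID))
    if tag == 0x01:  # optional BOOLEAN "critical" flag precedes the value
        tag, val, nxt = read_tlv(der, nxt)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING after keyUsage OID")
    tag, bits, _ = read_tlv(val, 0)
    if tag != 0x03 or len(bits) < 2:
        raise ValueError("expected BIT STRING inside keyUsage value")
    payload = bits[1:]  # bits[0] is the count of unused trailing bits
    return [name for n, name in enumerate(KU_NAMES)
            if n // 8 < len(payload) and payload[n // 8] & (0x80 >> (n % 8))]

# Constructed extension fragments (not real certificates), for demonstration.
ENC_ONLY = bytes.fromhex("300e 0603551d0f 0101ff 0404 03020520")  # critical
SIG_ENC = bytes.fromhex("300b 0603551d0f 0404 030205a0")

if __name__ == "__main__":
    print(key_usage(ENC_ONLY), key_usage(SIG_ENC))
```

For a certificate file returned by the CA, call key_usage(pem_to_der(text)) on the file's contents and check whether digitalSignature is in the result.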
