[c-nsp] ASA 5520, unable to find matching cert with digital key usage
Andy Mrozek (amrozek)
amrozek at cisco.com
Fri Dec 11 18:24:51 EST 2009
Scott,
Does your trustpoint have the key you generated the CSR with defined as
follows:
crypto ca trustpoint samplecompany
 enrollment terminal
 fqdn asa.samplecompany.com
 subject-name CN=asa,O=sample.com,C=US,St=California,L=SanFran
 keypair mykeypairname
 ignore-ipsec-keyusage
 ignore-ssl-keyusage
 crl configure
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Friday, December 11, 2009 1:12 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA 5520,unable to find matching cert with digital key usage
Hi, I'm getting the following error and I've popped it in to do a search but I'm not finding much and not understanding what I did find.
The background: I am using ASA 5520 hardware. I am trying to create a trust point for certificate based authentication. I create the enrollment request without issue, submit it to our CA server and receive the new cert. I've generated the keys and everything happens error free until I go to import the new cert. I first authenticate the trust point with the CA cert which seems to be error free but when I do a
#crypto ca import "trust-point-name" certificate
and paste the cert I receive the "can't find certificate with digital key usage" error. When googling all it says is to set key options but doesn't explain what that means or what options. What am I missing? Any pointers would be greatly appreciated.
Thank you
Scott