[c-nsp] ASA 5520, unable to find matching cert with digital key usage
Scott Granados
gsgranados at comcast.net
Fri Dec 11 18:37:26 EST 2009
Hi, I only have the items as far as keypair=name.key. I used the
configuring ASA with Microsoft CA and digital certs example on the Cisco
site. Didn't list any of the other options. I did figure out this error
though, the problem was with the CA server. It was injecting my username in
instead of the fqdn and the data I provided in the request. Now I'm
struggling with a group 1 configured for group 2 error but I think I
understand what that is.
Thanks for the response
Scott
----- Original Message -----
From: <andymrozek at yahoo.com>
To: "'Scott Granados'" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Friday, December 11, 2009 3:21 PM
Subject: RE: [c-nsp] ASA 5520,unable to find matching cert with digital key usage
> Scott,
>
> Does your trustpoint have the key you generated the CSR with defined as
> follows:
>
> crypto ca trustpoint samplecompany
> enrollment terminal
> fqdn asa.samplecompany.com
> subject-name CN=asa,O=sample.com,C=US,St=California,L=SanFran
> keypair mykeypairname
> ignore-ipsec-keyusage
> ignore-ssl-keyusage
> crl configure
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, December 11, 2009 1:12 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA 5520,unable to find matching cert with digital key usage
>
> Hi, I'm getting the following error and I've popped it in to do a search
> but I'm not finding much and not understanding what I did find.
>
> The background: I am using ASA 5520 hardware. I am trying to create a
> trust point for certificate based authentication. I create the enrollment
> request without issue, submit it to our CA server and receive the new cert.
>
> I've generated the keys and everything happens error free until I go to
> import the new cert. I first authenticate the trust point with the CA cert
> which seems to be error free but when I do a
> #crypto ca import "trust-point-name" certificate
> and paste the cert I receive the "can't find certificate with digital key
> usage" error. When googling all it says is to set key options but doesn't
> explain what that means or what options. What am I missing? Any pointers
> would be greatly appreciated.
>
> Thank you
> Scott
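The root cause reported at the top of this thread (the CA substituting a username for the FQDN and the requested data) can be caught before import by comparing the issued certificate with the CSR. The script below is an added example, not part of the thread: its function names, file names and sample subjects are constructed, the self-signed certificates stand in for CA output, and treating a missing Digital Signature bit as a trigger for the ASA message is an assumption based on the error's wording.

```shell
#!/bin/sh
# Added example (not from the thread): compare an issued certificate with its CSR.

subject_of() {  # $1 = req|x509, $2 = file; prints the subject in RFC 2253 form
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

pubkey_of() {   # $1 = req|x509, $2 = file; prints the PEM public key
  openssl "$1" -in "$2" -noout -pubkey
}

# $1 = CSR, $2 = issued cert. Prints one line per problem; returns 0 only if none.
check_issued_cert() {
  rc=0
  if [ "$(pubkey_of req "$1")" != "$(pubkey_of x509 "$2")" ]; then
    echo "public key differs from the CSR (wrong keypair for this trustpoint)"; rc=1
  fi
  if [ "$(subject_of req "$1")" != "$(subject_of x509 "$2")" ]; then
    echo "subject rewritten by the CA: requested '$(subject_of req "$1")', issued '$(subject_of x509 "$2")'"; rc=1
  fi
  if ! openssl x509 -in "$2" -noout -text | grep -A1 'X509v3 Key Usage' \
       | grep -q 'Digital Signature'; then
    echo "Key Usage extension lacks Digital Signature"; rc=1
  fi
  return $rc
}

# Constructed sample data in directory $1: one key and CSR, a certificate that
# honours the request (good.pem) and one with a substituted subject and no
# Key Usage extension (rewritten.pem). Self-signing stands in for the CA.
make_samples() {
  printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' > "$1/ku.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/asa.key" -out "$1/asa.csr" \
    -subj '/O=sample.com/CN=asa.samplecompany.com' 2>/dev/null
  openssl x509 -req -in "$1/asa.csr" -signkey "$1/asa.key" -days 1 \
    -extfile "$1/ku.cnf" -out "$1/good.pem" 2>/dev/null
  openssl req -new -key "$1/asa.key" -out "$1/user.csr" -subj '/CN=jdoe' 2>/dev/null
  openssl x509 -req -in "$1/user.csr" -signkey "$1/asa.key" -days 1 \
    -out "$1/rewritten.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_samples "$tmp"
check_issued_cert "$tmp/asa.csr" "$tmp/good.pem" && echo "good.pem: consistent with the CSR"
check_issued_cert "$tmp/asa.csr" "$tmp/rewritten.pem" || echo "rewritten.pem: rejected"
```

Against a real enrollment, pass the CSR generated for the trustpoint and the PEM certificate returned by the CA to `check_issued_cert` before pasting the certificate into the import prompt.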