To install and authenticate the CA certificates associated with a trustpoint, use the crypto ca authenticate
command in global configuration mode.
crypto ca authenticate trustpoint [allow-untrusted-connection] [fingerprint hexvalue] [nointeractive]
Syntax Description
fingerprint | Specifies a hash value consisting of alphanumeric characters that the ASA uses to authenticate the CA certificate. If a fingerprint is provided, the ASA compares it to the computed fingerprint of the CA certificate and accepts the certificate only if the two values match. If there is no fingerprint, the ASA displays the computed fingerprint and asks whether to accept the certificate.
hexvalue | Identifies the hexadecimal value of the fingerprint.
allow-untrusted-connection | Allows the ASA to ignore EST server certificate validation failure. This option is available only for trustpoints that are configured with the EST enrollment protocol.
nointeractive | Obtains the CA certificate for this trustpoint using no interactive mode; intended for use by the device manager only. In this case, if there is no fingerprint, the ASA accepts the certificate without question.
trustpoint | Specifies the trustpoint from which to obtain the CA certificate. The maximum name length is 128 characters.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global Configuration | Yes | Yes | Yes | Yes | —
Command History
Release | Modification
7.0(1) | This command was added.
9.16(1) | The allow-untrusted-connection keyword was introduced to ignore EST server certificate validation failure.
9.23(1) | Support for adding an ACME CA certificate was added.
Usage Guidelines
Use the crypto ca authenticate command to add a CA certificate to a trustpoint in the ASA configuration. When configured, the certificate is considered
trusted.
If the trustpoint is configured for SCEP enrollment, the CA certificate is downloaded through SCEP. If not, the ASA prompts
you to paste the base-64 formatted CA certificate into the terminal.
The allow-untrusted-connection keyword can be used to allow the ASA to ignore server certificate validation failure for EST trustpoints.
The invocations of this command do not become part of the running configuration.
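The fingerprint check described above is the only thing standing between an administrator and a spoofed CA certificate, so it pays to compute the expected value from a copy of the CA certificate obtained out of band and to pin it with the fingerprint keyword rather than relying on nointeractive. The following script is an added example, not Cisco code; it assumes the ASA fingerprint is the MD5 digest of the DER-encoded certificate (16 bytes, matching the four 8-digit groups the ASA prints) and uses a constructed, non-real PEM body only to exercise the parsing path.

```python
import base64
import hashlib
import re

# Constructed sample (base64 of "abc"), not a real certificate: the digest
# does not care whether the DER is valid, so it is enough to exercise the code.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint_of_der(der: bytes) -> str:
    """MD5 over the DER bytes (assumption: the ASA fingerprint is MD5), printed
    in the ASA's four 8-hex-digit groups so it can be compared by eye too."""
    hexdigest = hashlib.md5(der).hexdigest()
    return " ".join(hexdigest[i:i + 8] for i in range(0, 32, 8))


def fingerprint_of_pem(pem: str) -> str:
    return fingerprint_of_der(pem_to_der(pem))


def normalize(fp: str) -> str:
    """Case- and grouping-insensitive form: '0123 4567 ...' equals '01234567...'."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(displayed: str, expected: str) -> bool:
    return normalize(displayed) == normalize(expected)


def authenticate_outcome(displayed_fp: str, expected_fp: str = None, nointeractive: bool = False) -> str:
    """Model of the decision rules in the command description above."""
    if expected_fp is not None:  # fingerprint keyword given: compare, never prompt
        return "accepted" if fingerprints_match(displayed_fp, expected_fp) else "NOT accepted (fingerprint mismatch)"
    if nointeractive:            # no fingerprint and no prompt: accepted without any verification
        return "accepted without verification"
    return "prompt administrator"


def authenticate_command(trustpoint: str, expected_fp: str, nointeractive: bool = False) -> str:
    """Build the command line that pins the CA certificate to a verified fingerprint."""
    grouped = fingerprint_of_der  # reuse the grouping format below
    hexdigest = normalize(expected_fp)
    cmd = f"crypto ca authenticate {trustpoint} fingerprint " + " ".join(hexdigest[i:i + 8] for i in range(0, 32, 8))
    return (cmd + " nointeractive") if nointeractive else cmd
```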
Examples
The following example shows the ASA requesting the certificate of the CA. The CA sends its certificate and the ASA prompts
the administrator to verify the certificate of the CA by checking the CA certificate fingerprint. The ASA administrator should
verify the fingerprint value displayed with a known, correct value. If the fingerprint displayed by the ASA matches the correct
value, you should accept the certificate as valid.
ciscoasa(config)# crypto ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y
#
ciscoasa(config)#
The following example shows the trustpoint tp9 configured for terminal-based (manual) enrollment. The ASA prompts the administrator
to paste the CA certificate into the terminal. After displaying the fingerprint of the certificate, the ASA prompts the administrator
to confirm that the certificate should be retained.
ciscoasa(config)# crypto ca authenticate tp9
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
Certificate has the following attributes:
Fingerprint: 21B598D5 4A81F3E5 0B24D12E 3F89C2E4
% Do you accept this certificate? [yes/no]:
yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
ciscoasa(config)#
Examples
The following example shows successful certificate validation when an EST trustpoint is configured without the allow-untrusted-connection and nointeractive keywords. After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP
TLS Connection to EST server https://est-server.example.com:8443 validated successfully by trust anchor.
INFO: Certificate has the following attributes:
Fingerprint: a76027e8 0518a06c d0710845 b104303d
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
The following example shows successful certificate validation when an EST trustpoint is configured with the nointeractive keyword. After displaying the fingerprint of the certificate, the ASA does not prompt the administrator to confirm that the certificate should be retained:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP nointeractive
TLS Connection to EST server https://est-server.example.com:8443 validated successfully by trust anchor.
INFO: Certificate has the following attributes:
Fingerprint: a76027e8 0518a06c d0710845 b104303d
Trustpoint CA certificate accepted.
The following example shows successful certificate validation when an EST trustpoint is configured with the allow-untrusted-connection keyword. After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP allow-untrusted-connection
TLS Connection to EST server https://est-server.example.com:8443 validated successfully by trust anchor.
INFO: Certificate has the following attributes:
Fingerprint: a76027e8 0518a06c d0710845 b104303d
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
The following example shows successful certificate validation when an EST trustpoint is configured with the allow-untrusted-connection and nointeractive keywords. After displaying the fingerprint of the certificate, the ASA does not prompt the administrator to confirm that the certificate should be retained:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP allow-untrusted-connection nointeractive
TLS Connection to EST server https://est-server.example.com:8443 validated successfully by trust anchor.
INFO: Certificate has the following attributes:
Fingerprint: a76027e8 0518a06c d0710845 b104303d
Trustpoint CA certificate accepted.
The following example shows failed certificate validation when an EST trustpoint is configured without the allow-untrusted-connection and nointeractive keywords. The ASA prompts the administrator to confirm whether the TLS server certificate validation should be bypassed. If it is bypassed, the fingerprint of the certificate is displayed and the ASA prompts the administrator to confirm that the certificate should be retained:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP
TLS Connection to EST server https://est-server.example.com:8443 could not be validated.
Bypass TLS server certificate validation: [yes/no]: yes
INFO: Certificate has the following attributes:
Fingerprint: a76027e8 0518a06c d0710845 b104303d
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
The following example shows failed certificate validation when an EST trustpoint is configured with the nointeractive keyword. Because no fingerprint was supplied and the TLS connection could not be validated, the ASA does not obtain the certificate:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP nointeractive
TLS Connection to EST server https://est-server.example.com:8443 could not be validated.
ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0
asa(config-ca-trustpoint)#
The following example shows failed certificate validation when an EST trustpoint is configured with the allow-untrusted-connection keyword. The ASA bypasses the TLS server certificate validation. After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP allow-untrusted-connection
TLS Connection to EST server https://est-server.example.com:8443 could not be validated.
INFO: Certificate has the following attributes:
Fingerprint: a76027e8 0518a06c d0710845 b104303d
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
The following example shows failed certificate validation when an EST trustpoint is configured with the allow-untrusted-connection and nointeractive keywords. The ASA bypasses the TLS server certificate validation. After displaying the fingerprint of the certificate, the ASA does not prompt the administrator to confirm that the certificate should be retained:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP allow-untrusted-connection nointeractive
TLS Connection to EST server https://est-server.example.com:8443 could not be validated.
INFO: Certificate has the following attributes:
Fingerprint: a76027e8 0518a06c d0710845 b104303d
Trustpoint CA certificate accepted.
The following example shows failed certificate validation when the fingerprint supplied with the fingerprint keyword does not match the computed fingerprint of the CA certificate:
asa(config-ca-trustpoint)# crypto ca authenticate EST_TP fingerprint 87654321 1212121212 11111111 12345678
INFO: Certificate has the following attributes:
Fingerprint: a76027e8 0518a06c d0710845 b104303d
Fingerprint mismatch
Trustpoint CA certificate NOT accepted.
Examples
The following example shows how to use the crypto ca authenticate command to add an ACME CA certificate to a trustpoint. This command is optional when trust is already established for the signing path of the certificate to be issued.
ciscoasa(config)# crypto ca authenticate my_acme_tp
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<----snipped--->
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: 7e589f83 386c48fa 740bcfeb b7643dba
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Ciscoasa(config)#