Ask a Question

Generate a trustpoint on a CISCO ASA 5520


Generate a trustpoint on a CISCO ASA 5520


Before you can install a SSL certificate you need to configure a trustpoint, please perform the following steps:

Step 1: Create a trustpoint corresponding to the CA from which the security appliance needs to receive its certificate

hostname/contexta(config)# crypto ca trustpoint trustpoint


For example, to declare a trustpoint called Main:

hostname/contexta(config)# crypto ca trustpoint Main


Note: Upon entering this command, you enter the Crypto ca trustpoint configuration mode.


Step 2: Specify the enrollment method to be used with this trustpoint

To specify the enrollment method, do one of the following items:

To specify SCEP enrollment, use the enrollment url command to configure the URL to be used for SCEP enrollment with the trustpoint you declared. For example, if the security appliance requests certificates from trustpoint Main using the URL, then the command would be as follows:

hostname/contexta(config-ca-trustpoint)# enrollment url

To specify manual enrollment, use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal.


Step 3: Specify other characteristics for the trustpoint 

The characteristics you need to define depend upon your CA and its configuration. You can specify characteristics for the trustpoint using the following commands. Refer to the Cisco Security Appliance Command Reference for complete descriptions and usage guidelines of these commands.

crl required | optional | nocheck

Specifies CRL configuration options. When you enter the crl command with the optional keyword included within the command statement, certificates from peers can still be accepted by your security appliance even if the CRL is not accessible to your security appliance.


Step 4: Save the trustpoint configuration

To do so, save the running configuration by entering the write memory command.

Please see the following solution to install your certificate onto your CISCO ASA 5520: SO5089

Note: If you chose to enable required or optional CRL checking, be sure you configure the trustpoint for CRL managemen2t, which should be completed after you have obtained 

certificates. For details about configuring CRL management for a trustpoint, see the:

crl configure

Enters CRL configuration mode.

default enrollment

Returns all enrollment parameters to their system default values. Invocations of this command do not become part of the active configuration.

enrollment retry period (Optional) Specifies a retry period in minutes. This characteristic only applies if you are using SCEP enrollment.

enrollment retry count (Optional) Specifies a maximum number of permitted retries. This characteristic only applies if you are using SCEP enrollment.

enrollment terminal Specifies cut and paste enrollment with this trustpoint.

enrollment url URL Specifies automatic enrollment (SCEP) to enroll with this trustpoint and configures the enrollment URL.

fqdn fqdn During enrollment, asks the CA to include the specified fully qualified domain name in the Subject Alternative Name extension of the certificate.

email address During enrollment, asks the CA to include the specified email address in the Subject Alternative Name extension of the certificate.

subject-name X.500 name During enrollment, asks the CA to include the specified subject DN in the certificate.

serial-number Provided in the certificate.

ip-address ip-address During enrollment, asks the CA to include the IP address of the security appliance in the certificate.

password string Specifies a challenge phrase that is registered with the CA during enrollment. The CA typically uses this phrase to authenticate a subsequent revocation request.

keypair name Specifies the key pair whose public key is to be certified.

id-cert-issuer Indicates whether the system accepts peer certificates issued by the CA associated with this trustpoint.

accept-subordinates Indicates whether CA certificates subordinate to the CA associated with the trustpoint are accepted if delivered during phase one IKE exchange when not previously installed on the device.

support-user-cert-validation If enabled, the configuration settings to validate a remote user certificate can be taken from this trustpoint, provided that this trustpoint is authenticated to the CA that issued the remote certificate.

exit Leaves the mode.