No SSL trust-points configured

james.king14
Level 1

Working on VPN and we are getting errors stating no TP found. Did a sh ssl / sh run ssl and got weird information back, but I need help understanding TPs.

2 Accepted Solutions

pjain2
Cisco Employee

These logs are expected, as you do not have the root cert to verify the certs that the client is sending:

CRYPTO_PKI: Verifying certificate with serial number: 039F, subject name: cn=DOD EMAIL CA-31,ou=PKI,ou=DoD,o=U.S. Government,c=US, issuer_name: cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US, signature alg: SHA1/RSA.

CRYPTO_PKI(Cert Lookup) issuer="cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US" serial number=03 9f

CRYPTO_PKI: No suitable TP status.

For example, make sure you have the root cert issued for: "cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US"

Once you have configured the trustpoint, you need to bind it to the interface as well:
ssl trustpoint <name> <interface name>

Also, there are LDAP errors:
[58] Simple authentication for admin12 returned code (49) Invalid credentials [58] Failed to bind as administrator returned code (-1) Can't contact LDAP server

This means that the ASA is not able to bind to the LDAP server using the admin account; can you check the login password for the LDAP server in the ASA's config?

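As an added example (not code from the thread or from Cisco), this Python script pulls the issuer DNs out of the CRYPTO_PKI lines quoted above and compares them against the CA subjects already held in trustpoints, so the root that still needs to be imported shows up by name; it also parses the LDAP bind errors. The installed-subject set and the extra sample log lines are constructed for the example.

```python
import re

# Constructed sample ASA log output: the CRYPTO_PKI lines quoted in the thread
# plus one constructed chain whose root is already installed.
SAMPLE_PKI_LOG = """\
CRYPTO_PKI: Verifying certificate with serial number: 039F, subject name: cn=DOD EMAIL CA-31,ou=PKI,ou=DoD,o=U.S. Government,c=US, issuer_name: cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US, signature alg: SHA1/RSA.
CRYPTO_PKI: No suitable TP status.
CRYPTO_PKI: Verifying certificate with serial number: 1A2B, subject name: cn=Example Issuing CA,o=Example,c=US, issuer_name: cn=Example Root CA,o=Example,c=US, signature alg: SHA256/RSA.
"""

# The LDAP line as quoted in the thread (two events on one line).
SAMPLE_LDAP_LOG = ("[58] Simple authentication for admin12 returned code (49) Invalid credentials "
                   "[58] Failed to bind as administrator returned code (-1) Can't contact LDAP server")

# Hypothetical: subject DNs of CA certificates already held in trustpoints
# (what 'show crypto ca certificates' would list on the ASA).
INSTALLED_CA_SUBJECTS = {"cn=Example Root CA,o=Example,c=US"}

VERIFY_RE = re.compile(
    r"Verifying certificate with serial number: (?P<serial>[0-9A-Fa-f]+), "
    r"subject name: (?P<subject>.+?), issuer_name: (?P<issuer>.+?), "
    r"signature alg: (?P<alg>\S+)\.")
LDAP_RE = re.compile(r"\[(?P<session>\d+)\] (?P<msg>.+?) returned code \((?P<code>-?\d+)\)")

def parse_verify_events(log_text):
    """Serial, subject, issuer and signature algorithm from every 'Verifying certificate' line."""
    events = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def missing_issuers(log_text, installed_subjects):
    """Issuer DNs the ASA tried to chain to that no trustpoint holds: the certs to import.
    DN comparison is case-insensitive because attribute types and values vary in case."""
    have = {s.lower() for s in installed_subjects}
    return sorted({e["issuer"] for e in parse_verify_events(log_text) if e["issuer"].lower() not in have})

def weak_signature_chains(log_text):
    """Subjects whose certificate is signed with SHA-1, worth flagging during the same review."""
    return [e["subject"] for e in parse_verify_events(log_text) if e["alg"].upper().startswith("SHA1")]

def ldap_bind_failures(log_text):
    """(result code, message) pairs; 49 is LDAP invalidCredentials (RFC 4511)."""
    return [(int(m["code"]), m["msg"]) for m in LDAP_RE.finditer(log_text)]

if __name__ == "__main__":
    for dn in missing_issuers(SAMPLE_PKI_LOG, INSTALLED_CA_SUBJECTS):
        print("import CA cert with subject:", dn)
    for code, msg in ldap_bind_failures(SAMPLE_LDAP_LOG):
        print(f"LDAP {code}: {msg}")
```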

rvarelac
Level 7

Hi James, 

Basically, a trustpoint is where the certificate is stored on the ASA.

The log you are getting:

No SSL trust-points configured

is because you don't have any trustpoint active for the SSL configuration. In order to enable the certificate for SSL you need to add the following command:

ssl trustpoint <TP_name> <interface_name>

E.g.:

ssl trustpoint My_TP outside

Hope it helps.

-Randy-


8 Replies

Thank you guys for the quick response on this issue.

I did change the password for the LDAP user, thanks.

I tried the command and got a new error: "(config)# ssl trust-p ASDM_TrustPoint1 outside
ERROR: Trustpoint not enrolled. Please enroll trustpoint and try again." I am not sure what to check next; we are trying to get a CA from DoD or Verisign.

Looking at other discussions on the support page, this happens when you create your CA on a Domain Controller and the "Domain Controllers" security group is missing from the "CERTSVC_DCOM_ACCESS" Domain Local Security Group. Yes, I did create the CA with a DC, which is my TP1. Does this way of creating a CA cause a lot of issues?

Hi James, 

The certificate applied to the SSL trustpoint needs to be an identity certificate, not a CA certificate.

-Randy-

Thank you Randy,

That was very helpful! I finally got it to work... WHEW!

I have but one more question: I am getting a separate error that comes up for certain users.

CRYPTO_PKI: No Tunnel Group Match for peer certificate.

Hi @rvarelac, a few weeks ago I had an issue on several ASA firewalls. The monitoring system was sending alarms regarding the SSL sensor certificate: "Warning due to lookup value 'No' in channel 'Trusted root certification authority' - Warning due to lookup value 'Unable to check revocation status' in channel 'Revoked' (OK. Certificate Common Name:
CN=ASA Temporary Self Signed Certificate - Certificate Thumbprint:
0CEF476C7716448BAAA913123967E828203FFE86)"

On CSM, I noticed the trustpoint interface was missing and I added it. The warning then disappeared only on some of the ASAs. They all have the trustpoint interface enabled.

Any clue?


MJ666
Level 1

Hi Randy,
I'm using an ASA 5516. When I do sh run, I can't find any line with "no ssl trust-point <TP_name> <int_name>".
Is there anything wrong?
When I do sh crypto ca certif I get all the information.

Could you help?