Cisco Bug: CSCuw33918 - ASA PKI ECDSA Pending terminal enrollment even though cert enrolled

Last Modified

Jun 28, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.4(1) 9.5(1)

Description (partial)

Symptom:
After the signed identity certificate is imported, "show crypto ca certificates" lists the new certificate with "Status: Available", but the trustpoint still carries a second entry with "Status: Pending terminal enrollment":

show crypto ca certificates

Certificate
  Status: Available
  Certificate Serial Number: 04
  Certificate Usage: Signature
  Public Key Type: ECDSA (384 bits)
  Signature Algorithm: SHA384 with ECDSA Encryption
  Issuer Name: 
    cn=SUB-ECDSA-384
    dc=lab
    dc=local
  Subject Name:
    cn=ASA
    dc=lab
    dc=local
  Validity Date: 
    start date: 14:13:00 CEST Sep 21 2015
    end   date: 14:13:00 CEST Sep 21 2016
  Associated Trustpoints: ASA-ecdsa 

...

Certificate
  Subject Name:
    Name: ASA.lab.local
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  38cfe9e2 cc1c8948 95428e3f 78044b8f 
  Associated Trustpoint: ASA-ecdsa 


Only a reload removes the stale "Pending terminal enrollment" entry.

This is a cosmetic defect: the imported identity certificate is present and shown as "Status: Available"; only the leftover pending-enrollment record is wrong.
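Because the same trustpoint shows both an "Available" identity certificate and a "Pending terminal enrollment" entry, the quick operational check is to parse "show crypto ca certificates" per trustpoint and distinguish this cosmetic leftover from an enrollment that really is still waiting for its signed certificate. The parser below is an added example for this bug report, not Cisco code; its sample input is constructed from the two certificate blocks quoted above (the elided "..." blocks are dropped), and the field names it matches ("Status", "Public Key Type", "Subject Name", "Associated Trustpoint(s)") are the ones visible in that output.

```python
"""Tell the cosmetic stale 'Pending terminal enrollment' entry apart from a
genuinely unfinished enrollment by parsing 'show crypto ca certificates'."""
from collections import defaultdict

# Constructed sample: the two certificate blocks quoted in the bug report,
# with the elided ("...") blocks between them dropped.
SAMPLE = """\
Certificate
  Status: Available
  Certificate Serial Number: 04
  Certificate Usage: Signature
  Public Key Type: ECDSA (384 bits)
  Signature Algorithm: SHA384 with ECDSA Encryption
  Issuer Name:
    cn=SUB-ECDSA-384
    dc=lab
    dc=local
  Subject Name:
    cn=ASA
    dc=lab
    dc=local
  Validity Date:
    start date: 14:13:00 CEST Sep 21 2015
    end   date: 14:13:00 CEST Sep 21 2016
  Associated Trustpoints: ASA-ecdsa

Certificate
  Subject Name:
    Name: ASA.lab.local
  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  38cfe9e2 cc1c8948 95428e3f 78044b8f
  Associated Trustpoint: ASA-ecdsa
"""


def parse_certificates(output):
    """Split CLI output into blocks. Each block is a dict: 'kind' holds the
    unindented header ('Certificate', 'CA Certificate'), two-space-indented
    'Field: value' lines become entries, and deeper-indented lines are
    collected as a list under the preceding field (Subject Name, Validity Date)."""
    blocks, current, last_key = [], None, None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            current = {"kind": line.strip()}
            blocks.append(current)
            last_key = None
        elif current is None:
            continue  # text before the first block header
        elif indent == 2:
            key, _, value = line.strip().partition(":")
            last_key = key.strip()
            current[last_key] = value.strip() or []
        elif last_key is not None:
            if not isinstance(current[last_key], list):
                current[last_key] = [current[last_key]]
            current[last_key].append(line.strip())
    return blocks


def trustpoints_of(block):
    """The ASA prints 'Associated Trustpoints:' (plural, space-separated) for
    imported certificates and 'Associated Trustpoint:' for pending entries."""
    for key in ("Associated Trustpoints", "Associated Trustpoint"):
        value = block.get(key)
        if isinstance(value, str):
            return value.split()
    return []


def classify_trustpoints(output):
    """Return {trustpoint: {'verdict', 'key_type', 'subject'}}.
    stale-pending: an Available identity certificate coexists with a
                   'Pending terminal enrollment' entry; the import worked and
                   only the leftover record is wrong (this bug).
    pending:       no identity certificate yet; the signed certificate still
                   has to be imported.
    available:     normal state after a completed enrollment."""
    groups = defaultdict(list)
    for block in parse_certificates(output):
        for tp in trustpoints_of(block):
            groups[tp].append(block)
    result = {}
    for tp, blocks in groups.items():
        identity = [b for b in blocks
                    if b["kind"] == "Certificate" and b.get("Status") == "Available"]
        pending = [b for b in blocks
                   if b.get("Status") == "Pending terminal enrollment"]
        if identity and pending:
            verdict = "stale-pending"
        elif pending:
            verdict = "pending"
        elif identity:
            verdict = "available"
        else:
            verdict = "no-identity-cert"
        shown = identity[0] if identity else (pending[0] if pending else blocks[0])
        subject = shown.get("Subject Name", "")
        result[tp] = {
            "verdict": verdict,
            "key_type": identity[0].get("Public Key Type") if identity else None,
            "subject": ",".join(subject) if isinstance(subject, list) else subject,
        }
    return result


if __name__ == "__main__":
    for tp, info in classify_trustpoints(SAMPLE).items():
        print(f"{tp}: {info['verdict']} ({info['key_type']}, {info['subject']})")
```

On the report's output this yields "stale-pending" for ASA-ecdsa with key type "ECDSA (384 bits)", i.e. the certificate is in place and the pending entry can be ignored until the next reload; a trustpoint that only ever produces "pending" still needs its signed certificate imported with "crypto ca import <trustpoint> certificate".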

Conditions:
Root CA with an RSA key
Sub-CA with an ECDSA key
Identity certificate with an ECDSA key

The identity certificate and the sub-CA certificate are held in one trustpoint.

E.g.:

1. The root CA trustpoint is created and authenticated with the root CA certificate.
2. The identity trustpoint is created and authenticated with the sub-CA certificate.
3. An enrollment request is generated for the identity trustpoint (terminal enrollment).
4. The signed identity certificate is imported into the identity trustpoint.