Cisco ASA 5540 Adaptive Security Appliance Troubleshooting Guide

However, in the previous syslogs, the ASA indicates that it gets a certificate from the Smart
Software Licensing Portal signed by an intermediate called "cn=Symantec Class 3 Secure Server
CA - G4".
Note: The subject names are similar, but have two differences: Verisign vs. Symantec at the
beginning and G3 vs. G4 at the end.
Solution
The ASAv needs to download a trustpool that contains the proper intermediate and/or root
certificates in order to validate the chain.
In Version 9.5.2 and later, the ASAv has the trustpool configured to auto-import at 10:00 PM
device local time:
ASAv# sh run crypto ca trustpool
crypto ca trustpool policy
auto-import
ASAv# sh run all crypto ca trustpool
crypto ca trustpool policy
revocation-check none
crl cache-time 60
crl enforcenextupdate
auto-import
auto-import url http://www.cisco.com/security/pki/trs/ios_core.p7b
auto-import time 22:00:00
If this is an initial installation, and Domain Name System (DNS) lookups and Internet connectivity
were not yet available at that time, then the auto-import did not succeed and needs to be
completed manually.
On older versions, such as 9.4.x, the trustpool auto-import is not configured on the device and
needs to be imported manually.
On any version, this command imports the trustpool and relevant certificates:
ASAv# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
Root file signature verified.
You are about to update the current trusted certificate pool
with the 17145 byte file at http://www.cisco.com/security/pki/trs/ios_core.p7b
Do you want to continue? (y/n)
Trustpool import:
   attempted:  14
   installed:  14
   duplicates: 0
   expired:    0
   failed:     0
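The following Python check is an added example, not part of the Cisco guide or of any Cisco tooling: it parses the import transcript shown above and flags an import that did not run, certificates that failed, or an empty result. The function names are hypothetical, and the rule that the outcome counters add up to "attempted" is an assumption based on the output above.

```python
import re

# Output of the manual import command, copied from this page.
SAMPLE_IMPORT = """\
ASAv# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
Root file signature verified.
You are about to update the current trusted certificate pool
with the 17145 byte file at http://www.cisco.com/security/pki/trs/ios_core.p7b
Do you want to continue? (y/n)
Trustpool import:
   attempted:  14
   installed:  14
   duplicates: 0
   expired:    0
   failed:     0
"""

COUNTERS = ("attempted", "installed", "duplicates", "expired", "failed")

def parse_import_summary(transcript):
    """Return the counters of the 'Trustpool import:' block, or None if absent."""
    _, marker, tail = transcript.partition("Trustpool import:")
    if not marker:
        return None
    found = dict(re.findall(r"^[ \t]*(\w+):[ \t]+(\d+)[ \t]*$", tail, re.MULTILINE))
    if any(name not in found for name in COUNTERS):
        return None
    return {name: int(found[name]) for name in COUNTERS}

def check_import(transcript):
    """Return a list of problems; an empty list means the import looks healthy."""
    problems = []
    if "Root file signature verified." not in transcript:
        problems.append("bundle signature was not reported as verified")
    summary = parse_import_summary(transcript)
    if summary is None:
        # Typical when DNS or Internet access was not up and nothing was fetched.
        return problems + ["no complete import summary"]
    # Assumption: every attempted certificate lands in exactly one outcome counter.
    if sum(summary[k] for k in COUNTERS[1:]) != summary["attempted"]:
        problems.append("counters do not add up to 'attempted'")
    if summary["failed"]:
        problems.append(f"{summary['failed']} certificate(s) failed to import")
    if summary["installed"] + summary["duplicates"] == 0:
        problems.append("no usable certificates in the bundle")
    return problems

if __name__ == "__main__":
    print(check_import(SAMPLE_IMPORT) or "trustpool import OK")
```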
Verify
Once the trustpool is imported either by the manual command, or by waiting until after 10:00 PM
local time, this command verifies that there are installed certificates in the trustpool:
ASAv# show crypto ca trustpool policy
14 trustpool certificates installed
Trustpool auto import statistics: