Problem
When attempting to register a Cisco ASA via smart licensing, the following messages are displayed and, as a result, licensing fails:
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 40016EFB0A205CFAEBE18F71D73ABB78, subject name: cn=HydrantID Server CA O1,ou=HydrantID Trusted Certificate Service,o=IdenTrust,c=US, issuer name: cn=IdenTrust Commercial Root CA 1,o=IdenTrust,c=US .
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 40017E745D7448BB2EF502BD06330058, subject name: c=US,st=California,l=San Jose,o=Cisco Systems Inc.,cn=tools.cisco.com.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
%ASA-7-725014: SSL lib error. Function: ssl3_get_server_certificate Reason: certificate verify failed
%ASA-4-120006: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService failed. Reason: CONNECT_FAILED
%ASA-4-120005: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService was dropped. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-AGENT_REG_FAILED:Smart Agent for Licensing Registration with Cisco licensing cloud failed: Communication message send error
%ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with Cisco licensing cloud: Communication message send error
Root Cause
As per documentation, Cisco's web servers were migrated to use a different root CA, so the trusted certificates already on the device cannot validate the new certificate chain.
Solution
Enter the following command to import the relevant certificates required to connect to the licensing portal and complete the license registration.
crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
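To confirm from collected syslog that a licensing failure is this trust problem and not a plain connectivity fault, the messages above can be correlated. The following is an added example, not part of the original page: the function name `triage` is hypothetical, the regular expressions assume the message layout shown in the Problem section, and the sample lines are the page's own messages.

```python
import re

# Sample input: four of this page's messages, embedded so the script runs offline.
SAMPLE_LOG = """\
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 40016EFB0A205CFAEBE18F71D73ABB78, subject name: cn=HydrantID Server CA O1,ou=HydrantID Trusted Certificate Service,o=IdenTrust,c=US, issuer name: cn=IdenTrust Commercial Root CA 1,o=IdenTrust,c=US .
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
%ASA-4-120006: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService failed. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-AGENT_REG_FAILED:Smart Agent for Licensing Registration with Cisco licensing cloud failed: Communication message send error
"""

# Severity digit, six-digit message ID, then the message body.
MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
# Layout of the 717009 body as it appears on this page (assumed stable).
UNTRUSTED_RE = re.compile(
    r"No suitable trustpoints found to validate certificate serial number: "
    r"(?P<serial>[0-9A-Fa-f]+), subject name: (?P<subject>.+?), "
    r"issuer name: (?P<issuer>.+?)\s*\.?$"
)

def triage(log_text):
    """Report which issuers the ASA could not validate and whether
    Smart Licensing failed in the same log."""
    missing, chain_failed, callhome_failed, reg_failed = [], False, False, False
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m.group(2), m.group(3)
        if msg_id == "717009":
            u = UNTRUSTED_RE.search(body)
            if u:
                missing.append(u.groupdict())
        elif msg_id == "717027":
            chain_failed = True
        elif msg_id in ("120005", "120006") and "CONNECT_FAILED" in body:
            callhome_failed = True
        elif msg_id == "444303" and "SMART_LIC" in body:
            reg_failed = True
    return {
        # The issuer names identify the CA chain absent from the trustpool.
        "missing_issuers": sorted({c["issuer"] for c in missing}),
        "unvalidated_certs": missing,
        "trust_failure_blocks_licensing":
            bool(missing) and chain_failed and (callhome_failed or reg_failed),
    }
```

A CONNECT_FAILED message with no accompanying 717009/717027 pair returns `trust_failure_blocks_licensing` as false, which points at routing, DNS or proxy issues instead of the trustpool.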