Hi,
I am getting certificate validation error when connecting anyconnect
Below is the information .
I have root ca and sub ca (microsoft internal ) ,
So i added both certificates under device management ->ca certificates (Two differnect trust points )
ROOT-CA
sh crypto ca certificates CA Certificate Status: Available Certificate Serial Number: 29axxxxxxxxxxxxxxxxx Certificate Usage: Signature Public Key Type: RSA (2048 bits) Signature Algorithm: SHA1 with RSA Encryption Issuer Name: cn=RootCa dc=testdom dc=local Subject Name: cn=RootCa dc=testdom dc=local Validity Date: start date: 15:35:11 UTC Dec 24 2008 end date: 15:29:35 UTC Jan 15 2019 Associated Trustpoints: ASDM_TrustPoint3------------------------------ROOT-CA
IDENTITY CERTIFICATE
The best interactive map for Conan Exiles out there. Contribute to the project. Join the conversation. The CEMap Discord has areas to hangout and chat, report locations to add to the map, and talk to the developers. Our project is public on Github. Feel free to contribute to the project, make suggestions. Conan exiles best base locations 2019. Best Base Locations in Conan Exiles Below The Cursed Way. This locations is a great starting one. Located at the base of The Cursed Way structure, you need to climb over rocks to access it. What’s good about this location is that no one thinks to check to see if a base is there.
Certificate
Status: Available Certificate Serial Number: 1bxxxxxxxxxxxxxxxxx Certificate Usage: General Purpose Public Key Type: RSA (2048 bits) Signature Algorithm: SHA512 with RSA Encryption Issuer Name: cn=testdom-INTCA dc=testdom dc=local Subject Name: cn=testdom-Internet-FW CRL Distribution Points: [1] ldap:///CN=testdom-INTCA,CN=CERSRV,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdom,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint [2] http://CERSRV.testdom.local/CertEnroll/testdom-INTCA.crl Validity Date: start date: 11:33:48 UTC Apr 18 2017 end date: 15:29:35 UTC Jan 15 2019 Associated Trustpoints: ASDM_TrustPoint2------identity certificate
-SUBORDINATE CA
CA Certificate Status: Available Certificate Serial Number: 1bxxxxxxxxxxxxxxxxx Certificate Usage: Signature Public Key Type: RSA (2048 bits) Signature Algorithm: SHA1 with RSA Encryption Issuer Name: cn=RootCa dc=testdom dc=local Subject Name: cn=testdom-INTCA dc=testdom dc=local CRL Distribution Points: [1] ldap:///CN=RootCa,CN=AD02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdom,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint Validity Date: start date: 16:04:06 UTC Jan 30 2017 end date: 15:29:35 UTC Jan 15 2019 Associated Trustpoints: ASDM_TrustPoint1-------------------SUBORDINATE CA
IDENTITY CERTIFICAT'S EKU set to Server Authentication (1.3.6.1.5.5.7.3.1)
and the user certificate eku set to client authentication
show crypto ca trustpoints
Trustpoint _SmartCallHome_ServerCA:
Not authenticated. Trustpoint ASDM_TrustPoint0: Not authenticated. Trustpoint ASDM_TrustPoint1: Subject Name: cn=testdom-INTCA dc=testdom dc=local Serial Number: 15xxxxxxxxxxxxxxxxxxx Certificate configured. Trustpoint ASDM_TrustPoint2: Not authenticated. (Q. Why it is not authenticated ? )
Trustpoint ASDM_TrustPoint3:
Subject Name: cn=RootCa dc=testdom dc=local Serial Number: 29xxxxxxxxxxxxxxxx Certificate configured.
tunnel-group test webvpn-attributes
authentication aaa certificate
I have split domain testdom.local and testdom.com
so the user principal name is [email protected] (not [email protected] ) the certificate cn is [email protected]
Thanks
I have remote VPN set up on ASA 5505 9.0(1), device manager 7.0.(2).
Client authentication is set up on certificates only, smart card based.
The ASA has been installed both the root CA and intermediate CA certificates. Client cert, interme cert and root cert are all in chain.
However dialing the VPN a client gets an error on Anyconnect: Certificate Validation Failure. Scale of the nine hells neverwinter game.
Certificate Validation Error Cisco Anyconnect Mac
ASDM validates the intermediate CA cert, but fails at validating the client cert:
PIC http://www.upload.ee/image/2886875/asdmlogfail.gif
Note that where the error occurs- on a successful authentication, instead of the error there would be a record about the Clients certificate's credentials (when not authenticating with a smart card).
Looking at the ASA debugging everything goes smooth until a weird error pops:
CRYPTO_PKI(make trustedCerts list)
Eset nod32 antivirus 9 license key 2019 trial. CRYPTO_PKI: Found suitable tpCRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Failed, status: 1823CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1823
Certificate Validation Failure Cisco Anyconnect Password
CRYPTO_PKI: PKI Verify Certificate error. No trust point found.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate not validated
Certificate Validation Failure Cisco Anyconnect 4.4
CRYPTO_PKI: Invalid cert.
error 1823 doesnt take me anywhere on google. CRL checking is disabled, all certs are valid. If you need to see a full log then i can give it.
thanks!
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |