I have configured MS CA and I set up the VPN client and ASA 7.0 to build a tunnel with certificates.
The same configuration does not work with ASA 8.0; I get this error:
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint CA1.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve
revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 250F3ECE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=
CRYPTO_PKI: Certificate not validated
Why is the key usage invalid? What certificate template must be used in MS CA in order to get a regular key usage?
The CA enrollment is terminal.
The cert needs to have the Digital Signature key usage set.
Not sure what templates are available on MS CA, but it should be something like "Ipsec user" I suppose.
To make ASA 8 behave the same as ASA 7 (i.e. disable the check on the cert's key usage), configure:
crypto ca trustpoint