Certificates for IPSEC vpn clients in ASA 8.0

Mar 11th, 2008

Hello!


I have configured an MS CA, and I set up the VPN client and ASA 7.0 to build the tunnel with certificates.

The same configuration does not work with ASA 8.0; I get this error:


CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint CA1.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage (40)
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 250F3ECE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=xx
CRYPTO_PKI: Certificate not validated



Why is the key usage invalid? What certificate template must be used in the MS CA in order to get a regular key usage?

The CA enrollment is terminal.


THANKS!



Correct Answer
Herbert Baerten Wed, 03/12/2008 - 15:27
Cisco Employee

The cert needs to have the Digital Signature key usage set.

Not sure what templates are available on MS CA, but it should be something like "Ipsec user" I suppose.


To make ASA 8 behave the same as ASA 7 (i.e. disable the check on the cert's key usage), configure:


crypto ca trustpoint <trustpoint-name>
 ignore-ipsec-keyusage


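The debug output in the question ("check_key_usage: Incorrect KeyUsage") and the answer above come down to one thing: ASA 8 looks at the peer certificate's KeyUsage extension and wants the digitalSignature bit set. The following is an added example (not Cisco's code and not from this thread) that decodes a DER-encoded KeyUsage extension the way RFC 5280 defines it and applies that rule, so an administrator can check a client certificate's key usage before it ever reaches the firewall instead of turning the check off. The two extension encodings at the bottom are constructed inline for the example; the bit names and OID 2.5.29.15 are from RFC 5280, and the "digitalSignature required" rule is the one stated in the answer.

```python
"""Decode an X.509 KeyUsage extension (DER) and apply the ASA 8 key-usage rule.

Added example; the DER samples below are constructed, not taken from a real CA.
"""

KEY_USAGE_OID = "2.5.29.15"  # id-ce-keyUsage, RFC 5280 section 4.2.1.3

# KeyUsage bit positions per RFC 5280. Bit 0 is the most significant bit of the
# first content byte of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def read_tlv(data, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:end], end


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form, e.g. '2.5.29.15'."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage_bits(bitstring_value):
    """Turn BIT STRING content (first byte = unused-bit count) into a set of usage names."""
    unused = bitstring_value[0]
    bits = bitstring_value[1:]
    total_bits = len(bits) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(name)
    return names


def parse_key_usage_extension(ext_der):
    """Parse Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }.

    Returns (critical, set_of_usage_names).
    """
    tag, body, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid_bytes) != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional critical BOOLEAN
        critical = val == b"\xff"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, bs, _ = read_tlv(val)  # extnValue wraps the KeyUsage BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    return critical, decode_key_usage_bits(bs)


def ipsec_key_usage_ok(usages):
    """The rule from the answer: ASA 8 accepts the peer cert only if digitalSignature is set."""
    return "digitalSignature" in usages


# Constructed sample 1: critical KeyUsage = digitalSignature + keyEncipherment (0xA0, 5 unused bits).
EXT_SIGN_AND_ENCIPHER = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
# Constructed sample 2: non-critical KeyUsage = keyEncipherment only (0x20) -> fails the ASA 8 check.
EXT_ENCIPHER_ONLY = bytes.fromhex("300b0603551d0f040403020520")

if __name__ == "__main__":
    for label, ext in (("sign+encipher", EXT_SIGN_AND_ENCIPHER), ("encipher only", EXT_ENCIPHER_ONLY)):
        critical, usages = parse_key_usage_extension(ext)
        print(f"{label}: critical={critical} usages={sorted(usages)} asa8_ok={ipsec_key_usage_ok(usages)}")
```

To check a real certificate, pull the KeyUsage extension's DER out of it (any ASN.1 dumper will show the SEQUENCE starting with OID 2.5.29.15) and pass those bytes to `parse_key_usage_extension`; a result without `digitalSignature` is exactly the case that produces the "Peer certificate key usage is invalid" error above, and the fix is to reissue from a template that sets that bit rather than to add `ignore-ipsec-keyusage`.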

fisko Thu, 03/13/2008 - 00:45

THANKS!

It is working with these options!

I also found that the "USER" certificate template in the MS CA is correct when ipsec-keyusage is turned on!

THANKS!

sam mackenzie Thu, 02/09/2012 - 05:59

Fantastic, fixed my issue with an upgrade and MS CA also.
Thanks a lot!

Sam    
