I've got an authgroup set up to authenticate Client Certs in inbound SSL connections. Initially the authgroup had one CA certificate from each of our RSA and MSFT CAs and all was well. Well, for some reason the MSFT admin reissued his CA cert and started signing new clients. Once they noticed the new certs didn't work through the ACE, they asked me to upload the new MSFT CA cert. So I did and added it to the authgroup. However, new Client Certs still didn't work. I noticed the authgroup listed the new MSFT CA Cert last, so I temporarily removed the older MSFT CA Cert from the authgroup and then the new Client certs validate. But if I put the older MSFT CA Cert back in the authgroup (as it's still required) it goes back ahead of the newer one and the new Client Certs start failing again. So it seems like the fact that the two MSFT CA Certs have the same Subject might be fouling up the authentication, with the search through the authgroup possibly terminating at the first Subject match.
Anyone know if this is the case and if there's a way around it?
I'm running A2(3.6a) on an ACE20 in a 6500 whose sup is running 12.2(33) SXI11.
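The failure mode the post suspects can be reproduced outside the ACE. The following is an added example, not code from the original post or from Cisco: it builds two self-signed CA certificates that share a Subject but have different keys (an "old" and a "reissued" MSFT CA), issues a client cert from the reissued one, and then compares a naive issuer lookup that stops at the first Subject match against a lookup that also checks the client's Authority Key Identifier against each CA's Subject Key Identifier and confirms the signature. Whether the ACE really does a first-Subject-match search is the post's hypothesis, not a documented fact; the CA name, serials and client CN are constructed, and the code assumes the `cryptography` package is installed.

```python
"""Two CA certs with the same Subject: naive first-Subject-match issuer lookup
picks the wrong CA, AKID/SKID plus signature check picks the right one.
All keys and certificates below are generated in memory (constructed data)."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

# Constructed CA name shared by the old and the reissued CA certificate.
CA_SUBJECT = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example MSFT Issuing CA")])


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=365)


def make_ca(serial):
    """Self-signed CA with the shared Subject; each call gets a fresh key pair."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nb, na = _validity()
    cert = (x509.CertificateBuilder()
            .subject_name(CA_SUBJECT).issuer_name(CA_SUBJECT)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(nb).not_valid_after(na)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_client(ca_key, ca_cert, cn):
    """Client certificate signed by ca_key, carrying an AKID that names ca_cert's SKID."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nb, na = _validity()
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nb).not_valid_after(na)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))


def signed_by(cert, ca_cert):
    """True if ca_cert's public key verifies cert's signature."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def find_issuer_first_subject_match(cert, authgroup):
    """Naive lookup: first CA whose Subject equals the client's Issuer wins."""
    for ca in authgroup:
        if ca.subject == cert.issuer:
            return ca
    return None


def find_issuer_by_akid(cert, authgroup):
    """Robust lookup: Subject must match, then AKID must equal the CA's SKID,
    then the signature must verify. Keeps going past same-Subject decoys."""
    akid_ext = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    akid = akid_ext.key_identifier
    for ca in authgroup:
        if ca.subject != cert.issuer:
            continue
        ski = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        if akid is not None and ski == akid and signed_by(cert, ca):
            return ca
    return None


def demo():
    """Authgroup ordered as in the post: old MSFT CA cert first, reissued one last."""
    _old_key, old_ca = make_ca(1000)
    new_key, new_ca = make_ca(2000)
    client = make_client(new_key, new_ca, "client01")
    authgroup = [old_ca, new_ca]
    naive = find_issuer_first_subject_match(client, authgroup)
    robust = find_issuer_by_akid(client, authgroup)
    return {
        "naive_picks_new_ca": naive is new_ca,        # False: stopped at the old CA
        "naive_signature_ok": signed_by(client, naive),  # False: wrong key, client rejected
        "robust_picks_new_ca": robust is new_ca,      # True: AKID/SKID disambiguates
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical check this suggests: compare the `X509v3 Authority Key Identifier` of a failing client cert with the `X509v3 Subject Key Identifier` of each CA cert in the authgroup; if the two MSFT CA certs also lack SKID/AKID extensions, even a careful verifier has only the signature to tell them apart.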