SSL Using Certificates for Authentication

tomek0001
Level 4

Hi,

I"m trying to setup the anyconnect client to use certificate authentication with asa 5510 running 8.0.

I would like to use windows CA to get signed certificates that could be used to authenticate the asa. The anyconnect client should have certs from windows domain that would match the root cert of signed asa.

Has anyone done a similar thing and would be able to provide me with some links or config samples.

I have SCEP working with the asa but don' can't seem to use that certificate for ssl, not sure why.

Thanks for any help in advance.

5 Replies

skhan
Level 1

Hi Tom,

Were you able to resolve this? I would appreciate a sample config. I am also trying to get it working with a Windows CA.

You can use the following doc as a guide as the majority of the configuration will be the same. Please let me know what specific issues you are running into.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a2b93.shtml

I am using a digital cert from a Microsoft CA for machine authentication, and the idea is that if the machine cert is revoked the user should not be allowed to log in. I get the following error:

"certificate validation failure"

Any thoughts on troubleshooting or fixing this are greatly appreciated. Secondly, for machine authentication, the CA server and the AD are on the LAN. Attached is also the design config.

I did look at multiple documents including this one, but will check this one again.

I am still getting "certificate validation failure":

CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
12 7f 74 fe e6 d0 16 57 7d cd d7 78 ff da 61 ed | t....W}..x..a.
CRYPTO_PKI: Found cert in database.
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
e5 40 0d f7 29 f3 4c 15 f1 68 1d 17 4f f2 c6 e2 | .@..).L..h..O...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint Main.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 741EA925000100001F46, subject name: ea=xx CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
12 7f 74 fe e6 d0 16 57 7d cd d7 78 ff da 61 ed | t....W}..x..a.
CRYPTO_PKI: Found cert in database.
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
e5 40 0d f7 29 f3 4c 15 f1 68 1d 17 4f f2 c6 e2 | .@..).L..h..O...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...

The certificate is not getting automatically delivered via the ASA from the MS CA and therefore cannot be imported into the personal store.
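As an added triage example (not from the post above or from Cisco): the decisive lines in that debug are the check_key_usage ones, which show the machine certificate carrying only the IKE-intermediate EKU (1.3.6.1.5.5.8.2.2) and no Client Authentication EKU (1.3.6.1.5.5.7.3.2), which the ASA requires when a peer certificate has an EKU extension at all. The stdlib-only Python below parses such `debug crypto ca` output and states that; the OID-to-name table is assumed from RFC 5280 and the Microsoft IKE intermediate purpose, and the sample lines are constructed from the post.

```python
import re
from typing import Dict, List

# Well-known EKU OIDs: RFC 5280 id-kp values plus the Microsoft
# "IP security IKE intermediate" OID the debug above rejects.
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.17": "ipsecIKE", "1.3.6.1.5.5.8.2.2": "ikeIntermediate"}
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"
EKU_RE = re.compile(r"ExtendedKeyUsage OID = ([\d.]+)")
TRUSTPOINT_RE = re.compile(r"authenticated trustpoint (\S+)")
FAIL_RE = re.compile(r"Certificate validation failed\. (?P<reason>[^,]+),"
                     r" serial number: (?P<serial>[0-9A-Fa-f]+)")

def triage(debug_output: str) -> Dict[str, object]:
    """Collect trustpoint, peer-cert EKU OIDs and the failure line from 'debug crypto ca'."""
    ekus: List[str] = []          # deduplicated, in order seen
    result = {"trustpoint": None, "eku_oids": ekus, "failure_reason": None, "serial": None}
    for line in debug_output.splitlines():
        if m := EKU_RE.search(line):
            if m.group(1) not in ekus:
                ekus.append(m.group(1))
        elif m := TRUSTPOINT_RE.search(line):
            result["trustpoint"] = m.group(1).rstrip(".")
        elif m := FAIL_RE.search(line):
            result["failure_reason"], result["serial"] = m.group("reason"), m.group("serial")
    return result

def verdict(result: Dict[str, object]) -> str:
    """Explain the failure: a key-usage rejection without clientAuth points at the CA template."""
    reason, ekus = result["failure_reason"], result["eku_oids"]
    if reason is None:
        return "validation passed"
    names = [EKU_NAMES.get(o, o) for o in ekus]
    if "key usage" in reason and CLIENT_AUTH_OID not in ekus:
        return (f"serial {result['serial']}: EKU {names} lacks clientAuth ({CLIENT_AUTH_OID}); "
                "reissue the machine cert from a template that includes Client Authentication")
    return f"serial {result['serial']}: {reason}"

# Constructed sample: the decisive lines from the debug pasted in the post above.
SAMPLE_DEBUG = """\
CRYPTO_PKI: Found a suitable authenticated trustpoint Main.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 741EA925000100001F46, subject name: ea=xx CRYPTO_PKI: Certificate not validated
"""

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_DEBUG)))
```

Run it against a full `debug crypto ca 255` capture; a certificate that passes shows clientAuth in the EKU list (or no check_key_usage lines at all) and no ERROR line.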

jesrobbie
Level 1

I am looking at a very similar project. Did you resolve this?
