
New Member

SSL Using Certificates for Authentication

Hi,

I'm trying to set up the AnyConnect client to use certificate authentication with an ASA 5510 running 8.0.

I would like to use a Windows CA to get signed certificates that could be used to authenticate the ASA. The AnyConnect client should have certs from the Windows domain that would match the root cert of the signed ASA.

Has anyone done a similar thing and would be able to provide me with some links or config samples?

I have SCEP working with the ASA but can't seem to use that certificate for SSL, not sure why.

Thanks for any help in advance.

5 REPLIES
New Member

Re: SSL Using Certificates for Authentication

Hi Tom,

Were you able to resolve this? I would appreciate a sample config. I am also trying to get it working with Windows CA.

Re: SSL Using Certificates for Authentication

You can use the following doc as a guide as the majority of the configuration will be the same. Please let me know what specific issues you are running into.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a2b93.shtml

New Member

Re: SSL Using Certificates for Authentication

I am using a digital cert from a Microsoft CA for machine authentication, and the idea is that if the machine cert is revoked the user should not be allowed to log in. I get the following error:

"certificate validation failure"

Any thoughts on troubleshooting or fixing this are greatly appreciated. Secondly, for machine authentication, the CA server and the AD are on the LAN. The design config is also attached.

I did look at multiple documents including this one, but will check this one again.

New Member

Re: SSL Using Certificates for Authentication

I am still getting certificate validation failure.

CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
12 7f 74 fe e6 d0 16 57 7d cd d7 78 ff da 61 ed | t....W}..x..a.
CRYPTO_PKI: Found cert in database.
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
e5 40 0d f7 29 f3 4c 15 f1 68 1d 17 4f f2 c6 e2 | .@..).L..h..O...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint Main.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 741EA925000100001F46, subject name: ea=xx CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
12 7f 74 fe e6 d0 16 57 7d cd d7 78 ff da 61 ed | t....W}..x..a.
CRYPTO_PKI: Found cert in database.
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=cc3c95e0, digest=
e5 40 0d f7 29 f3 4c 15 f1 68 1d 17 4f f2 c6 e2 | .@..).L..h..O...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...

The certificate is not getting automatically delivered via ASA from the MS-CA and therefore cannot import in the personal store.
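Editor's note, added as an illustration and not part of the thread: the telling lines in the debug above are the check_key_usage ones. The only ExtendedKeyUsage the peer certificate carries is OID 1.3.6.1.5.5.8.2.2, the IKE Intermediate EKU that Windows certificate templates for IPsec carry; it is not a TLS client-authentication EKU, so the ASA marks it NOT acceptable and the validation fails on key usage before revocation is even consulted. The script below (my own, not Cisco's) triages a CRYPTO_PKI dump of this shape: it extracts the trustpoint, every EKU OID evaluated, the ones rejected, the numeric status and the peer serial, and reports which EKU a certificate for SSL VPN client authentication would still need. The sample input is a constructed copy of the relevant lines from the post; the expectation that such a certificate carries clientAuth (1.3.6.1.5.5.7.3.2) is this script's assumption for the check, not a transcript of the ASA's own acceptance list.

```python
"""Triage an ASA 'debug crypto ca' dump for the key-usage failure quoted above."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: the validation lines from the post, trimmed to the
# part that matters (the OID, status and serial are the ones quoted there).
SAMPLE_DEBUG = """\
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint Main.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 741EA925000100001F46, subject name: ea=xx CRYPTO_PKI: Certificate not validated
"""

# Well-known extended key usage OIDs: RFC 5280 id-kp-* values plus the
# IKE Intermediate OID used by Windows IPsec certificate templates.
EKU_NAMES: Dict[str, str] = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.17": "ipsecIKE",
    "1.3.6.1.5.5.8.2.2": "ikeIntermediate",
}

# Assumption of this script: a certificate presented by an SSL VPN client is
# expected to carry clientAuth. The report is made against this list; it is
# not the ASA's own acceptance list.
REQUIRED_FOR_SSL_CLIENT = ("1.3.6.1.5.5.7.3.2",)

_EKU_RE = re.compile(r"ExtendedKeyUsage OID = (\d+(?:\.\d+)+)(, NOT acceptable)?")
_STATUS_RE = re.compile(r"Certificate validation: Failed, status: (\d+)")
_SERIAL_RE = re.compile(r"serial number: ([0-9A-Fa-f]+)")
_TRUSTPOINT_RE = re.compile(r"Found a suitable authenticated trustpoint (\w+)")


def eku_name(oid: str) -> str:
    """Map an EKU OID to its common name, falling back to the dotted OID."""
    return EKU_NAMES.get(oid, oid)


def triage_pki_debug(text: str) -> Dict[str, Any]:
    """Summarise one CRYPTO_PKI validation attempt from debug output."""
    eku_seen: List[str] = []
    eku_rejected: List[str] = []
    status: Optional[int] = None
    serial: Optional[str] = None
    trustpoint: Optional[str] = None

    for line in text.splitlines():
        m = _EKU_RE.search(line)
        if m:
            oid = m.group(1)
            if oid not in eku_seen:
                eku_seen.append(oid)
            if m.group(2) and oid not in eku_rejected:
                eku_rejected.append(oid)
            continue
        m = _STATUS_RE.search(line)
        if m:
            status = int(m.group(1))
            continue
        m = _SERIAL_RE.search(line)
        if m:
            serial = m.group(1)
            continue
        m = _TRUSTPOINT_RE.search(line)
        if m:
            trustpoint = m.group(1)

    # Which of the EKUs we expect on an SSL client cert never appeared at all.
    missing = [eku_name(o) for o in REQUIRED_FOR_SSL_CLIENT if o not in eku_seen]
    key_usage_failure = (
        "No acceptable ExtendedKeyUsage" in text or "key usage is invalid" in text
    )
    return {
        "trustpoint": trustpoint,
        "eku_seen": eku_seen,
        "eku_seen_names": [eku_name(o) for o in eku_seen],
        "eku_rejected": eku_rejected,
        "status": status,
        "serial": serial,
        "key_usage_failure": key_usage_failure,
        "missing_for_ssl_client": missing,
    }


def explain(report: Dict[str, Any]) -> str:
    """One-line verdict for the operator reading the debug."""
    if not report["key_usage_failure"]:
        return "no key-usage rejection found in this dump"
    seen = ", ".join(report["eku_seen_names"]) or "none"
    need = ", ".join(report["missing_for_ssl_client"]) or "none"
    return (
        f"peer cert serial {report['serial']} rejected (status {report['status']}): "
        f"EKU present = {seen}; EKU needed for SSL client auth = {need}. "
        "Re-issue from a CA template that includes the needed EKU."
    )


if __name__ == "__main__":
    print(explain(triage_pki_debug(SAMPLE_DEBUG)))
```

On the sample dump this reports that the peer certificate carries only ikeIntermediate and lacks clientAuth, which points at the certificate template on the Microsoft CA rather than at the ASA trustpoint or revocation checking. The practical follow-up on the CA side is to issue the machine certificate from a template whose Application Policies include Client Authentication, then confirm the new EKU with the same debug before looking further at CRL or OCSP behaviour.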

New Member

Re: SSL Using Certificates for Authentication

I am looking at a very similar project. Did you resolve this?
