<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ASA Error for Unknown Certificate in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-error-for-unknown-certificate/m-p/4107056#M1071287</link>
    <pubDate>Mon, 22 Jun 2020 02:20:30 GMT</pubDate>
    <dc:creator>DStringfield</dc:creator>
    <dc:date>2020-06-22T02:20:30Z</dc:date>
    <item>
      <title>ASA Error for Unknown Certificate</title>
      <link>https://community.cisco.com/t5/network-security/asa-error-for-unknown-certificate/m-p/4107056#M1071287</link>
      <description>&lt;P&gt;Hi all,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I recently renewed some SSL Certs for my ASA5506x devices. I am now getting an error (repeatedly) which claims that the verification of a cert chain is failing. However I cannot for the life of me find the certificate that it is referencing.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The error as it appears in the logs is here:&lt;/P&gt;&lt;PRE&gt;%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 0509, subject name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM, issuer name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM .
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 7517167783D0437EB556C357946E4563B8EBD3AC, subject name: cn=HydrantID SSL ICA G2,o=HydrantID (Avalanche Cloud Corporation),c=US, issuer name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM .
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 3000683B0F7504F7B244B3EA7FC00927E960D735, subject name: cn=tools.cisco.com,o=Cisco Systems\, Inc.,l=San Jose,st=CA,c=US, issuer name: cn=HydrantID SSL ICA G2,o=HydrantID (Avalanche Cloud Corporation),c=US .
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Using the CLI to find all the certs gives this result (sanitised slightly)&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;Result of the command: "show crypto ca certificate"

Certificate
  Status: Available
  Certificate Serial Number: 08ad6b3eddbe00d59a801a9b3f57c3b5
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name: 
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  Subject Name:
    cn=*.mydomain.com
    o=Company
    l=city
    st=state
    c=AU
  OCSP AIA: 
    URL: http://ocsp.digicert.com
  CRL Distribution Points: 
    [1]  http://crl3.digicert.com/ssca-sha2-g6.crl
    [2]  http://crl4.digicert.com/ssca-sha2-g6.crl
  Validity Date: 
    start date: 10:00:00 EST Jun 19 2020
    end   date: 22:00:00 EST Jul 29 2022
  Storage: config
  Associated Trustpoints: 2020_renewal_01 

Certificate
  Status: Available
  Certificate Serial Number: 0ed637ed96cd9eac13e0bf319a9d338b
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name: 
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  Subject Name:
    cn=*.mydomain.com
    o=Company
    l=city
    st=state
    c=AU
  OCSP AIA: 
    URL: http://ocsp.digicert.com
  CRL Distribution Points: 
    [1]  http://crl3.digicert.com/ssca-sha2-g6.crl
    [2]  http://crl4.digicert.com/ssca-sha2-g6.crl
  Validity Date: 
    start date: 10:00:00 EST May 15 2018
    end   date: 22:00:00 EST Jun 24 2020
  Storage: config
  Associated Trustpoints: ASDM_TrustPoint10 

Certificate
  Status: Available
  Certificate Serial Number: 079992f6d6a4b6d5f770f0cca02be1d6
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name: 
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  Subject Name:
    cn=*.mydomain.com
    o=Company
    l=location
    st=state
    c=AU
  OCSP AIA: 
    URL: http://ocsp.digicert.com
  CRL Distribution Points: 
    [1]  http://crl3.digicert.com/ssca-sha2-g6.crl
    [2]  http://crl4.digicert.com/ssca-sha2-g6.crl
  Validity Date: 
    start date: 11:00:00 EDT Feb 20 2018
    end   date: 22:00:00 EST May 30 2018
  Storage: config
  Associated Trustpoints: ASDM_TrustPoint5 

CA Certificate
  Status: Available
  Certificate Serial Number: 083be056904246b1a1756ac95991c74a
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name: 
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Subject Name: 
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Validity Date: 
    start date: 11:00:00 EDT Nov 10 2006
    end   date: 11:00:00 EDT Nov 10 2031
  Storage: config
  Associated Trustpoints: ASDM_TrustPoint11 ASDM_TrustPoint1 

CA Certificate
  Status: Available
  Certificate Serial Number: 01fda3eb6eca75c888438b724bcfbc91
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name: 
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Subject Name: 
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  OCSP AIA: 
    URL: http://ocsp.digicert.com
  CRL Distribution Points: 
    [1]  http://crl3.digicert.com/DigiCertGlobalRootCA.crl
    [2]  http://crl4.digicert.com/DigiCertGlobalRootCA.crl
  Validity Date: 
    start date: 23:00:00 EDT Mar 8 2013
    end   date: 23:00:00 EDT Mar 8 2023
  Storage: config
  Associated Trustpoints: 2020_renwal ASDM_TrustPoint7 ASDM_TrustPoint10 ASDM_TrustPoint9 ASDM_TrustPoint0 

CA Certificate
  Status: Available
  Certificate Serial Number: 6ecc7aa5a7032009b8cebcf4e952d491
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name: 
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign\, Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign\, Inc.
    c=US
  Subject Name: 
    cn=VeriSign Class 3 Secure Server CA - G3
    ou=Terms of use at https://www.verisign.com/rpa (c)10
    ou=VeriSign Trust Network
    o=VeriSign\, Inc.
    c=US
  OCSP AIA: 
    URL: http://ocsp.verisign.com
  CRL Distribution Points: 
    [1]  http://crl.verisign.com/pca3-g5.crl
  Validity Date: 
    start date: 11:00:00 EDT Feb 8 2010
    end   date: 10:59:59 EDT Feb 8 2020
  Storage: config
  Associated Trustpoints: _SmartCallHome_ServerCA 

&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You will hopefully agree that the certificate it's complaining about above is not listed, hence my confusion.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jun 2020 02:20:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-error-for-unknown-certificate/m-p/4107056#M1071287</guid>
      <dc:creator>DStringfield</dc:creator>
      <dc:date>2020-06-22T02:20:30Z</dc:date>
    </item>
    <item>
      <title>Re: ASA Error for Unknown Certificate</title>
      <link>https://community.cisco.com/t5/network-security/asa-error-for-unknown-certificate/m-p/4107098#M1071290</link>
      <description>&lt;P&gt;I suspect smart call-home has been enabled. That happens via https and requires that you trust the Cisco certificate and its issuing and root CA.&lt;/P&gt;
&lt;P&gt;Your errors include a failure to trust&lt;/P&gt;
&lt;PRE&gt;tools.cisco.com&lt;/PRE&gt;
&lt;P&gt;...and the issuing and root certificate above it. You can either disable SCH ("no service call-home") or add the necessary certificate and chain of trust. Details for the latter option can be found here:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/monitor-smart-call-home.html#ID-2117-00000205" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/monitor-smart-call-home.html#ID-2117-00000205&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jun 2020 06:21:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-error-for-unknown-certificate/m-p/4107098#M1071290</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2020-06-22T06:21:12Z</dc:date>
    </item>
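Added example, not from the thread or from Cisco: the Python below does the cross-check Marvin describes mechanically. It parses the %ASA-3-717009 lines into a subject-to-issuer map and rebuilds the chain the ASA rejected (tools.cisco.com, then the HydrantID intermediate, then the QuoVadis root), parses the subject DNs and "Associated Trustpoints" out of "show crypto ca certificate", and reports which chain CAs have no trustpoint. That is why the original poster could not find the certificate: the syslog names the peer's chain, not a certificate the ASA holds. It also flags trustpoints whose CA certificate is past its end date, which in the poster's own output applies to _SmartCallHome_ServerCA (end date Feb 8 2020, post dated Jun 22 2020). The sample log and the abbreviated show output are re-typed from this thread; the post date stands in for today; the trustpoint names derived from each CN are an assumption; and crypto ca trustpoint / enrollment terminal / crypto ca authenticate are the ASA's standard terminal-enrollment commands, which still require you to paste the CA's PEM at the prompt.

```python
"""Triage %ASA-3-717009 chain failures against 'show crypto ca certificate' output."""
import re
from datetime import date, datetime
# Constructed sample input: the thread's log lines, re-typed here (not live data).
ASA_LOG = r"""
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 0509, subject name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM, issuer name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM .
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 7517167783D0437EB556C357946E4563B8EBD3AC, subject name: cn=HydrantID SSL ICA G2,o=HydrantID (Avalanche Cloud Corporation),c=US, issuer name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM .
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 3000683B0F7504F7B244B3EA7FC00927E960D735, subject name: cn=tools.cisco.com,o=Cisco Systems\, Inc.,l=San Jose,st=CA,c=US, issuer name: cn=HydrantID SSL ICA G2,o=HydrantID (Avalanche Cloud Corporation),c=US .
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
"""
# Constructed, abbreviated 'show crypto ca certificate' output in the ASA's own layout:
# the thread's _SmartCallHome_ServerCA entry, trimmed to the fields read below.
SHOW_CRYPTO_CA = r"""
CA Certificate
  Subject Name: 
    cn=VeriSign Class 3 Secure Server CA - G3
    ou=Terms of use at https://www.verisign.com/rpa (c)10
    ou=VeriSign Trust Network
    o=VeriSign\, Inc.
    c=US
  Validity Date: 
    end   date: 10:59:59 EDT Feb 8 2020
  Associated Trustpoints: _SmartCallHome_ServerCA 
"""
POST_DATE = date(2020, 6, 22)  # the thread's date, used as "today" for the expiry check
LOG_RE = re.compile(r"%ASA-3-717009: .*?serial number: (?P<serial>[0-9A-Fa-f]+), "
                    r"subject name: (?P<subject>.+?), issuer name: (?P<issuer>.+?) ?\.$")
END_RE = re.compile(r"end\s+date: \d\d:\d\d:\d\d \w+ (\w{3} \d{1,2} \d{4})")

def parse_failures(log_text):
    """Map subject DN to issuer DN for every 717009 line (DNs kept in ASA syntax)."""
    failures = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            failures[m.group("subject")] = m.group("issuer")
    return failures

def build_chain(failures):
    """Order the failing certs leaf first; the leaf is the one subject that issues nothing."""
    leaves = [s for s in failures if s not in set(failures.values())]
    if len(leaves) != 1:
        raise ValueError("expected one leaf certificate, found %r" % leaves)
    chain, current = [], leaves[0]
    while True:
        chain.append(current)
        issuer = failures[current]
        if issuer in chain or issuer not in failures:  # self-signed root, or chain cut off
            break
        current = issuer
    return chain

def parse_trustpoints(show_text):
    """One dict per certificate block: CA flag, subject DN, end date, trustpoint names."""
    records, rec, in_subject = [], None, False
    for raw in show_text.splitlines():
        stripped = raw.strip()
        if stripped in ("Certificate", "CA Certificate"):
            rec = {"ca": stripped == "CA Certificate", "subject": [], "tps": [], "end": None}
            records.append(rec)
        elif rec is None:
            continue
        elif raw.startswith("    ") and in_subject and "=" in stripped:  # RDN lines
            rec["subject"].append(stripped)
            continue
        elif END_RE.match(stripped):
            rec["end"] = datetime.strptime(END_RE.match(stripped).group(1), "%b %d %Y").date()
        elif stripped.startswith("Associated Trustpoints:"):
            rec["tps"] = stripped.split(":", 1)[1].split()
        in_subject = stripped.startswith("Subject Name:")
    for rec in records:
        rec["subject"] = ",".join(rec["subject"])  # the one-line form the syslog uses
    return records

def triage(log_text, show_text, today):
    """Return (chain CA DNs with no trustpoint, (DN, trustpoint) pairs past their end date)."""
    chain = build_chain(parse_failures(log_text))
    installed = parse_trustpoints(show_text)
    present = {r["subject"] for r in installed if r["ca"]}
    missing = [dn for dn in chain[1:] if dn not in present]  # the leaf is never a trustpoint
    expired = [(r["subject"], tp) for r in installed for tp in r["tps"]
               if r["end"] is not None and today > r["end"]]
    return missing, expired

def remediation_cli(missing):
    """ASA CLI adding each missing CA as a terminal-enrolled trustpoint (names from the CN)."""
    lines = []
    for dn in missing:
        name = re.sub(r"[^A-Za-z0-9]+", "_", dn.split(",", 1)[0].split("=", 1)[1]).strip("_")
        lines += [f"crypto ca trustpoint {name}", " enrollment terminal", " exit",
                  f"! next command prompts for the PEM of '{dn}'; paste it, then type quit",
                  f"crypto ca authenticate {name}"]
    return lines

if __name__ == "__main__":
    missing, expired = triage(ASA_LOG, SHOW_CRYPTO_CA, POST_DATE)
    print("CA subjects in the failing chain with no trustpoint:", missing)
    print("\n".join(remediation_cli(missing)))
```

Run as-is to see the report; for a real device, paste its full show output into SHOW_CRYPTO_CA and its syslog lines into ASA_LOG. The script emits commands for both the intermediate and the root; whether the root alone is enough depends on your trustpoint policy, and the Cisco document linked in the reply above is the authoritative procedure. The alternative Marvin gives, "no service call-home", removes the HTTPS session that triggers these messages altogether.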
  </channel>
</rss>

