1294 Views, 0 Helpful, 3 Replies

Anyconnect certificate based authentication error 1838

Chewbakka1
Level 1

Hi,

In an attempt to set up Anyconnect to authenticate users by certificates instead of the more common username/password based authentication, I have created my own CA and issued:

  • The root certificate
  • The ASA identity certificate
  • The client(pc) device certificate

Both the ASA and the client certificates are signed by, and correctly verify against, the root certificate.

In the identity cert for the ASA I have set the CN= to its outside IP address, as it does not have an FQDN set.

The client certificate also has its CN= corresponding to its public IP.


When attempting to connect to the VPN gateway (ASA) from the client PC, the debug output looks like this:

CRYPTO_PKI:check_key_usage: KeyUsage extension not found.
CRYPTO_PKI: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2 acceptable for usage type: SSL VPN Peer
CRYPTO_PKI:check_key_usage:Key Usage check OK

CRYPTO_PKI: Certificate validation: Failed, status: 1838
CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1838
CRYPTO_PKI: PKI Verify Certificate error. No trust point found.
CRYPTO_PKI: Certificate not validated
CERT_API: calling user callback=0x00007f9163cd4a70 with status=15(Verification Failure)

I have also tried setting 'revocation-check none' under the trustpoint, without any result.

Any idea what I am missing?
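An added example, not part of the thread and not Cisco's code: a throwaway lab PKI built with the openssl CLI that mirrors the poster's layout (a private root CA and a client certificate whose CN and SAN are an IP address, with EKU clientAuth, OID 1.3.6.1.5.5.7.3.2), followed by the checks that correspond to the lines in the ASA debug above: does the client certificate chain to the CA the gateway trusts, and does it carry the KeyUsage and ExtendedKeyUsage extensions the ASA reports on. All names, paths and the 203.0.113.10 address are constructed for the example; OTHER-ROOT-CA is a second, unrelated CA that stands in for a gateway whose trustpoint does not hold the issuing CA.

```shell
#!/bin/sh
# Constructed lab PKI + certificate checks (example code, not from the thread).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Root CA: the certificate that would be imported into the ASA trustpoint.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=LAB-ROOT-CA" \
  -config "$WORK/req.cnf" -extensions v3_ca \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Unrelated CA: models a trustpoint that does not contain the client's issuer.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=OTHER-ROOT-CA" \
  -config "$WORK/req.cnf" -extensions v3_ca \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Client certificate: CN and SAN set to a (documentation-range) IP, as in the post,
# with KeyUsage and the clientAuth EKU (1.3.6.1.5.5.7.3.2).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=203.0.113.10" \
  -config "$WORK/req.cnf" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = IP:203.0.113.10
EOF
openssl x509 -req -days 30 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/client.ext" \
  -out "$WORK/client.crt" 2>/dev/null

# Returns 0 when certificate $1 chains to the CA bundle $2, non-zero otherwise.
# This is the check behind "PKI Verify Certificate": no trust anchor, no chain.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when certificate $1 has a KeyUsage extension at all
# (the ASA debug notes when it is absent: "KeyUsage extension not found").
has_key_usage() {
  openssl x509 -in "$1" -noout -text | grep -q "X509v3 Key Usage"
}

# Returns 0 when certificate $1 carries the clientAuth EKU (1.3.6.1.5.5.7.3.2).
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# Returns 0 when certificate $1's SAN contains IP address $2.
has_san_ip() {
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Demonstration when run directly.
if verify_chain "$WORK/client.crt" "$WORK/ca.crt"; then
  echo "chain to LAB-ROOT-CA: OK"
fi
if ! verify_chain "$WORK/client.crt" "$WORK/other.crt"; then
  echo "chain to OTHER-ROOT-CA: FAILED (issuer is not a trusted CA here)"
fi
has_key_usage "$WORK/client.crt" && echo "KeyUsage extension: present"
has_client_auth_eku "$WORK/client.crt" && echo "EKU clientAuth: present"
has_san_ip "$WORK/client.crt" 203.0.113.10 && echo "SAN IP 203.0.113.10: present"
```

The second verification is the case to compare with the debug above: the client certificate is well formed and its extensions pass, but the verifier holds no trust anchor for its issuer, which is the situation an ASA is in when the CA that signed the client certificate is missing from (or was not authenticated into) any trustpoint. The KeyUsage and EKU checks reproduce what the ASA logs before it reaches the chain check, so a certificate can pass them and still fail.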

3 Replies

Hi,

What is your ASA configuration in regard to the trustpoint and remote access VPN? Do you have the following configured?

ssl trust-point LAB_PKI OUTSIDE

crypto ikev2 remote-access trustpoint LAB_PKI

This reference describes how to use certificate authentication with AnyConnect RAVPN.

HTH

Try re-importing your CA certificate.

--
Please remember to select a correct answer and rate helpful posts

My suspicion here is that Anyconnect barfs on the CN= being an IP address....

Let me know if this really is the case.
