Certificate Validation on CUBE when installing CA signed and Trust certificates

neil.2.clark
Level 1

Hello,

Have a bit of an odd question here, there is an ongoing TAC case for this but putting it out there to see if anyone else has experienced the issue.

Essentially setting up a CUBE in preparation for an encrypted connection through a partner CUCM instance from our own CUCM instance. Our environment requires that we utilise name constraints on our CAs to limit the address space among other things; these are injected by the root CA prior to issuing the Sub CA certificate.

Configuration is broadly thus

2 TIER PKI with all signing done by 3rd party CA (in BASE64 Terminal copy & paste) not via the CISCO IOS CA.

Trustpoint1 (SUB CA & CUBE Certificate)

Trustpoint2 (Root CA)

Trustpoint3 (Partner CA)

At this point all three trustpoints have been authenticated in the following order: SUB, ROOT, Partner.

When using a SUB CA certificate with name constraints applied, the whole validation process fails when attempting the "Crypto PKI import SUB Certificate" command, generating the following error.

*Dec  9 13:17:01.901: CRYPTO_PKI: make trustedCerts list for CS2_CWAY_CUBE1
*Dec  9 13:17:01.901: CRYPTO_PKI: subject="cn=Servicename Issuing CA1,ou=AAAA,ou=BB,o=CCC CCCCCCC,c=GB" serial number=
     73 00 00 00 17 C4 3B 23 E1 FE 76 CE BE 00 01 00
     00 00 17

*Dec  9 13:17:01.903: PKI:get_cert CS2_CWAY_CUBE1 0x10 (expired=0):
*Dec  9 13:17:01.905:  CRYPTO_PKI: Deleting cached key having key id 4
*Dec  9 13:17:01.905:  CRYPTO_PKI: Attempting to insert the peer's public key into cache
*Dec  9 13:17:01.905:  CRYPTO_PKI:Peer's public inserted successfully with key id 5
*Dec  9 13:17:01.905:  CRYPTO_PKI: Expiring peer's cached key with key id 5
*Dec  9 13:17:01.907: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(2807) : E_NOT_VALIDATED : validation process failed (reason: 9)
*Dec  9 13:17:01.907: CRYPTO_PKI: status = 0x751(E_NOT_VALIDATED : validation process failed (reason: %n0)): failed to verify or insert the cert into storage

(Note: the Subject information has been modified as it's not a public certificate.)

However if I renew the SUB CA certificate without injecting the name constraints all trustpoints authenticate successfully and the CUBE certificate is imported successfully.

It's pretty clear that the processing of the name constraints is the issue but as I can't feasibly remove them I need some manner of workaround for the CUBE.

Appreciate the use of name constraints is less than common but hoping someone else has come across this issue and managed to resolve it.

Many Thanks,

Neil

3 Replies

neil.2.clark
Level 1

In the interests of this potentially helping someone else out: during discussions with Cisco TAC and other specialists it seems that the CUBE is unable to validate CA certificates with name constraints applied. My own testing has proven that it is the constraints in the CA certificate that cause the issue, and TAC have now replicated the issue.

However, I should note that I've not had formal acknowledgement that it isn't supported. This is of interest as it would appear to be a function in the underlying PKI function within Cisco IOS. At this stage, if you're looking to secure your Cisco estate with certificates, I'd avoid using name constraints if possible.

Regards,

Neil

This bug has now been added to the following enhancement request.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc63666

Neil

corycandia
Level 1

@neil.2.clark 

If you're still around, I am curious if you guys ever got a fix other than using a CA without any constraints in the chain?

I think I am getting the same issue, and recreating a CA root cert and everything below is not really an option.