ASA5510: PKI-Error

gaigl
Level 3

Hello,

We have an ASA5510 running 8.4(4)3 and a problem with a root certificate from the company-owned CA (I don't know the product; not an MS CA).

The output of "sh crypto ca certificate":

CA Certificate
  Status: Available
  Certificate Serial Number: 4d1a825bfxxx
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=Zertifizierungsstelle der xxx
    ou=XXX
    o=Bayerische xxx
    l=Muenchen
    st=Bayern
    c=DE
    ea=CA@company.de
  Subject Name:
    cn=Zertifizierungsstelle der Bayerischen company
    ou=BVK
    o=Bayerische company
    l=Muenchen
    st=Bayern
    c=DE
    ea=CA@company.de
  CRL Distribution Points:
    [1]  http://aaa.crl
    [2]  http://bbb.crl
    [3]  http://ccc.crl
  Validity Date:
    start date: 12:07:29 CEDT Jul 20 2011
    end   date: 12:13:50 CEDT Jul 19 2041
  Associated Trustpoints: TP-BVK-1

(some data removed or hidden)

A debug with "deb crypto ca 255", "deb crypto ca messag 255" and "deb crypto ca trans 255" shows the following:

CERT-C: E ../cert-c/source/certobj.c(1295) : Error #72ah
CERT-C: E ../cert-c/source/certobj.c(719) : Error #72ah
CRYPTO_PKI: Failed to create name objects to compare cert DNs. status = 1834
CERT-C: E ../cert-c/source/certobj.c(1295) : Error #72ah
CERT-C: E ../cert-c/source/certobj.c(719) : Error #72ah
CRYPTO_PKI: can not set ca cert object (0x72a)CERT_API: Close session 0x407546a7 synchronously

The log shows:

%ASA-vpn-3-713109: IP = 109.43.0.100, Unable to process the received peer certificate
%ASA-vpn-3-713048: IP = 109.43.0.100, Error processing payload: Payload ID: 6

The certificates should be used for IPsec VPN connections on iPhones.

For a test I tried to import the cert on a Windows machine into the Cisco IPsec client, which failed with "Error39: Import failed".

Any ideas???

Thank you

1 Reply

arendvanderkolk
Level 1

Hello Karl,

Have you found an answer back then to this problem? I have the same issue now using a client certificate via Cisco AnyConnect, and we get the following errors on the ASA when this client tries to connect.

NRA-DCA-002# CERT_API: PKI session 0x3658b8a7 open Successful with type SSL
CERT-C: E ../cert-c/source/certobj.c(1516) : Error #701h
CERT-C: E ../cert-c/source/certobj.c(1528) : Error #72ah
CERT-C: E ../cert-c/source/certobj.c(874) : Error #72ah
CRYPTO_PKI: can not set ca cert object (0x72a)
SSL verify callback: Failed to add the ID cert to the PKI sessionCERT_API: Close session 0x3658b8a7 synchronously
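Both posts above end in the same ASA debug line, "can not set ca cert object (0x72a)", and the first post additionally shows "Failed to create name objects to compare cert DNs", which means the PKI stack could not build a name object from a certificate's Distinguished Name. A useful first triage step in that situation is to look at how each DN attribute is actually DER-encoded (attribute OID and ASN.1 string type), since that is what the name parser has to handle. The following is an added diagnostic example, not code from the thread or from Cisco; it parses a DER-encoded X.509 Name without external libraries and reports attributes that RFC 5280 treats as legacy or discouraged (T61String/BMPString values, or an emailAddress attribute in the DN). The DN it inspects is constructed inline to resemble the one in the first post; it is not the poster's certificate, and the string types chosen for it (a T61String cn, a UTF8String "München") are assumptions made for the demonstration. It does not claim that any of these is the cause of the poster's error.

```python
"""Report the OID and ASN.1 string type of every attribute in a DER X.509 Name.

Added diagnostic example (not from the thread). To run it on a real
certificate, extract the Subject or Issuer Name bytes with your ASN.1 tool
of choice and pass them to parse_name().
"""

# Common X.520 attribute types, plus PKCS#9 emailAddress (shown as 'ea=' by the ASA).
OID_NAMES = {
    "2.5.4.3": "cn", "2.5.4.11": "ou", "2.5.4.10": "o", "2.5.4.7": "l",
    "2.5.4.8": "st", "2.5.4.6": "c", "1.2.840.113549.1.9.1": "ea",
}
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(b):
    parts = [str(b[0] // 40), str(b[0] % 40)]
    val = 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def parse_name(der):
    """Return a list of (attr, oid, string_type, value) for each AVA in a DER Name."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    result, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET OF AttributeTypeAndValue"
        p = 0
        while p < len(rdn):
            tag, ava, p = _read_tlv(rdn, p)
            _, oid_b, q = _read_tlv(ava, 0)
            oid = _decode_oid(oid_b)
            vtag, vb, _ = _read_tlv(ava, q)
            stype = STRING_TAGS.get(vtag, f"tag 0x{vtag:02x}")
            value = vb.decode("utf-16-be") if vtag == 0x1E else vb.decode("utf-8", "replace")
            result.append((OID_NAMES.get(oid, oid), oid, stype, value))
    return result


def find_unusual(attrs):
    """Flag encodings RFC 5280 discourages: DirectoryString values that are not
    PrintableString/UTF8String, and emailAddress carried in the DN (legacy; new
    certificates put e-mail in subjectAltName)."""
    notes = []
    for attr, oid, stype, _ in attrs:
        if stype not in ("PrintableString", "UTF8String", "IA5String"):
            notes.append(f"{attr}: value encoded as {stype}")
        if oid == "1.2.840.113549.1.9.1":
            notes.append(f"{attr}: emailAddress attribute inside the DN (legacy)")
        elif oid not in OID_NAMES:
            notes.append(f"{attr}: attribute type {oid} outside the common X.520 set")
    return notes


# --- minimal DER encoder, only used to construct the sample DN below ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(oid):
    parts = [int(x) for x in oid.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_name(avas):
    """avas: list of (oid, string_tag, value); one AVA per RDN."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(o)) +
                        _tlv(t, v.encode("utf-16-be") if t == 0x1E else v.encode("utf-8"))))
        for o, t, v in avas)
    return _tlv(0x30, rdns)


# Constructed sample resembling the DN in the post; string types are assumptions.
SAMPLE_DN = build_name([
    ("2.5.4.6", 0x13, "DE"),
    ("2.5.4.8", 0x0C, "Bayern"),
    ("2.5.4.7", 0x0C, "München"),
    ("2.5.4.10", 0x0C, "Bayerische company"),
    ("2.5.4.11", 0x0C, "BVK"),
    ("2.5.4.3", 0x14, "Zertifizierungsstelle der Bayerischen company"),
    ("1.2.840.113549.1.9.1", 0x16, "CA@company.de"),
])

if __name__ == "__main__":
    attrs = parse_name(SAMPLE_DN)
    for attr, oid, stype, value in attrs:
        print(f"{attr:>3} ({oid}) {stype:16} {value}")
    for note in find_unusual(attrs):
        print("NOTE:", note)
```

The report lists every attribute in encoding order with its ASN.1 string type; for the constructed DN it flags the T61String cn and the emailAddress attribute. Comparing such a report for the CA certificate and the peer certificate is a quick way to see whether the two DNs the ASA has to compare differ in attribute types or string encodings, before going deeper into the PKI debug.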