I am trying to connect an IPSec VPN client using a certificate.
I am getting the following errors:
Failed to RSA sign the hash for IKE phase 1 negotiation using my certificate.
Failed to generate signature: Signature generation failed (SigUtil:97)
Failed to build Signature payload (MsgHandlerMM:489)
Failed to build MM msg5 (NavigatorMM:312)
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)
Marking IKE SA for deletion (I_Cookie=0264360E288A8DE1 R_Cookie=863E6F3B153D2DA8) reason = DEL_REASON_IKE_NEG_FAILED
I've seen this link, but my certificate is length 2048, not 4096.
Using Windows 7, 64 bits, client version 5.0.07.0440.
My computer doesn't even send any traffic to ASA trying to connect.
I only get the error when using a certificate assigned by an MS CA; when I use a certificate from the ASA internal CA I can connect just fine.
I have also seen somebody who solved this problem by importing the certificate from a pkcs12 file with keys. It didn't work for me either.
I imported the root certificate from Microsoft CA to ASA. But I didn't assign it to the vpn profile.
I only assigned the "identity certificate" to the profile. Do I need to specify the root certificate too in the profile?
What I meant was:
Did you set up the trustpoint used for the Microsoft CA root certificate on the interface where you are trying to connect to?
You can set this up under Configuration -> Remote Access VPN -> Advanced -> SSL Settings under header certificates.
Assuming that you already have the certificate properly installed on the ASA, could you please check the identity certificate and make sure that it includes the private key? If you do not see it, then you should contact your CA admin.
My certificate has the "yellow warning" on the key usage.
Like mentioned here:
Could this be the problem?
Working with TAC we found out the "problem".
The certificate needs to be imported via VPN Client. If you import the certificate via Windows it does not work (Via mmc or double clicking the certificate and choosing install).
This problem was happening only on Windows 7 - 64 bits. Windows XP was working fine.
If you have the same problem and this was helpful, please rate.
I'm not sure but it looks like the same issue, but I cannot import the certificate manually. The certificate is being distributed using group policy and we are not allowed to export it with the private key.
Anyone got that solved?