cisco anyconnect client certificate authentication does not require root and subCA to be installed o...

john.ebrahim83 · ‎11-19-2013

hi every one,

i have anyconnect with certificate based authentication. i can see if i remove root and subCA from client certificate store in windows7. i can see that with only client certificate user gets access.

however i have configured it for CRL check as well and CRL only checks the user certificate not the whole chain.

i have ROOT CA and SUBCA installed on cisco asa.

is this safe that it should only check client certificate for revocation not the whole cert chain?

can it be configured to check the whole certificate chain from client side instead of only client cert. ?

Marcin Latosiewicz · ‎11-19-2013

John,

Reference the RFC for TLS (in this case 1.0)

http://www.ietf.org/rfc/rfc2246.txt

Server send certificate_list and certificate request, containing certificate_authorities, which is the key info here.

when client responds it can send a certificate

 Client certificates are sent
       using the Certificate structure defined in Section 7.4.2.

same section describing server certificate.

Server sends its certificate, certificate_list and list of acceptable signers of certificates it will accept (certificate_authorities), client responds with a (one) corresponding cert and certificate_list.

If server has client's signer certificate I do not believe it needed a whole chain sent.

Client still needs to send certificate list but can ommit signing root.

About CRL, you authenticate root and subCA, i.e. implicitly trust.

AFAIR you only perform revocation check of certs you do not implicitly trust.

(My PKI is a bit rusty, feel free to challange)

HTH,

M.

Message was edited by: Marcin Latosiewicz, re-read parts of RFC and adapted my answer.

cisco anyconnect client certificate authentication does not require root and subCA to be installed on client side for authentication ?