04-01-2021 06:27 AM
Hello,
We're currently switching our old VPNs that are using AAA local authentication to a certificate one.
First, the project was supposed to use the local CA server from the ASA; so far no problem, I could log in using the user database with a certificate. Except that we decided to use a newly made PKI to manage the certificates instead.
So I disabled the local CA server and added both the Root CA and intermediate CA in the CA certificate tab.
(Note that we are using an identity certificate issued by a company.)
Once both .crt files had been added to the CA tab, I added the user's one into the Windows workstation (for testing purposes).
Here is my conf for the AnyConnect client:
Connection profile:
- certificate only
Client profile:
- certificate store: machine
- certificate store override
- unchecked "disable automatic certificate selection"
Group policies:
- nothing that I could find relevant to VPNs
User cert is in Current User / Personal / Certificates.
Here are the logs that I have.
From ASDM:
6 | Apr 01 2021 | 14:54:42 | Device selects trust-point ASDM_TrustPoint4 for client WAN:x.x.x.x/x to x.x.x.x/443 |
7 | Apr 01 2021 | 14:54:42 | No certificates received during the handshake with client WAN:x.x.x.x/x to x.x.x.x/443 for DTLSv1 session |
And the AnyConnect one:
15:16:20 No valid certificates available for authentication
I suppose AnyConnect can't get the user certificate, leading to an error, but the certificate is in the same location as when I was using the local CA server.
So it's either the CA server crt or the user crt, or both, I guess.
Thanks for helping.
04-01-2021 06:45 AM
Have you enabled the new trustpoint on the interface? E.g.
ssl trust-point Trustpoint OUTSIDE
04-01-2021 07:40 AM
The WAN interface is already used by the company-issued certificate, so I can't enable it.
Also I'm having an error:
ERROR: Trustpoint not enrolled. Please enroll trustpoint and try again.
ERROR: Trust-point is not enrolled.
All 3 certificates are imported: the CA root, the CA intermediate and the identity. The WAN is set on trustpoint_1, which has the identity cert.
And I can't use any other trustpoint, which I think asks me to enroll them.
They gave me the root and inter as .crt; do we need to re-generate them as .p12 and import them in the identity tab?
04-01-2021 07:50 AM
@Orcenel Was a certificate signing request for the identity certificate initially generated on the ASA?
04-01-2021 08:01 AM
The CSR was generated by our PKI and then submitted to Gandi; once we had the signed one, we imported the .p12 as our current identity certificate. So it wasn't generated through our ASA.
Now the two CAs were generated from the same PKI as the identity one.
04-01-2021 08:11 AM - edited 04-01-2021 09:13 AM
@Orcenel OK, does the identity certificate you imported include the private key?
04-01-2021 12:32 PM
Hm...
I imported it as a crt file and I just filled in the passphrase.
ASA only requires the PEM text or the crt file, if I remember correctly, so I didn't import the private key.
04-13-2021 07:13 AM
Alright, quick update.
I somehow managed to make the ASA contact the CRL, though I'm having a different error, which I suspect is in the CRL now.
BatG-FW3# crypto_pki_req(0x00002aaaca324c10, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: ASDM_TrustPoint2. Retrying with next CRL DP...
crypto_pki_req(0x00002aaaca324c10, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: Found suitable tp: ASDM_TrustPoint2
CRYPTO_PKI: Found suitable tp: ASDM_TrustPoint2
CRYPTO_PKI: Failed to create name objects to compare DNs. status = 1795
CRYPTO_PKI(select cert) subject = ou=Revenue Collection Systems,o=Thales,c=FR,st=IDF,cn=RCS-InterCA-VPN
CRYPTO_PKI: status = 1872: failed to verify CRL signature
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: ASDM_TrustPoint2. Retrying with next CRL DP...
I read on different threads that it's because I imported the inter-CA as a PEM file using OpenSSL, and instead I should convert it to DER and import it in that format.
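The "failed to verify CRL signature" message above corresponds to a standard X.509 check: the CRL's signature must verify under the CA certificate held in the trustpoint, and that certificate's subject must be the CRL's issuer (with the cRLSign key usage set). The Go program below is an added example, not code from this thread or from Cisco: it builds a throwaway root and intermediate CA (all names constructed), signs a CRL with the intermediate, and runs that check against both CAs, so you can see the check pass under the right CA and fail under the wrong one.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA issues a CA cert signed by parent (self-signed when parent is nil).
// The whole PKI is constructed for this example; nothing here is the poster's.
func makeCA(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is needed to sign a CRL
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// makeCRL returns a DER CRL (no revoked entries) signed by issuer, as the intermediate CA would publish.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	return der
}
// crlSignedBy is the check behind "failed to verify CRL signature": the CRL must verify under the trustpoint's CA, which must be its issuer and carry cRLSign.
func crlSignedBy(crlDER []byte, ca *x509.Certificate) bool {
	crl, err := x509.ParseRevocationList(crlDER)
	return err == nil && crl.CheckSignatureFrom(ca) == nil
}
// runChecks builds root -> intermediate -> CRL and returns (verifies under inter, verifies under root).
func runChecks() (bool, bool) {
	root, rkey := makeCA("Test-RootCA", nil, nil)
	inter, ikey := makeCA("Test-InterCA-VPN", root, rkey)
	crlDER := makeCRL(inter, ikey)
	return crlSignedBy(crlDER, inter), crlSignedBy(crlDER, root)
}

func main() { fmt.Println(runChecks()) } // true false
```

The same check on a real CRL and trustpoint certificate, both in DER, is `openssl crl -in crl.der -inform DER -CAfile inter.pem -noout`, which prints "verify OK" only when the CA file holds the CRL's actual issuer.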