Cisco ASA Certificate validation failure

Orcenel
Level 1

Hello,

 

We're currently switching our old VPNs that are using AAA local authentication to a certificate one.

 

First, the project was supposed to use the local CA server from the ASA; so far no problem, I could log in using the user database with a certificate. Except that we decided to use a newly made PKI to manage the certificates instead.

 

So I disabled the local CA server and added both the Root CA and intermediate CA in the CA certificate tab.

(Note that we are using an identity certificate issued from a company)

 

Once both .crt files had been added to the CA tab, I added the user's one to the Windows workstation (for testing purposes).

 

Here is my config for the AnyConnect client:

 

Connection profile:

- certificate only

 

Client profile:

- certificate store machine

- certificate store override

- unchecked "disable automatic certificate selection"

 

Group policies:

nothing that I could find relevant to VPNs

 

User cert is in Current User / Personal / Certificates

 

Here is the log that I have.

From ASDM:

6 Apr 01 2021 14:54:42 Device selects trust-point ASDM_TrustPoint4 for client WAN:x.x.x.x/x to x.x.x.x/443

7 Apr 01 2021 14:54:42 No certificates received during the handshake with client WAN:x.x.x.x/x to x.x.x.x/443 for DTLSv1 session

 

And the AnyConnect one:

15:16:20 No valid certificates available for authentication

 

I suppose AnyConnect can't get the user certificate, leading to an error, but the certificate is in the same location as when I was using the local CA server.

So it's either the CA server crt or the user crt, or both, I guess.

 

Thanks for helping.

7 Replies

@Orcenel 

Have you enabled the new trustpoint on the interface? E.g.

ssl trust-point Trustpoint OUTSIDE 

 

The WAN interface is already used by the company-issued certificate so I can't enable

Also I'm having an error

 

ERROR: Trustpoint not enrolled. Please enroll trustpoint and try again.
ERROR: Trust-point is not enrolled.

 

All 3 certificates are imported: the CA root, the CA intermediate and the identity. The WAN is set on trustpoint_1, which has the identity cert.

And I can't use any other trust point, which I think asks me to enroll them.

 

They gave me the root and inter as .crt; do we need to re-generate them as .p12 and import them in the identity tab?

@Orcenel Was a certificate signing request for the identity certificate initially generated on the ASA?

The CSR was generated by our PKI and then submitted to Gandi; once we had the signed one we imported the .p12 as our current identity certificate. So it wasn't generated through our ASA.

 

Now the two CAs were generated from the same PKI as the identity one.

@Orcenel OK, does the identity certificate you imported include the private key?

Hm...

 

I imported it as a .crt file and I just filled in the passphrase.

ASA only requires the PEM text or the .crt file if I remember correctly, so I didn't import the private key.

Orcenel
Level 1

Alright quick update.

 

I somehow managed to make the ASA contact the CRL, though I'm having a different error which I suspect is in the CRL now.

 

 

BatG-FW3# crypto_pki_req(0x00002aaaca324c10, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: ASDM_TrustPoint2.
  Retrying with next CRL DP...
crypto_pki_req(0x00002aaaca324c10, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened

CRYPTO_PKI: Found suitable tp: ASDM_TrustPoint2
CRYPTO_PKI: Found suitable tp: ASDM_TrustPoint2
CRYPTO_PKI: Failed to create name objects to compare DNs. status = 1795
CRYPTO_PKI(select cert) subject = ou=Revenue Collection Systems,o=Thales,c=FR,st=IDF,cn=RCS-InterCA-VPN
CRYPTO_PKI: status = 1872: failed to verify CRL signature
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: ASDM_TrustPoint2.
  Retrying with next CRL DP...

I read in different threads that it's because I imported the inter-CA as a PEM file using OpenSSL, and instead I should convert it to DER and import it in that format.
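The three checks this thread circles around (does the user certificate chain to the imported CAs, does the CRL signature verify against the CA that issued it, and does the identity certificate actually have its private key) can be reproduced offline. The following is an added example, not code from the thread or from Cisco: it builds a constructed root / intermediate / user-cert PKI with Go's standard `crypto/x509`, issues a CRL from the intermediate, and then runs the same verifications a VPN headend performs. The CA names, serials and the revoked serial are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed three-tier PKI (root -> intermediate -> user cert)
// plus a DER CRL signed by the intermediate. It is not the thread's real PKI.
type testPKI struct {
	Root, Inter, Leaf *x509.Certificate
	InterKey, LeafKey *ecdsa.PrivateKey
	CRL               []byte
}

// issue signs tmpl with parent/parentKey; a nil parent yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate builds a CA template; KeyUsageCRLSign is what allows a verifier
// to accept CRLs signed by this CA at all.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildPKI() (*testPKI, error) {
	root, rootKey, err := issue(caTemplate("Example Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Example Intermediate CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "vpn-user"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf, leafKey, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	// CRL issued by the intermediate, revoking an unrelated (constructed) serial 99.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour),
		NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(99), RevocationTime: time.Now().Add(-time.Minute)},
		},
	}
	crl, err := x509.CreateRevocationList(rand.Reader, crlTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{Root: root, Inter: inter, Leaf: leaf, InterKey: interKey, LeafKey: leafKey, CRL: crl}, nil
}

// verifyChain validates the user cert through the intermediate to the root,
// requiring the client-auth EKU as a VPN headend would.
func verifyChain(p *testPKI) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Inter)
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// verifyCRL parses a DER CRL and checks its signature against the given CA.
// Checking it against any CA other than its real issuer fails, which is the
// condition the ASA reports as "failed to verify CRL signature".
func verifyCRL(crlDER []byte, issuer *x509.Certificate) error {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	return rl.CheckSignatureFrom(issuer)
}

// keyMatches reports whether a private key belongs to a certificate. An identity
// certificate imported without its key can never satisfy this check.
func keyMatches(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain to root:", verifyChain(p))
	fmt.Println("CRL vs intermediate:", verifyCRL(p.CRL, p.Inter))
	fmt.Println("CRL vs root:", verifyCRL(p.CRL, p.Root))
	fmt.Println("leaf key matches leaf cert:", keyMatches(p.Leaf, p.LeafKey))
	fmt.Println("intermediate key matches leaf cert:", keyMatches(p.Leaf, p.InterKey))
}
```

The CRL check against the root is deliberately the negative case: the same CRL bytes that verify cleanly against the intermediate fail against the root, so a "failed to verify CRL signature" result points at a mismatch between the CRL's issuer and the CA certificate the device is holding in that trustpoint, not at the encoding of the CRL itself. The last check models the identity-certificate discussion above: a certificate object alone, however it was imported, cannot be matched to a key the device never received.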