cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1384
Views
0
Helpful
0
Replies

Cisco VPN Client Certificate Importing as RA/Intermediate Certificate

Jonathan Holt
Level 1
Level 1

Hi Guys

Wondering if anyone has come across this issue before. We have had to move an MS CA (Enterprise Root, Windows Server 2008) to a different server, but have kept the same root certificate and CA name. 

We have a Cisco Easy VPN terminating on an ASA 5510 using client certificates and LDAP credentials to authenticate users. All users with existing, valid certificates work fine, and can access the VPN.

However, when we generate a new client certificate, the Cisco Easy VPN Client imports its the "RA" store rather than the "Cisco" store, which means I cannot use it for the VPN. Furthermore, if I put the certificate inside of the Personal store on my user account, it shows up in the Cisco client but does not pass authentication and fails.

On the other hand, the CA certificate is imported into the client without any hassles.

I am convinced that this is to do with the Microsoft CA and the way that it is issuing certificates - Has anyone seen this before, and if so, what did you do to resolve it? Has anyone created their own MS certificate templates for Ciscos VPN Client, or does the certificate have to meet a certain criteria before it gets imported into the correct store - ie. how does the VPN client know which store to put it in?

In the logs on the client, you can see:

74     19:42:36.270  05/13/14  Sev=Info/4 CERT/0x63600002
Importing Certificate(s) from a Base64 encoded X.509 file.
75     19:42:36.290  05/13/14  Sev=Info/4 CERT/0x63600004
Importing certificate with name XXXX, and serial num YYYY, to the Intermediate CA / RA store.
 

Any contributions much appreciated.

Many Thanks

Jonathan

0 Replies 0