Issue with Thawte SSL123 Certificate intermediate chain

kpruett
Level 1

Hi,

I have a problem, I think, with getting correct chain verification while using a Thawte SSL123 certificate on an ASA 5520 running AnyConnect SSL VPN. I noticed that both when using the client and when using AnyConnect mobile, a security error results, forcing the user to accept before connecting.

Thawte issues the 123-series certs with both a first and a second intermediate cert for the entire chain. I think I may have missed one of these in my installation of the certs onto the ASA, but I'm unsure if I can just add another CA cert on that same trustpoint, or what I need to do. Specifically: help fixing the issue, and/or how to handle multiple intermediate certs for a chain-issued SSL cert on an ASA.

A copy of my show crypto ca cert is below, names changed to protect the innocent:

CA Certificate
  Status: Available
  Certificate Serial Number: 7610128a17b682bb3a1f9d1a9a35c092
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Subject Name:
    cn=Thawte DV SSL CA
    ou=Domain Validated SSL
    o=Thawte\, Inc.
    c=US
  OCSP AIA:
    URL: http://ocsp.thawte.com
  CRL Distribution Points:
    [1]  http://crl.thawte.com/ThawtePCA.crl
  Validity Date:
    start date: 19:00:00 EST Feb 17 2010
    end   date: 18:59:59 EST Feb 17 2020
  Associated Trustpoints: mysite.mycompany.com.trustpoint

Certificate
  Status: Available
  Certificate Serial Number: 17f7b3d30f075a368aefbdbc410d291d
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=Thawte DV SSL CA
    ou=Domain Validated SSL
    o=Thawte\, Inc.
    c=US
  Subject Name:
    cn=vpn-na.doosan.com
    ou=Domain Validated
    ou=Thawte SSL123 certificate
    ou=Go to https://www.thawte.com/repository/index.html
    o=vpn-na.doosan.com
  OCSP AIA:
    URL: http://ocsp.thawte.com
  CRL Distribution Points:
    [1]  http://svr-dv-crl.thawte.com/ThawteDV.crl
  Validity Date:
    start date: 20:00:00 EDT May 14 2012
    end   date: 19:59:59 EDT May 14 2016
  Associated Trustpoints: mysite.mycompany.com.trustpoint

7 Replies

Andrew Phirsov
Level 7

but I'm unsure if I can just add another CA cert on that same trustpoint, or what I need to do. Specifically, help for fixing the issue, and/or how to handle multiple intermediate certs for a chain issued ssl cert on an ASA.

What I usually do, and it works fine with the ASA, is authenticate the trustpoint with the certificate of the last CA in the chain, i.e. the certificate of the CA which directly issued the client certificate. As it turned out, the ASA doesn't check the whole certificate chain.
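As an added illustration of the failure mode in this thread (this is not code from the original post, from Cisco or from Thawte): the script below builds a constructed root -> intermediate -> leaf chain with openssl, then verifies the leaf once with the intermediate available and once with only the root trusted. The second case is what a client sees when the server (here, the ASA) sends the leaf without its intermediate. All names and the temporary directory are hypothetical.

```shell
#!/bin/sh
# Constructed demo chain: Demo Root CA -> Demo Intermediate CA -> vpn.example.test
# (hypothetical names, not the Thawte certificates shown in the thread).
set -e
WORK=$(mktemp -d)

make_chain() {
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.crt" -subj "/CN=Demo Root CA" -days 365 >/dev/null 2>&1
  # Intermediate CA, signed by the root and marked CA:TRUE
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/inter.crt" -days 365 -extfile "$WORK/inter.ext" >/dev/null 2>&1
  # Server (leaf) certificate, signed by the intermediate only
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=vpn.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -out "$WORK/leaf.crt" -days 365 >/dev/null 2>&1
}

# verify_leaf ROOT [INTERMEDIATE]
# Returns 0 when the leaf chains to ROOT. Omitting INTERMEDIATE mimics a
# client that trusts the root but was never sent the intermediate.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

# Stand-alone run: complete chain verifies, leaf-only does not.
make_chain
verify_leaf root.crt inter.crt && echo "with intermediate: OK"
verify_leaf root.crt || echo "without intermediate: unable to get local issuer certificate"
```

Running `openssl s_client -showcerts -connect host:443` against the VPN endpoint shows which certificates the ASA actually sends; if the intermediate is absent from that output, clients that do not already cache it will hit the same error as the second case.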