Hi,
I have a problem, I think, getting correct chain verification while using a Thawte SSL123 certificate on an ASA 5520 running AnyConnect SSL VPN. I noticed, both when using the client and when using AnyConnect mobile, that a security error results, forcing the user to accept it before connecting.
Thawte issues the 123 series certs with both a first intermediate and a second intermediate cert for the entire chain. I think I may have missed one of these in my installation of the certs onto the ASA, but I'm unsure if I can just add another CA cert on that same trustpoint, or what I need to do. Specifically: help fixing the issue, and/or how to handle multiple intermediate certs for a chain-issued SSL cert on an ASA.
A copy of my show crypto ca cert output is below, names changed to protect the innocent:
CA Certificate
Status: Available
Certificate Serial Number: 7610128a17b682bb3a1f9d1a9a35c092
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=thawte Primary Root CA
ou=(c) 2006 thawte\, Inc. - For authorized use only
ou=Certification Services Division
o=thawte\, Inc.
c=US
Subject Name:
cn=Thawte DV SSL CA
ou=Domain Validated SSL
o=Thawte\, Inc.
c=US
OCSP AIA:
URL: http://ocsp.thawte.com
CRL Distribution Points:
[1] http://crl.thawte.com/ThawtePCA.crl
Validity Date:
start date: 19:00:00 EST Feb 17 2010
end date: 18:59:59 EST Feb 17 2020
Associated Trustpoints: mysite.mycompany.com.trustpoint
Certificate
Status: Available
Certificate Serial Number: 17f7b3d30f075a368aefbdbc410d291d
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=Thawte DV SSL CA
ou=Domain Validated SSL
o=Thawte\, Inc.
c=US
Subject Name:
cn=vpn-na.doosan.com
ou=Domain Validated
ou=Thawte SSL123 certificate
ou=Go to https://www.thawte.com/repository/index.html
o=vpn-na.doosan.com
OCSP AIA:
URL: http://ocsp.thawte.com
CRL Distribution Points:
[1] http://svr-dv-crl.thawte.com/ThawteDV.crl
Validity Date:
start date: 20:00:00 EDT May 14 2012
end date: 19:59:59 EDT May 14 2016
Associated Trustpoints: mysite.mycompany.com.trustpoint
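As an added diagnostic (example code written for this reply, not from the original post or from Cisco): a small parser for the show crypto ca cert text above that links each certificate's Issuer Name to another certificate's Subject Name in the same output, and reports the issuer that has no match, which is the link the ASA cannot send to clients itself. It assumes the block headers "CA Certificate" / "Certificate" and attr=value name lines exactly as quoted above, and compares DNs case-insensitively as X.500 name matching does; the sample is trimmed from the quoted output with the same names.

```python
import re

# Constructed sample: trimmed from the ASA output quoted in the post (same names).
SAMPLE = """\
CA Certificate
  Issuer Name:
    cn=thawte Primary Root CA
    o=thawte\\, Inc.
  Subject Name:
    cn=Thawte DV SSL CA
    ou=Domain Validated SSL
    o=Thawte\\, Inc.
Certificate
  Issuer Name:
    cn=Thawte DV SSL CA
    ou=Domain Validated SSL
    o=Thawte\\, Inc.
  Subject Name:
    cn=vpn-na.doosan.com
    ou=Thawte SSL123 certificate
    o=vpn-na.doosan.com
"""
HEADER = re.compile(r"^\s*(CA Certificate|Certificate)\s*$")  # starts a new cert block
RDN = re.compile(r"^\s*([A-Za-z]+)=(.*)$")                     # one attr=value name line

def parse_certs(text):
    """Return [{'kind', 'issuer', 'subject'}]; each DN is a set of lowercased (attr, value)."""
    certs, cur, field = [], None, None
    for line in text.splitlines():
        if HEADER.match(line):
            cur = {"kind": line.strip(), "issuer": set(), "subject": set()}
            certs.append(cur)
            field = None
        elif cur is not None and line.strip() in ("Issuer Name:", "Subject Name:"):
            field = line.strip().split()[0].lower()      # "issuer" or "subject"
        elif cur is not None and field and RDN.match(line):
            attr, value = RDN.match(line).groups()
            cur[field].add((attr.lower(), value.strip().lower()))
        else:
            field = None                                  # any other line ends the name block
    return certs

def unresolved_issuers(certs):
    """Certs whose issuer DN is no cert's subject DN here: a root the client must already trust, or a missing intermediate."""
    subjects = [c["subject"] for c in certs]
    return [c for c in certs if c["issuer"] not in subjects]

def cn(dn): return next((v for a, v in dn if a == "cn"), "?")

if __name__ == "__main__":
    for c in unresolved_issuers(parse_certs(SAMPLE)):
        print(f"{c['kind']} '{cn(c['subject'])}' is issued by '{cn(c['issuer'])}', not present in the trustpoint")
```

Paste the full output of the command into SAMPLE (or read it from a file) to run it against a real trustpoint; a reported issuer that is not a root in the clients' trust stores is the intermediate still to be added.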