09-05-2013 03:05 AM
I'm setting up webvpn with certificate based authentication.
The authentication works fine when the internal ASA CA server is used as a trustpoint.
However, when adding an external CA cert as a trustpoint and using the corresponding client certs for authentication, it fails with the following debug message (full debug log attached):
CRYPTO_PKI: Found a suitable authenticated trustpoint ASA Self_Root.
CRYPTO_PKI(make trustedCerts list)
CERT-C: I pkixpath.c(1147) : Error #72eh
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Failed, status: 1838. Attempting to retrieve revocation status if necessary
CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1838
CRYPTO_PKI: PKI Verify Certificate error. No trust point found.
revocation-check none and ignore-ssl-keyusage are set to make sure those are not causing further problems during debugging.
Can someone help determine the reason for the cert not being accepted?
Thanks,
02-03-2014 02:24 AM
Zoltan,
I have this exact same problem. Did you ever find a resolution?
-Adrian Wilson
02-16-2014 08:48 PM
For the benefit of anyone finding this, in my case this problem was resolved by reimporting my internal CA's Cert into the ASA.
I suspect I had inadvertently imported an expired CA cert into the ASA, and this rather uninformative error 1838 is trying to tell you this.
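
An offline check along the lines of the resolution above, run with the openssl CLI before a CA certificate is imported as a trustpoint: it confirms the CA certificate is inside its validity period and that a client certificate actually chains to it. This is an added example, not part of the original thread; the function names and file names are hypothetical, and the demo CA and client certificate are constructed throwaway test data.

```shell
# ca_valid_for CA_PEM SECONDS -> 0 if the CA cert is still valid SECONDS from now.
# An already expired certificate fails even with SECONDS=0.
ca_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# client_chains_to CA_PEM CLIENT_PEM -> 0 if the client cert verifies against the CA.
client_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preimport_check CA_PEM CLIENT_PEM [SECONDS] -> prints a verdict.
# Returns 0 only if every check passes, 2 if the CA file is unreadable, 1 otherwise.
preimport_check() {
    local ca="$1" client="$2" horizon="${3:-0}"
    if ! openssl x509 -in "$ca" -noout >/dev/null 2>&1; then
        echo "FAIL: $ca is not a readable PEM certificate"; return 2
    fi
    echo "CA subject : $(openssl x509 -in "$ca" -noout -subject)"
    echo "CA validity: $(openssl x509 -in "$ca" -noout -startdate -enddate | tr '\n' ' ')"
    if ! ca_valid_for "$ca" "$horizon"; then
        echo "FAIL: CA certificate is expired or expires within ${horizon}s"; return 1
    fi
    if ! client_chains_to "$ca" "$client"; then
        echo "FAIL: client certificate does not verify against this CA"; return 1
    fi
    echo "OK: CA is within its validity period and the client cert chains to it"
}

# make_demo_pki DIR -> constructed throwaway CA and client cert, each valid for 1 day.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
}
```

Passing a third argument such as 2592000 (30 days) to preimport_check also flags a CA certificate that is still valid today but close to expiry.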