Problem with certificate based authentication using external CA

zoltan.banai
Level 1

I'm setting up webvpn with certificate based authentication.

The authentication works fine when the internal ASA CA server is used as a trustpoint.

However, when adding an external CA cert as a trustpoint and using the corresponding client certs for authentication, it fails with the following debug message (full debug log attached):

CRYPTO_PKI: Found a suitable authenticated trustpoint ASA Self_Root.

CRYPTO_PKI(make trustedCerts list)

CERT-C: I pkixpath.c(1147) : Error #72eh

CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2

CRYPTO_PKI:check_key_usage:Key Usage check OK

CRYPTO_PKI: Certificate validation: Failed, status: 1838. Attempting to retrieve revocation status if necessary

CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1838

CRYPTO_PKI: PKI Verify Certificate error. No trust point found.

revocation-check none and ignore-ssl-keyusage are set to make sure those are not causing further problems during debugging.

Can someone help determine the reason for the cert not being accepted?

Thanks,

2 Replies

Impellent
Level 1

Zoltan,

I have this exact same problem. Did you ever find a resolution?

-Adrian Wilson

For the benefit of anyone finding this, in my case this problem was resolved by reimporting my internal CA's Cert into the ASA.

I suspect I had inadvertently imported an expired CA Cert into the ASA and this rather uninformative error 1838 is trying to tell you this.
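
A pre-import check for the situation described in the last reply (an expired CA certificate loaded into a trustpoint), as an added example that is not from the thread or from Cisco. It assumes OpenSSL on an admin workstation and PEM-encoded files; the function names and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and exit codes are
# hypothetical choices made for this illustration.

# check_ca_for_import CA_PEM CLIENT_PEM [MIN_SECONDS]
#   0 = CA is within its validity period and the client cert validates against it
#   1 = a file is missing or is not a PEM certificate
#   2 = CA is expired, or expires within MIN_SECONDS (default 0 = expired now)
#   3 = client certificate does not validate against this CA
check_ca_for_import() {
    ca=$1; client=$2; margin=${3:-0}
    openssl x509 -in "$ca" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$client" -noout >/dev/null 2>&1 || return 1

    # Show what is about to be imported so the dates and fingerprint can be
    # compared by eye with what the device reports afterwards.
    openssl x509 -in "$ca" -noout -subject -startdate -enddate -fingerprint -sha256

    # -checkend exits non-zero when the certificate expires within $margin seconds.
    openssl x509 -in "$ca" -noout -checkend "$margin" >/dev/null || return 2

    # Validate the client certificate against this CA file.
    openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1 || return 3
    return 0
}

# make_demo_pki DIR: constructed throwaway CA and client certificate, only
# for trying the check out. Short lifetimes are deliberate.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
}
```

Running `check_ca_for_import ca.pem client.pem 2592000` also flags a CA that is still valid today but expires within 30 days.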