Problems with Local CA Server on ASA 5510

Dirk Feldhaus
Level 1

Hello,

I have a problem with the Local CA Server on an ASA5510, 8.2(1)11.

The Local CA Server creates user certificates that are used for client VPN authentication.

Now the expiry date for the root CA is coming up and the rollover certificate has been created automatically.

New user enrollment and user authentication is working.

The CA certificate is configured with a lifetime of 1 day for testing.

But after a reboot the Local CA Server fails to start. Here are the messages:

Before the reboot:

ASA54510# sh cryp ca server

Certificate Server LOCAL-CA-SERVER:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shutdown" to unlock it)
    Issuer name: CN=ASA54510
    CA certificate fingerprint/thumbprint: (MD5)
        3b392567 17eeeb6f 5913145c 3da29098
    CA certificate fingerprint/thumbprint: (SHA1)
        96173fa7 514811bb dd12ff41 b393ca84 929390bd
    Last certificate issued serial number: 0x3
    CA certificate expiration timer: 21:15:36 CEST Nov 20 2011
    CRL NextUpdate timer: 15:14:37 CEST Nov 20 2011
    Current primary storage dir: flash:/LOCAL-CA-SERVER/

    Rollover status: available for rollover
    Rollover CA certificate fingerprint/thumbprint: (MD5)
        d8a91164 c36d57ff de74a2ba 01c35cf6
    Rollover CA certificate fingerprint/thumbprint: (SHA1)
        e0c1f49b c27437e5 e6e1c01e 49d5dc20 7fa5dbf2
    Rollover CA certificate expiration time: 21:15:36 CEST Nov 21 2011
    Auto-Rollover configured, overlap period 30 days
ASA54510#

After the reboot (time of boot is 11:01:00 Nov 20 2011, so before the expiration of the CA certificate):

ASA54510# sh crypto ca server

Certificate Server LOCAL-CA-SERVER:
    Status: disabled, Failed to validate selfsigned CA certificate
    State: initial
    Server's configuration is unlocked  (enter "no shutdown" to lock it)
    Issuer name: CN=ASA54510
    CA certificate fingerprint/thumbprint: (MD5)
        d8a91164 c36d57ff de74a2ba 01c35cf6
    CA certificate fingerprint/thumbprint: (SHA1)
        e0c1f49b c27437e5 e6e1c01e 49d5dc20 7fa5dbf2

    Last certificate issued serial number: 0x0
    CA certificate expiration timer: 01:00:00 CEST Jan 1 1970
    CRL not present.
    Current primary storage dir: flash:/LOCAL-CA-SERVER/

    Auto-Rollover configured, overlap period 30 days
ASA54510#

User enrollment is not working anymore, user authentication is still working.

The CA certificate fingerprints in the second output match the rollover certificate's fingerprints from the first output, but the expiration time does not match.

I hope somebody can explain how this is happening and what to do to avoid that.

Thanks

Dirk

1 Reply

I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.

This is what happens: the rollover gets created and replaces the original one (which remains in memory, not in flash). But the new one is valid from the expiry of the old one - in my case TOMORROW - and after a power outage the day before yesterday (the most definitive way to get a reboot!) I only have the new, NOT YET VALID certificate.

OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.

So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to Unix time zero (01:00:00 CEST Jan 1 1970), which I take to mean "not valid yet".)

I only have a few days of trouble - and just one to go after finally working it out - but it could have been up to 30 days if I had rebooted for any reason after the roll-over certificate got created.

Cheers

Bernhard
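As an added example (not code from either poster, nor from Cisco), a stdlib-only Python check of the "Valid From" problem Bernhard describes: it builds a constructed X.509 certificate whose notBefore equals the old CA's notAfter (dummy key and signature, clock values from the thread taken as UTC), parses the validity field back out of the DER, and classifies it against the boot time from the first post, where the result is "not yet valid".

```python
from datetime import datetime
# DER helpers to construct a minimal X.509 certificate for this example
# (dummy key and signature: only the validity field is exercised here).
def tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])  # short / one-byte long form (body < 256)
    return bytes([tag]) + length + body

def build_sample_cert(cn, not_before, not_after):
    utc = lambda dt: tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0c, cn.encode()))))  # CN=
    validity = tlv(0x30, utc(not_before) + utc(not_after))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" * 9))  # placeholder key bits
    tbs = tlv(0x30, tlv(0xa0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))  # placeholder signature

# Parser: walk the TLVs down to TBSCertificate.validity (works on any DER cert).
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def cert_validity(der):
    _, cert, _ = read_tlv(der, 0)  # Certificate
    _, tbs, _ = read_tlv(cert, 0)  # TBSCertificate
    fields = children(tbs)
    validity = fields[4] if fields[0][0] == 0xa0 else fields[3]  # skip optional [0] version
    return tuple(datetime.strptime(v.decode(), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
                 for t, v in children(validity[1]))  # UTCTime / GeneralizedTime

def validity_status(der, now):
    not_before, not_after = cert_validity(der)
    return "not yet valid" if now < not_before else "expired" if now > not_after else "valid"

# Timeline from the thread (constructed, clock values taken as UTC): the rollover
# certificate starts exactly when the old one ends; the box reboots earlier that day.
OLD_EXPIRY = datetime(2011, 11, 20, 21, 15, 36)
BOOT_TIME = datetime(2011, 11, 20, 11, 1, 0)
OLD_CERT = build_sample_cert("ASA54510", datetime(2011, 11, 19, 21, 15, 36), OLD_EXPIRY)
ROLLOVER_CERT = build_sample_cert("ASA54510", OLD_EXPIRY, datetime(2011, 11, 21, 21, 15, 36))
```

The same `cert_validity()` walk applies to a real DER export of the CA certificate, which is how you would confirm whether a rollover certificate on a device is already within its validity window before scheduling a reload.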