S2S VPN using MS CA certificates not working

dpbpc1962
Level 1

Good day

I have installed a W2K3 server with a CA and created identity certificates for the two ASA 5505s. The certificates I created were using the IPSEC intermediate offline template, and I get the error

"Certificate Chain invalid or not authorized" in the logs.

I did a CLI debug of the CA and the error is the same, but it has the further error

"Enhance Key Usage = NOT acceptable". It doesn't like the IPSEC Intermediate Offline OID.

Does anyone have an up-to-date example of S2S VPN for ASA 8.4x/ASDM 6.4x using MS CA certificates? I'm using the example from the link below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

This is out of date by at least three years.

Thanks

Dana Burton

1 Reply

dpbpc1962
Level 1

Figured it out using

debug crypto ca 255

It turns out it is the OID of the MS CA certificate template being used.

The OID it needs is

IPSEC tunnel endpoint - 1.3.6.1.5.5.7.3.6

So I added this OID to the IPSEC Offline template using ADSIedit.msc on the MS CA server.

The newly added OID worked fine, the identity certificate authenticated with no errors, and the S2S came up.

Dana Burton
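As an added example (not part of the original thread), the check below shows what the ASA was looking for: the DER-encoded Extended Key Usage extension of the identity certificate must contain the IPsec tunnel endpoint OID 1.3.6.1.5.5.7.3.6. It uses only the standard library; the sample EKU values are constructed here, and the "before" template is assumed to carry only serverAuth.

```python
# Added example: minimal DER helpers to check whether a certificate's
# Extended Key Usage (EKU) value lists the IPsec tunnel endpoint OID that
# the ASA debug output required. Pure standard library, no ASN.1 package.

IPSEC_TUNNEL_ENDPOINT = "1.3.6.1.5.5.7.3.6"   # id-kp-ipsecTunnel (RFC 5280)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"             # id-kp-serverAuth, used for the sample

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06, length, body)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:   # first two arcs are merged
        chunks = [value & 0x7F]
        value >>= 7
        while value:
            chunks.append((value & 0x7F) | 0x80)        # continuation bit on all but last
            value >>= 7
        body.extend(reversed(chunks))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid_body(body):
    """DER OID content octets -> dotted string (base-128, merged first arc)."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_eku(der):
    """EKU value (SEQUENCE OF OBJECT IDENTIFIER) -> list of dotted OIDs.
    Assumes short-form lengths (< 128 bytes), which holds for any real EKU."""
    if der[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    end, pos, oids = 2 + der[1], 2, []
    while pos < end:
        tag, length = der[pos], der[pos + 1]
        if tag != 0x06:
            raise ValueError("unexpected tag 0x%02x in EKU" % tag)
        oids.append(decode_oid_body(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def eku_sequence(*dotted):
    """Build a DER EKU value from dotted OIDs (used to construct the samples)."""
    body = b"".join(encode_oid(o) for o in dotted)
    return bytes([0x30, len(body)]) + body

def has_ipsec_tunnel_endpoint(eku_der):
    return IPSEC_TUNNEL_ENDPOINT in parse_eku(eku_der)

# Constructed samples: assumed template EKU before the fix, and after adding the OID.
EKU_BEFORE = eku_sequence(SERVER_AUTH)
EKU_AFTER = eku_sequence(SERVER_AUTH, IPSEC_TUNNEL_ENDPOINT)
```

To run it against a real certificate, feed parse_eku the raw value of the 2.5.29.37 extension taken from your own ASA identity certificate.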