How To Handle Debug Like Certificate Authentication?

Here are some easy-to-follow methods that can help you fix debug authentication as a certificate issue.

Recommended: ASR Pro

  • Step 1: Download and install ASR Pro
  • Step 2: Launch the program and select the system you want to scan
  • Step 3: Click on the Scan button and wait for the process to finish
  • Speed up your computer today by downloading the software here.

    I’m trying to generate certificates using the ciscoanywhere ASA and . When I try to connect, CiscoAnywhere aborts with a “Certificate Verification Failed” error, but the CLI output still shows “debug crypto ca 255″ works fine for me.

    fw-ext/pri/act# CERT_API: Successfully opened PKI session 0x0a961e13 running with SSL typeCERT_API: Encounter 0x0a961e13, authentication, non-blocking cb=0x00007f48280e3240CERT API thread is waking up!CERT_API: msg cmd=0, session= 0x0a961e13CERT_API: asynchronous lock for session 0x0a961e13

    CRYPTO_PKI: Checking for an identical certificate
    in my database…

    CRYPTO_PKI: conformance certificate in handle=0x00007f4805690d30, digest=
    ff eighty-three 96 19 8d 33 b0 forty-three aa b3 64 98 96 double a 78 69 | …..3.C..d…xi

    CRYPTO_PKI: Certificate not found in database.CRYPTO_PKI: Search for suitable trust points for SSL connection type CRYPTO_PKI: matched tp: Face=”courier asdm_trustpoint-internal-caCRYPTO_PKI: contextMemory Locked by Stream Certification API . “courier CRYPTO_PKI found: check_key_usage:ExtendedKeyUsage OID=, NOT AcceptableFace=”Kurier CRYPTO_PKI:check_key_usage: ExtendedKeyUsageOID= key usage OK

    debug asa certificate authentication

    CRYPTO_PKI: Avoid revocation checks based on hedging plan configurationCRYPTO_PKI: Certificate face=”courier validated. Serial number: 50A765EB000000004FA5, Name: Object

    CRYPTO_PKI: certificate validated without revocation checkCERT_API: calling user callback=0x00007f48280e3240 with status=0(success) CERT_API: close session 0x0a961e13 asynchronouslyCERT_API: enabled for workbench 0x0a961e13CERT_API: process message cmd=1 , session=0x0a961e13CERT_API: locked for activity 0x0a961e13CERT_API: unlocked for activity session 0x0a961e13 CERT API carefully sleeping!

    In this articleThis does not address the surprising root cause of getting the AnyConnect certificate validation error. I was dealing with setting up a Cisco AnyConnect Management Tunnel, which I will cover in a link to another article, and for some reason, when I tried to create an AnyConnect SSL VPN from a Windows client, it failed, with a Certificate Validation Error message hanging on the screen. .

    I thought there was a problem with the client certificate, otherwise the trust point on some configured ASAs might authenticate to authorize them to AnyConnect clients. When checking on the client side, everything looked fine, the user and computer certificates were also successfully permanently installed, and the main publisher CA certificate was in the genuine store.

    Also, from the ASA’s point of view, the ASA’s identity certificate looked incredibly good, as did the trust layer responsible for authenticating all clients. This trust point is released by OCSP configured for revocation checking. OCSP is a Windows device. I also checked the OCSP setting on the windows server and most of them looked and worked finealo.

    debug asa certificate authentication

    I enabled Debug Crypto ca 7 on the ASA and tried to permanently repair the VPN tunnel, which found debug errors. Here is a snippet of the debug output:

    Recommended: ASR Pro

    ASR Pro is a revolutionary piece of software that helps you fix a variety of Windows problems with just the click of a button. It's easy to use, and it can help you get your computer back up and running in no time. So don't suffer from Windows problems any longer - ASR Pro can help!

  • Step 1: Download and install ASR Pro
  • Step 2: Launch the program and select the system you want to scan
  • Step 3: Click on the Scan button and wait for the process to finish

  • PKI[7]: pending pause status for drives 0x14981ed1 and 0, cert_idx rev_status 6PKI[7]: Chain lock status: Good: 0, Issued: 7, Cached: 0, Withdrawn: 0, Error: 8, Pending: 1PKI[7]: session lock history evaluation, 1 certificate to verifyPKI[7]: start OCSP FSM #0CRYPTO_PKI: Attempt to find OCSP replacement for peer certificate: handle Serial number: , subject name: CN=test1,CN=Users,DC=mylab,DC=local, subject sender name: CN=WIN-2K12-01 -CA ,DC=mylab,DC=local.CRYPTO_PKI: OCSP replacement not found.PKI[4]: No AIA for OCSP revocation check, certificate entry 0PKI[7]: OCSP revocation list aia created for certificate index 0 with 6 AIA, error FALSEPKI[4]: more AIAs to testPKI[7]: queued revocation popularity for session 0x14981ed1 and cert_idx 5, rev_status 6PKI[7]: Chain lock status: Strong: 0, Issued: 0, Cached: 0, Stopped: 0, Error: 0, Pending: 1PKI[7]: session lock state evaluation, 1 certificate that can be verified.PKI[7]: Chain lock status: Good: 6, Issued: 0, Cached: 0, Withdrawn: 1, Error: 1, Pending: 0PKI[7]: session: 0x14981ed1, multiple revocation completedPKI[5]: session: 0x14981ed1, credential revocation check output 0PKI[5]: session 0x14981ed1 encountered revocation check errors or revoked certificates

    OCSP service announcements

    The Microsoft OCSP implementation is certified to RFC 5019 Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments, Simplified RFC 2560 X.509 Reute Internet Public Key Infrastructure Online Certificate Protocol – OCSP.

    The ASA RFC uses 2560 for OCSP. One difference between the two RFCs is that RFC a 5019 does not accept signed jobs submitted by the ASA.

    Possibly – force the Microsoft OCSP service to accept these signed requests and publish them with a properly signed response.

    So you’re clearly saying that Windows servers use the ASA and use two different RFCs, even though it’s OCSP. They apply one of two fixes to positively resolve this issue. One is related to the configuration of the OCSP responder, typically on a Windows server, and the other is related to the dov Accept ASA points compiled to authenticate AnyConnect clients. However, Cisco does not recommend this fix for the ASA.

    Option 1: Fix On A Windows OCSP Server

    Go To Online Management Tools > Responder Management > Revocation Configuration And Check The Box Next To To Help Enable Support For The NONCE Extension.

    Speed up your computer today by downloading the software here.