Here are some methods that can help you troubleshoot AnyConnect certificate authentication failures on a Cisco ASA.
I'm trying to do certificate authentication with Cisco AnyConnect on the ASA. When I try to connect, AnyConnect fails with a "Certificate Validation Failure" error, but the CLI output of "debug crypto ca 255" shows the validation succeeding:
fw-ext/pri/act# CERT_API: Successfully opened PKI session 0x0a961e13 for SSL connection type
CERT_API: Authenticate session 0x0a961e13, non-blocking cb=0x00007f48280e3240
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x0a961e13
CERT_API: Async locked for session 0x0a961e13
CRYPTO_PKI: Checking for identical certificate in the database...
CRYPTO_PKI: looking for cert in handle=0x00007f4805690d30, digest=
ff 83 96 19 8d 33 b0 43 aa b3 64 98 96 aa 78 69 | .....3.C..d...xi
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints for SSL connection type
CRYPTO_PKI: Found a suitable trustpoint asdm_trustpoint-internal-ca
CRYPTO_PKI: check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1, NOT acceptable
CRYPTO_PKI: check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI: check_key_usage: Check key usage OK
CRYPTO_PKI: Bypassing revocation check based on revocation policy configuration
CRYPTO_PKI: Certificate validated. serial number: 50A765EB000000004FA5, subject name: cn=MYUSER-EXT-PC.ENV.global
CRYPTO_PKI: certificate validated without revocation check
CERT_API: calling user callback=0x00007f48280e3240 with status=0 (success)
CERT_API: closing session 0x0a961e13 asynchronously
CERT_API: Async unlocked for session 0x0a961e13
CERT_API: process msg cmd=1, session=0x0a961e13
CERT_API: Async locked for session 0x0a961e13
CERT_API: Async unlocked for session 0x0a961e13
CERT API thread sleeps!
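Reading a `debug crypto ca` trace by hand is error-prone, and the detail that matters most in the snippet above is easy to miss: the ASA accepted the client certificate because the revocation policy let it skip the check, not because a CRL or OCSP lookup came back clean. The following is an added example, not code from the original post or from Cisco. It pulls the session, trustpoint, extended-key-usage decisions, revocation handling and final status out of the trace and flags a certificate that was accepted without a revocation check. The input is a constructed sample modelled on the snippet above, and the `debug crypto ca` message formats it matches are taken from that snippet only; other ASA releases may word them differently, so treat the patterns as an assumption to adjust against your own output.

```python
"""Summarize one client-certificate validation from Cisco ASA `debug crypto ca` output.

Added example for this page; not Cisco code. The regexes below match the message
wording seen in the page's own snippet and are an assumption for other releases.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the snippet quoted on this page. Session id,
# handle, serial and subject are illustrative, not a verbatim capture.
SAMPLE_DEBUG = """\
CERT_API: Successfully opened PKI session 0x0a961e13 for SSL connection type
CERT_API: Authenticate session 0x0a961e13, non-blocking cb=0x00007f48280e3240
CERT_API: process msg cmd=0, session=0x0a961e13
CRYPTO_PKI: Checking for identical certificate in the database...
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints for SSL connection type
CRYPTO_PKI: Found a suitable trustpoint asdm_trustpoint-internal-ca
CRYPTO_PKI: check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1, NOT acceptable
CRYPTO_PKI: check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI: check_key_usage: Check key usage OK
CRYPTO_PKI: Bypassing revocation check based on revocation policy configuration
CRYPTO_PKI: Certificate validated. serial number: 50A765EB000000004FA5, subject name: cn=MYUSER-EXT-PC.ENV.global
CRYPTO_PKI: certificate validated without revocation check
CERT_API: calling user callback=0x00007f48280e3240 with status=0 (success)
CERT_API: closing session 0x0a961e13 asynchronously
"""

_SESSION = re.compile(r"opened PKI session (0x[0-9a-fA-F]+)")
_TRUSTPOINT = re.compile(r"Found a suitable trustpoint (\S+)")
_EKU = re.compile(r"ExtendedKeyUsage OID\s*=\s*([\d.]+)(?P<rej>,\s*NOT acceptable)?", re.I)
_KU_OK = re.compile(r"Check key usage OK", re.I)
_REVOC_BYPASS = re.compile(r"Bypassing revocation check|validated without revocation check", re.I)
_VALIDATED = re.compile(r"serial number:\s*([0-9A-Fa-f]+),\s*subject name:\s*(.+?)\s*$", re.I)
_STATUS = re.compile(r"callback=\S+ with status=(\d+)")


@dataclass
class ValidationSummary:
    session: str | None = None
    trustpoint: str | None = None
    eku_rejected: list[str] = field(default_factory=list)   # EKU OIDs the ASA refused
    eku_accepted: list[str] = field(default_factory=list)   # EKU OIDs that satisfied the check
    key_usage_ok: bool = False
    revocation_bypassed: bool = False
    serial: str | None = None
    subject: str | None = None
    status: int | None = None                               # 0 is success in the trace

    def validated(self) -> bool:
        return self.status == 0

    def warnings(self) -> list[str]:
        """Things a reviewer should notice even when the trace ends in 'success'."""
        out = []
        if self.status is None:
            out.append("no final CERT_API status found; trace is truncated or from another code path")
        elif not self.validated():
            out.append(f"validation failed with status={self.status}")
        if self.validated() and self.revocation_bypassed:
            out.append("certificate accepted WITHOUT a revocation check: the trustpoint's "
                       "revocation policy allowed a bypass, so a revoked cert would also pass")
        if self.key_usage_ok and not self.eku_accepted:
            out.append("key usage reported OK but no acceptable EKU OID was logged")
        return out


def parse_debug(text: str) -> ValidationSummary:
    """Walk the trace line by line; later lines overwrite earlier single-valued fields."""
    s = ValidationSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SESSION.search(line):
            s.session = m.group(1)
        elif m := _TRUSTPOINT.search(line):
            s.trustpoint = m.group(1)
        elif m := _EKU.search(line):
            (s.eku_rejected if m.group("rej") else s.eku_accepted).append(m.group(1))
        elif _KU_OK.search(line):
            s.key_usage_ok = True
        elif _REVOC_BYPASS.search(line):
            s.revocation_bypassed = True
        elif m := _VALIDATED.search(line):
            s.serial, s.subject = m.group(1), m.group(2)
        elif m := _STATUS.search(line):
            s.status = int(m.group(1))
    return s


if __name__ == "__main__":
    summary = parse_debug(SAMPLE_DEBUG)
    print(summary)
    for w in summary.warnings():
        print("WARNING:", w)
```

Feed it the output of `debug crypto ca 255` captured from your own ASA and compare the warnings with what the client reports: an ASA-side trace that ends in `status=0` while AnyConnect still shows a validation failure points at the client's evaluation of the ASA's identity certificate, not at the client certificate the ASA just accepted.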
This article addresses a surprising root cause of the AnyConnect Certificate Validation Failure error. I was working on setting up a Cisco AnyConnect Management Tunnel, which I will cover in another article, and for some reason, when I tried to establish an AnyConnect SSL VPN from a Windows client, it failed with a Certificate Validation Failure message on the screen.
I thought there was a problem with the client certificate, or with the trustpoint configured on the ASA to authenticate AnyConnect clients. Checking the client side, everything looked fine: the user and computer certificates were installed successfully, and the issuing CA certificate was in the Trusted Root store.
From the ASA's point of view, the ASA's identity certificate also looked good, as did the trustpoint responsible for authenticating the clients. This trustpoint is configured to use OCSP for revocation checking, and the OCSP responder is a Windows server. I also checked the OCSP configuration on the Windows server, and everything there looked fine and was working.
I enabled debug crypto ca 7 on the ASA and tried to establish the VPN tunnel again, which produced debug errors. Here is a snippet of the debug output:
OCSP implementation differences
The Microsoft OCSP implementation conforms to RFC 5019, Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments, which is a simplified profile of RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.
The ASA uses RFC 2560 for OCSP. One difference between the two RFCs is that RFC 5019 does not accept the signed requests that the ASA sends.
One option is to force the Microsoft OCSP service to accept these signed requests and return a properly signed response.
So the Windows server and the ASA are using two different RFCs, even though both are OCSP. There are two fixes that resolve this issue. One is on the OCSP responder configuration on the Windows server, and the other is on the ASA trustpoint configured to authenticate AnyConnect clients. However, Cisco does not recommend the ASA-side fix.