I have remote VPN set up on ASA 5505 9.0(1), device manager 7.0.(2).
Client authentication is set up on certificates only, smart card based.
Both the root CA and intermediate CA certificates have been installed on the ASA. Client cert, intermediate cert and root cert are all in the chain.
However, when dialing the VPN, a client gets an error in AnyConnect: Certificate Validation Failure.
ASDM validates the intermediate CA cert, but fails at validating the client cert:
Note where the error occurs: on a successful authentication, instead of the error there would be a record of the client certificate's credentials (when not authenticating with a smart card).
Looking at the ASA debugging, everything goes smoothly until a weird error pops up:
CRYPTO_PKI(make trustedCerts list)
CRYPTO_PKI: Found suitable tp
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 220.127.116.11.18.104.22.168.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Failed, status: 1823
CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1823
CRYPTO_PKI: PKI Verify Certificate error. No trust point found.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Invalid cert.
Error 1823 doesn't take me anywhere on Google. CRL checking is disabled and all certs are valid. If you need to see the full log, I can provide it.
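To confirm outside the ASA that a client certificate really chains to the installed root through the intermediate and carries the Client Authentication EKU, here is an added openssl check (example code, not from the original post or from Cisco). It builds a constructed three-tier chain so it runs offline; the file names, subjects and the verify_client helper are assumptions, and with a real smart-card cert you would point it at the exported client, intermediate and root PEM files instead.

```shell
#!/bin/sh
# Added example, not from the original post: build a constructed three-tier
# chain (root CA -> intermediate CA -> client cert with the clientAuth EKU)
# and verify the client cert the way a VPN headend has to: trust only the
# root, supply the intermediate as an untrusted chain link, and require the
# Client Authentication EKU. All file and subject names are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
  # Root CA: self-signed
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Constructed Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext 2>/dev/null
  # Intermediate CA: issued by the root
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Constructed Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -out inter.pem -days 30 -extfile ca.ext 2>/dev/null
  # Client certificate: issued by the intermediate, as a smart-card cert would be
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=vpnuser" 2>/dev/null
  openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out client.pem -days 30 -extfile client.ext 2>/dev/null
}

# verify_client CLIENT TRUSTED_ROOT INTERMEDIATE
# Prints "ok" when CLIENT chains up to TRUSTED_ROOT via INTERMEDIATE and
# carries the clientAuth EKU; otherwise prints the reason and returns 1.
verify_client() {
  if ! openssl verify -purpose sslclient -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; then
    echo "chain does not end at a trusted root (or purpose check failed)"
    return 1
  fi
  if ! openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "TLS Web Client Authentication"; then
    echo "clientAuth EKU missing"
    return 1
  fi
  echo ok
}

make_chain
# Full chain with the root trusted: expected "ok"
verify_client client.pem root.pem inter.pem
# Only the intermediate is trusted and the root is absent: no trust anchor,
# so verification must fail even though every certificate is individually valid
verify_client client.pem inter.pem inter.pem || true
```

The second call shows that a complete, valid chain still fails when the trust store lacks the self-signed root the chain terminates in, which is worth ruling out before looking at revocation settings.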