3 Replies. Latest reply: Dec 10, 2012 5:50 AM by heikis

    AnyConnect VPN - Client certificate validation failure, ASA.


      I have remote VPN set up on an ASA 5505 running 9.0(1), device manager 7.0(2).

      Client authentication is set up on certificates only, smart card based.

      The ASA has had both the root CA and intermediate CA certificates installed. Client cert, intermediate cert and root cert are all in the chain.

      However, when dialing the VPN, the client gets an error in AnyConnect: Certificate Validation Failure.


      ASDM validates the intermediate CA cert, but fails at validating the client cert:

      PIC http://www.upload.ee/image/2886875/asdmlogfail.gif

      Note where the error occurs: on a successful authentication, instead of the error there would be a record of the client certificate's credentials (when not authenticating with a smart card).


      Looking at the ASA debug output, everything goes smoothly until a weird error pops up:


      CRYPTO_PKI(make trustedCerts list)

      CRYPTO_PKI: Found suitable tpCRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID =

      CRYPTO_PKI:check_key_usage:Key Usage check OK


      CRYPTO_PKI: Certificate validation: Failed, status: 1823CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1823

      CRYPTO_PKI: PKI Verify Certificate error. No trust point found.


      CRYPTO_PKI: Storage context released by thread CERT API


      CRYPTO_PKI: Certificate not validated


      CRYPTO_PKI: Invalid cert.


      Error 1823 doesn't take me anywhere on Google. CRL checking is disabled; all certs are valid. If you need to see a full log, I can give it.