Cisco Bug: CSCuj04699 - ASA WebVPN: Java Signer Certificate chain is incomplete with >3 CA Certs

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.2(5.41) 9.1(6)

Description (partial)

Symptom:
When an SSLVPN client accesses the Java plugins, the ASA signs the plugin with the Java Signer Certificate, but the certificate chain sent by the ASA does not include the entire chain. Per the standards, the ASA should send at least Intermediate CA-1 + Intermediate CA-2 + Java Signer Certificate.

Instead we see the following chain:
Intermediate CA-2 + Java Signer Certificate

On PCs that have only the Root-CA certificate installed in the Java Signer Store or the OS certificate store, Java flags the publisher as UNKNOWN.

Conditions:
The ASA is acting as an SSLVPN server with a Java Trust-point configured to sign the Java plugins with a valid third-party signer certificate, and the Java signer certificate is issued by an intermediate CA that has two or more issuers in the hierarchy. In other words, we have:
Root -- Intermediate CA-1 -- Intermediate CA-2 -- Java Signer Certificate
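
The effect of the missing Intermediate CA-1 can be reproduced in a lab, as an added example that is not part of the Cisco bug record: the script builds a constructed Root -> CA-1 -> CA-2 -> signer hierarchy and validates the signer against a trust store that holds only the root. OpenSSL's path validation stands in for the Java client here, and every name, file name and key is an assumption generated locally.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: Root -> Intermediate CA-1 -> Intermediate CA-2 -> Java signer.
# Every name, key and certificate here is generated locally for the demonstration.
PKI=$(mktemp -d)

cat > "$PKI/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF

# issue NAME CN ISSUER SECTION: create a key and a certificate signed by ISSUER.
issue() {
  openssl req -new -config "$PKI/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$PKI/$1.key" -subj "/CN=$2" -out "$PKI/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$3.pem" -CAkey "$PKI/$3.key" \
    -CAcreateserial -days 30 -extfile "$PKI/pki.cnf" -extensions "$4" \
    -out "$PKI/$1.pem" 2>/dev/null
}

build_lab_pki() {
  openssl req -x509 -new -config "$PKI/pki.cnf" -extensions ca -newkey rsa:2048 \
    -nodes -keyout "$PKI/root.key" -subj "/CN=Lab Root CA" -days 30 \
    -out "$PKI/root.pem" 2>/dev/null &&
  issue ca1 "Lab Intermediate CA-1" root ca &&
  issue ca2 "Lab Intermediate CA-2" ca1 ca &&
  issue signer "Lab Java Signer" ca2 leaf
}

# chain_verifies FILE...: succeed only if the signer validates against a trust
# store holding just the root, with FILE... as the intermediates that were sent.
chain_verifies() {
  cat "$@" > "$PKI/sent.pem"
  openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/sent.pem" \
    "$PKI/signer.pem" 2>&1 | grep -q ': OK$'
}

build_lab_pki || { echo "openssl could not build the lab PKI" >&2; exit 1; }
chain_verifies "$PKI/ca2.pem" && echo "CA-2 + signer (as in this bug): trusted" \
  || echo "CA-2 + signer (as in this bug): publisher cannot be verified"
chain_verifies "$PKI/ca1.pem" "$PKI/ca2.pem" && echo "CA-1 + CA-2 + signer: trusted" \
  || echo "CA-1 + CA-2 + signer: publisher cannot be verified"
```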

Related Community Discussions

CSCuj04699 - ASA fails to present long certificate chain for java applets
Hi all, Am I seeing this correctly that still no certificate that has an intermediate CA in their certification chain will work. Not even if we go to the latest software? C'mon guys, for a security appliance that's pretty slim and not "minor" at all! This Cisco WebVPN stuff is really messed up. Bye, Marki
Latest activity: Dec 14, 2014