Cisco Bug: CSCus78450 - ASA cert validation fails when suitable TP is above the resident CA cert

Last Modified

Jul 14, 2017

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(5.16)

Description (partial)

Symptom:
When a client tries to authenticate by sending its certificate chain (in this case the Client-ID certificate and the Sub-CA certificate), and the Sub-CA trustpoint (TP) has "no validation-usage" configured, the ASA picks the Root-CA TP to validate the certificate chain.

The failure occurs when the validating trustpoint is higher in the hierarchy than the highest CA certificate [sent by the client in the certificate chain] resident on the ASA.

Conditions:
ASA running a version that contains the fix for CSCuq53421, such as 9.1(5)15, 9.3(2), 9.4(1).
Also, the client certificate is issued at least by a first-level subordinate CA, i.e. the client certificate hierarchy should have at least three levels:
Root -- Sub --- Client-ID

ASA is configured to authenticate clients using their ID certificate.

ASA would have Sub and Root CA loaded.
ASA should end up picking Root CA TP in order to validate the client cert chain.
 
For example, the Sub-CA TP could have "no validation-usage" configured.