Cisco Bug: CSCus78450 - ASA cert validation fails when suitable TP is above the resident CA cert

Last Modified

Mar 05, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases


Description (partial)

When a client authenticates by sending its certificate chain (here the Client-ID certificate and the Sub-CA certificate) and the Sub-CA trustpoint has "no validation-usage" configured, the ASA picks the Root-CA trustpoint to validate the chain.

When such a condition occurs, where the validating trustpoint is higher in the hierarchy compared to the highest CA certificate [sent by the client in the certificate chain] resident on the ASA. 

The ASA runs a version that contains the fix for CSCuq53421, such as 9.1(5)15, 9.3(2) or 9.4(1).
The client certificate is issued by at least a first-level subordinate CA, i.e. the certificate hierarchy has at least three levels:
Root -- Sub -- Client-ID

The ASA is configured to authenticate clients using their ID certificate.

The ASA has both the Sub-CA and Root-CA certificates loaded as trustpoints.
The ASA ends up picking the Root-CA trustpoint to validate the client certificate chain, for example because the Sub-CA trustpoint has "no validation-usage" configured.
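To check a trustpoint inventory against the conditions listed above, the following added example (not Cisco code) models the chain walk in Python. It assumes the selection rule implied by the description: the ASA climbs the chain from the leaf and uses the first trustpoint whose validation-usage is enabled; the cert and trustpoint names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

@dataclass(frozen=True)
class Trustpoint:
    name: str
    cert: Cert
    validation_usage: bool  # False models "no validation-usage" on the TP

def validating_trustpoint(leaf, sent, resident):
    """Walk from the leaf towards the root over the certs the client sent and the
    CA certs resident on the ASA; return the first trustpoint allowed to validate
    and the subjects of the CA certs skipped on the way (assumed selection rule)."""
    certs = {c.subject: c for c in sent}
    for tp in resident:
        certs.setdefault(tp.cert.subject, tp.cert)
    tps = {tp.cert.subject: tp for tp in resident}
    cur, skipped = leaf, []
    while cur.issuer != cur.subject and cur.issuer in certs:
        cur = certs[cur.issuer]
        tp = tps.get(cur.subject)
        if tp is not None and tp.validation_usage:
            return tp, skipped
        skipped.append(cur.subject)
    return None, skipped

def hits_cscus78450_condition(leaf, sent, resident):
    """True when the chosen trustpoint sits above a CA cert that the client sent
    and that is also resident on the ASA, i.e. the bug's trigger condition."""
    tp, skipped = validating_trustpoint(leaf, sent, resident)
    if tp is None:
        return False
    sent_and_resident = {c.subject for c in sent} & {t.cert.subject for t in resident}
    return any(s in sent_and_resident for s in skipped)

# Constructed sample hierarchy: Root -- Sub -- Client-ID
ROOT = Cert("CN=Root-CA", "CN=Root-CA")
SUB = Cert("CN=Sub-CA", "CN=Root-CA")
CLIENT = Cert("CN=Client-ID", "CN=Sub-CA")

def affected_setup(sub_validation_usage):
    """Sub-CA and Root-CA trustpoints resident; client sends Client-ID and Sub-CA."""
    resident = [Trustpoint("Sub-CA-TP", SUB, sub_validation_usage),
                Trustpoint("Root-CA-TP", ROOT, True)]
    return hits_cscus78450_condition(CLIENT, [CLIENT, SUB], resident)
```

With `affected_setup(False)` the walk skips the Sub-CA trustpoint and lands on Root-CA-TP, which is the condition in the description; with validation-usage enabled on the Sub-CA trustpoint the check returns False.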

Related Community Discussions

Anyconnect Certificate Validation Failure after upgrade to 9.3.x/9.4
Hi all, I've got an ASA5512-X, running 9.1.2, configured as a remote access VPN. I've configured it for aaa and certificate based authentication (Windows 2012 Certificate Server and radius authentication), using SCEP for trustpoint enrollment and OCSP for revocation checking as per this guide. The remote clients are Linux Debian OS using Anyconnect Client version 4.0.00061. The ...
Latest activity: Jun 19, 2015