Cisco Bug: CSCvw03628 - ASA will not import CA certificate with name constraint of RFC822Name set as empty

Last Modified

Oct 09, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.14(1) 9.8(4.20)

Description (partial)

Symptom:
ASA is unable to import a certificate with the RFC822Name set to blank. Tested on FPR2130 running 9.8.4(20) and an ASAv and ASA 5506 running 9.14.1.

Conditions:
A device running ASA code will not import a certificate that has a Name Constraint of RFC822Name set to an empty string.

Examples:

In certificate
 Excluded
     [1]Subtrees (0..Max):
          RFC822 Name=
   

In XCA:
  excluded;email:,

XCA shows validation errors when trying to replicate the certificate:
   error:2206D06D:X509 V3 routines:X509V3_parse_list:invalid null value 
   error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string 
   error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension
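
An added example, not part of the Cisco bug record: a standard-library Python check that reports whether a CA certificate matches the condition above, so such certificates can be identified before an import is attempted. The function names are hypothetical, and the sample input is a constructed bare Extension structure rather than a full certificate.

```python
import ssl

NC_OID = bytes.fromhex("551d1e")  # 2.5.29.30, nameConstraints

# Constructed sample: Extension { nameConstraints, excluded: rfc822Name = "" }
SAMPLE_EXT = bytes.fromhex("300f0603551d1e04083006a10430028100")

def tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def find_name_constraints(der):
    """Find the Extension SEQUENCE that starts with NC_OID; return its extnValue."""
    for tag, val in tlvs(der):
        if tag & 0x20:                     # constructed: SEQUENCE, SET, [n]
            kids = list(tlvs(val))
            if tag == 0x30 and kids and kids[0] == (0x06, NC_OID):
                return kids[-1][1]         # OCTET STRING is the last element
            found = find_name_constraints(val)
            if found is not None:
                return found
    return None

def empty_rfc822_constraints(cert):
    """Return 'permitted'/'excluded' for each subtree with an empty rfc822Name."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    ext = find_name_constraints(der)
    hits = []
    if ext is None:
        return hits
    (_, nc), = tlvs(ext)                   # NameConstraints SEQUENCE
    for tag, subtrees in tlvs(nc):         # 0xA0 permitted, 0xA1 excluded
        for _, subtree in tlvs(subtrees):  # each GeneralSubtree
            base_tag, base = next(tlvs(subtree))
            if base_tag == 0x81 and base == b"":   # rfc822Name [1], zero length
                hits.append("permitted" if tag == 0xA0 else "excluded")
    return hits

if __name__ == "__main__":
    print(empty_rfc822_constraints(SAMPLE_EXT))
```

Pass the function a PEM string or DER bytes of the CA certificate; a non-empty result means the certificate carries the empty RFC822Name constraint described in this bug.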