Hello,
I'm working on certificate-based authentication for our AnyConnect VPN, but so far I've encountered a problem that the few answers I found didn't help me with.
I created a trustpoint by the name of VPN and put the PKI URL on it.
The inter-CA is added to the Cisco with the PKI URL as a DP.
The revocation check is set to CRL, with no LDAP since we aren't using it for the PKI.
This is what happens when I make a CRL request with the CRL in .pem format:
crypto_pki_req(0x00002aaacb6f9e10, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: VPN. Retrying with next CRL DP...
I read somewhere that you need to change the .pem to .der, except that it just changes the type of error:
BatG-FW3# crypto_pki_req(0x00002aaacb6f9e10, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: Found suitable tp: VPN
CRYPTO_PKI: Failed to create name objects to compare DNs. status = 1795
CRYPTO_PKI(select cert) subject = cn=ThalesRCS Root CA,ou=Revenue Collection Systems,o=Thales,l=Bretigny,st=IDF,c=FR
CRYPTO_PKI: status = 1872: failed to verify CRL signature
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: VPN. Retrying with next CRL DP...
From the details of the inter-CA, the DP is indeed the same URL, so I don't understand why it can't verify the signature.
Also, DNS is set up and resolves the URL, so no problem there.
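The two things the second debug shows failing, the issuer DN comparison and the CRL signature check, can be reproduced off-box with plain openssl. The script below is an added example, not part of the post or of Cisco's tooling: it constructs two throwaway CAs (A standing in for the CA loaded in the trustpoint, B for a different issuer) in a temp dir, generates a CRL from B, and runs the same checks against either CA certificate, accepting PEM or DER input since the DP may serve either.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed test data only:
# CA "A" plays the certificate in the ASA trustpoint, CA "B" a different issuer.
set -e

mk_ca() {  # $1 = work dir, $2 = short name, $3 = subject DN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

mk_crl() {  # $1 = work dir, $2 = CA short name; writes a PEM CRL signed by that CA
  touch "$1/$2.index"
  printf '[ ca ]\ndefault_ca = x\n[ x ]\ndatabase = %s\ncertificate = %s\nprivate_key = %s\ndefault_md = sha256\ndefault_crl_days = 7\n' \
    "$1/$2.index" "$1/$2.crt" "$1/$2.key" > "$1/$2.cnf"
  openssl ca -config "$1/$2.cnf" -gencrl -out "$1/$2.crl" 2>/dev/null
}

setup_demo() {  # prints the work dir holding a.crt, b.crt, b.crl (PEM) and b.der (DER)
  d=$(mktemp -d)
  mk_ca "$d" a "/C=FR/O=Example/CN=Example Inter CA A"
  mk_ca "$d" b "/C=FR/O=Example/CN=Example Inter CA B"
  mk_crl "$d" b
  openssl crl -in "$d/b.crl" -outform DER -out "$d/b.der" 2>/dev/null
  echo "$d"
}

# check_crl CRL CA_CERT -> 0 = ok, 1 = issuer DN mismatch, 2 = signature failure.
# Mirrors the ASA's order of checks: compare DNs first, then verify the signature.
check_crl() {
  inform=PEM
  grep -q 'BEGIN X509 CRL' "$1" 2>/dev/null || inform=DER
  ca_subj=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
  crl_iss=$(openssl crl -in "$1" -inform "$inform" -noout -issuer | sed 's/^issuer= *//')
  if [ "$ca_subj" != "$crl_iss" ]; then
    echo "DN mismatch: CRL issuer '$crl_iss' vs CA subject '$ca_subj'"; return 1
  fi
  # Grep the verdict text: the exit status of 'openssl crl -CAfile' is not
  # consistent across OpenSSL versions, the printed "verify OK" is.
  if ! openssl crl -in "$1" -inform "$inform" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK'; then
    echo "signature failure: CRL is not signed by the key behind $2"; return 2
  fi
  echo "ok: $inform CRL is issued and signed by $2"
}
```

Run the same check_crl against the CRL the ASA downloads and the certificate actually loaded in the trustpoint; a DN mismatch points at a different (or renewed) issuing CA, a signature failure at a key rollover on the CA without the trustpoint being updated.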