Cisco ASA ERROR: Certificate validation failed. Peer certificate key usage is invalid

Error

When trying to connect using the Cisco VPN Client with certificate based authentication you receive the following error from you debug logs.

CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary

ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 210F2EDE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=xx

CRYPTO_PKI: Certificate not validated

Solution

This error can occur if the certificate doesn’t have the digital signature key usage set.

To resolve this either :

1. create a certificate with the digital signature key usage set. i.e if using a Windows 2008 CA then use the IPSEC certificate template.
2. configure the ASA to ignore the IPSEC key usage. This configured using the following commands:

crypto ca trustpoint <trustpointname>
ignore-ipsec-keyusage

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial