Cisco ASA - Certificate based IPSEC VPN "ERROR: Certificate validation failed. Peer certificate key usage is invalid"

Error

When connecting with the Cisco VPN Client using certificate-based authentication, you receive the following error in your debug logs.

CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary

ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 210F2EDE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=xx

CRYPTO_PKI: Certificate not validated

Solution

This error can occur when the certificate does not have the Digital Signature key usage bit set.

To resolve this, either:

  1. Issue a certificate with the Digital Signature key usage set. For example, on a Windows 2008 CA, use the IPSEC certificate template.
  2. Configure the ASA to ignore the IPsec key usage check on the trustpoint. This is configured using the following commands:

crypto ca trustpoint <trustpointname>
ignore-ipsec-keyusage
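As an added example that is not part of the original article, the following shell script reproduces the key usage check the ASA applies to a peer certificate, using the openssl CLI (1.1.1 or later, for -addext). It generates two constructed, throwaway self-signed certificates, one with only Key Encipherment and one that also carries Digital Signature, and checks each the way you would before issuing a certificate to a VPN client.

```shell
#!/bin/sh
# Added example, not from the Fir3net article or Cisco: check a PEM certificate
# for the Digital Signature key usage bit that the ASA expects for IKE.
# Returns 0 if the bit is present, 1 if it is absent, 2 if the file cannot be parsed.
has_digital_signature_ku() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    # openssl prints the extension as a header line followed by a line listing
    # the enabled bits, e.g. "Digital Signature, Key Encipherment".
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'
}

# Constructed test material: a self-signed certificate with the given keyUsage value.
make_test_cert() {
    # $1 = output PEM path, $2 = keyUsage extension value
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj '/CN=vpn-client-test' \
        -addext "keyUsage=critical,$2" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_test_cert "$WORK/bad.pem"  'keyEncipherment'                   # lacks Digital Signature
make_test_cert "$WORK/good.pem" 'digitalSignature,keyEncipherment'  # what the IPSEC template yields

for c in bad good; do
    if has_digital_signature_ku "$WORK/$c.pem"; then
        echo "$c.pem: Digital Signature present, key usage acceptable to the ASA"
    else
        echo "$c.pem: Digital Signature missing, expect 'Peer certificate key usage is invalid'"
    fi
done
```

Run it against a certificate exported from your CA (has_digital_signature_ku /path/to/cert.pem) to confirm the template before enabling or disabling the trustpoint check.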

Tags: ASA, VPN

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001