Endpoint VPN with ext. CA - cannot complete certificate chain

Hi,

Endpoint VPN with username/password is working well.

But with a certificate from an external CA it isn't working.

The CA and sub-CA are set up as objects. The LDAP account unit is also set up.

I got the following error:

Time: 2019-06-28T12:52:51Z
Id: d977d512-0972-0000-5d16-0da300000000
Sequencenum: 2147483647
Category: Session
Event Type: Login
Name: Endpoint Security
Version: E81.00
Build Number: 986100516
User: yyy
Authentication Method: Certificate
User DN: CN=xxx,OU=Mitarbeiter,OU=Benutzer,OU=xxx,DC=intern,DC=xxx,DC=de
Certificate Fingerprint: 2f:79:67:2e:99:5b:95:68:83:8d:9c:c6:e3:ea:79:aa:8a:8d:30:69
Certificate Serial Number:74000004294ef08ececf626662000000000429
User Groups: ad_branch_Benutzer
Model: PC
OS Name: Windows
OS Version: 7
OS Edition: Professional
OS Service Pack: Service Pack 1
OS Build: 7601
OS Bits: 64bit
ID: C3DCD549-1354-4D35-A163-81495FDFDDF9
Re-authentication every:
Login Timestamp: 2019-06-28T12:52:51Z
Source Country: Germany
Source: ip
IP: ip
IP Protocol: 6
Destination Port: 443
Data Protocol: IPSec
Status: Failure
Reason: cannot complete certificate chain CN=yyy,OU=Mitarbeiter,OU=Benutzer,OU=xxx,DC=intern,DC=xxx,DC=de
Suppressed Logs: 0
Action: Failed Log In
Type: Log
Blade: Mobile Access
Origin: fw01
Service: TCP/443
Product Family: Access
Marker: @A@@B@1561712292@C@6990655
Index Time: 2019-06-28T12:52:51Z
Lastupdatetime: 1561726371000
Lastupdateseqnum: 2147483647
MAC Address: a0:b3:cc:c2:6e:bc
Stored: true
Name: hostname
Source Machine Name: ag-401-1324
Data Encryption: AES-256 + SHA1 + Group 2
Severity: Informational
Rounded Sent Bytes: 0
Confidence Level: N/A
Rounded Bytes: 0
Rounded Received Bytes: 0
OS: Windows 7 Professional Service Pack 1 64bit (build 7601)
Login Option Factors: Certificate

I think the gateway needs a certificate from the external CA, but I can't import a certificate. Creating a CSR works, but I got an error from the CA.

Can anyone help with how to create a cert for the gateway? Or is it another problem?

Thanks

daniel

Accepted Solution

Re: Endpoint VPN with ext. CA - cannot complete certificate chain

I have deleted the root CA and sub-CA, but I did not find the certificates within GuiDBedit.

I solved the problem with a reboot of the SMS.

Now all "old" certificates are gone and I recreated the root CA with the bundled p7b certificate.

7 Replies

Re: Endpoint VPN with ext. CA - cannot complete certificate chain

Have you already imported your trusted CA on the management?

Once you have a certificate for the security gateway, you need to specify which certificate the VPN client needs to use to authenticate (in the VPN client gateway tab), and then you need to move authentication to personal certificate. If you have a sub-CA you need to import that too.

Re: Endpoint VPN with ext. CA - cannot complete certificate chain

Hi, yes, the CA and sub-CA are successfully imported. I need the gateway certificate from the sub-CA with a CSR. But I don't know how I finish this CSR with the Windows CA.

Admin

Re: Endpoint VPN with ext. CA - cannot complete certificate chain

Specifically when you import the root CA key, you need to include as part of the bundle all of the intermediate certificates that might be necessary.

Re: Endpoint VPN with ext. CA - cannot complete certificate chain

I have added the root CA and sub-CA as 2 objects in mgmt. Do I have to bundle the root and sub cert to add the root CA?

Admin

Re: Endpoint VPN with ext. CA - cannot complete certificate chain

Both the root and sub-ca need to be bundled and imported as a single object.

Re: Endpoint VPN with ext. CA - cannot complete certificate chain

I have deleted the root CA and sub-CA to create a new one.
But now I got an error:

Error: Certificate with the same Distinguished Name already installed for another CA.

How can I delete the certificate?

Management is on R80.20 Take 47

Thanks
daniel