Daniel_Hainich
Collaborator

Endpoint VPN with ext. CA - cannot complete certificate chain

Hi,

Endpoint VPN with username/password is working well.

But with a certificate from an external CA it isn't working.

CA and sub-CA are set up as objects. The LDAP account unit is also set up.

I got the following error:

Time: 2019-06-28T12:52:51Z
Id: d977d512-0972-0000-5d16-0da300000000
Sequencenum: 2147483647
Category: Session
Event Type: Login
Name: Endpoint Security
Version: E81.00
Build Number: 986100516
User: yyy
Authentication Method: Certificate
User DN: CN=xxx,OU=Mitarbeiter,OU=Benutzer,OU=xxx,DC=intern,DC=xxx,DC=de
Certificate Fingerprint: 2f:79:67:2e:99:5b:95:68:83:8d:9c:c6:e3:ea:79:aa:8a:8d:30:69
Certificate Serial Number:74000004294ef08ececf626662000000000429
User Groups: ad_branch_Benutzer
Model: PC
OS Name: Windows
OS Version: 7
OS Edition: Professional
OS Service Pack: Service Pack 1
OS Build: 7601
OS Bits: 64bit
ID: C3DCD549-1354-4D35-A163-81495FDFDDF9
Re-authentication every:
Login Timestamp: 2019-06-28T12:52:51Z
Source Country: Germany
Source: ip
IP: ip
IP Protocol: 6
Destination Port: 443
Data Protocol: IPSec
Status: Failure
Reason: cannot complete certificate chain CN=yyy,OU=Mitarbeiter,OU=Benutzer,OU=xxx,DC=intern,DC=xxx,DC=de
Suppressed Logs: 0
Action: Failed Log In
Type: Log
Blade: Mobile Access
Origin: fw01
Service: TCP/443
Product Family: Access
Marker: @A@@B@1561712292@C@6990655
Index Time: 2019-06-28T12:52:51Z
Lastupdatetime: 1561726371000
Lastupdateseqnum: 2147483647
MAC Address: a0:b3:cc:c2:6e:bc
Stored: true
Name: hostname
Source Machine Name: ag-401-1324
Data Encryption: AES-256 + SHA1 + Group 2
Severity: Informational
Rounded Sent Bytes: 0
Confidence Level: N/A
Rounded Bytes: 0
Rounded Received Bytes: 0
OS: Windows 7 Professional Service Pack 1 64bit (build 7601)
Login Option Factors: Certificate

I think the gateway needs a certificate from the external CA, but I can't import a certificate. Creating a CSR works, but I got an error from the CA.

Can anyone help with how to create a cert for the gateway? Or is it another problem?

Thanks

Daniel


8 Replies
Marco_Valenti
Advisor

Have you already imported your trusted ca on the management?

Once you have a certificate for the security gateway, you need to specify which certificate the VPN client needs to use to authenticate in the VPN client gateway tab, and then you need to move authentication to personal certificate. If you have a sub-CA you need to import that too.
Daniel_Hainich
Collaborator
Hi, yes, CA and sub-CA are successfully imported. I need a gateway certificate from the sub-CA with a CSR. But I don't know how I finish this CSR with the Windows CA.
PhoneBoy
Admin
Specifically when you import the root CA key, you need to include as part of the bundle all of the intermediate certificates that might be necessary.
Daniel_Hainich
Collaborator
I have added root-ca and sub-ca as 2 objects in mgmt. Do I have to bundle root and sub cert to add root-ca?
PhoneBoy
Admin
Both the root and sub-ca need to be bundled and imported as a single object.
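To see what "cannot complete certificate chain" means in practice, and why the root and sub-CA have to be imported together, here is an added lab script (not from this thread or from Check Point) that builds a throwaway root -> sub-CA -> user certificate hierarchy with openssl, then validates the user certificate once against the root alone and once against a root + sub-CA p7b bundle. All CA and user names are made-up lab values.

```shell
#!/bin/sh
# Constructed lab PKI (root CA -> sub-CA -> user cert, made-up names): shows why
# a trust store holding only the root cannot complete the chain for a cert
# issued by the sub-CA, while a p7b bundle holding root + sub-CA can.
set -e

make_pki() {   # $1 = working directory for keys and certs
  mkdir -p "$1"
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    # Self-signed root CA
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout root.key -out root.csr -subj '/CN=Lab Root CA' 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
      -extfile ca.ext -out root.pem 2>/dev/null
    # Sub-CA, issued by the root
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout sub.key -out sub.csr -subj '/CN=Lab Sub CA' 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -extfile ca.ext -out sub.pem 2>/dev/null
    # User certificate, issued by the sub-CA (stands in for the VPN client's cert)
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout user.key -out user.csr -subj '/CN=vpnuser' 2>/dev/null
    openssl x509 -req -in user.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
      -days 30 -extfile leaf.ext -out user.pem 2>/dev/null
    # Root + sub-CA bundled into a single PKCS#7 (.p7b) file
    openssl crl2pkcs7 -nocrl -certfile root.pem -certfile sub.pem -out bundle.p7b
  )
}

# Number of certificates carried inside the p7b bundle
p7b_cert_count() {
  openssl pkcs7 -in "$1/bundle.p7b" -print_certs -noout | grep -c '^subject'
}

# Validate user.pem against a trust store ($2 = root.pem or bundle.p7b):
# prints "ok" when the chain completes, "incomplete" when it does not
verify_user() {
  case $2 in
    *.p7b) openssl pkcs7 -in "$1/$2" -print_certs -out "$1/store.pem" ;;
    *)     cp "$1/$2" "$1/store.pem" ;;
  esac
  if openssl verify -CAfile "$1/store.pem" "$1/user.pem" >/dev/null 2>&1
  then echo ok; else echo incomplete; fi
}

# Try it: make_pki /tmp/labpki; verify_user /tmp/labpki root.pem; verify_user /tmp/labpki bundle.p7b
```

With only root.pem in the store the verify step fails with "unable to get local issuer certificate", which is openssl's wording for the gateway's "cannot complete certificate chain"; the p7b that carries both CAs validates the same user certificate.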
Daniel_Hainich
Collaborator
I have deleted root-CA and sub-CA to create a new one, but now I got an error:

Error: Certificate with the same Distinguished Name already installed for another CA.

How can I delete the certificate?

Management is on R80.20 Take 47

Thanks
Daniel
Daniel_Hainich
Collaborator

I have deleted the root-CA and sub-CA, but I did not find the certificates within guidbedit.

I solved the problem with a reboot of the SMS.

Now all "old" certificates are gone and I recreated the root-CA with the bundled p7b certificate.

spottex
Contributor

Reboot just fixed the issue for me.
I recreated it in a Lab so thought I would add this note for future readers.

My error was caused by adding Trusted and Sub CAs but discarding them before publishing. So...

DO NOT 'Discard Changes' in SmartConsole until Certs, Trusted and Subordinate CAs are deleted in the correct order sub/intermediate/root (which you are forced to do anyway), or you will not be able to add the same CAs until the manager is rebooted.

i.e. Delete VPN certs. Then Delete Sub. Then Intermediate. Then Root. Then discard changes.

Or publish the changes, then delete certs and CAs etc., and publish again.
